Creating Infrastructure for Oracle Access Management

13 Creating Infrastructure for Oracle Access Management

The following topics describe how to install and configure an initial domain, which can be used as the starting point for an enterprise deployment. Later chapters in this guide describe how to extend this initial domain with the various products and components that comprise the enterprise topology you are deploying.

A complete Oracle Identity and Access Management uses a split domain deployment, where there is a single domain for Oracle Access Management and a different one for Oracle Identity Governance. You must create a separate infrastructures for Access and Governance.

About the Initial Infrastructure Domain
Before you create the initial Infrastructure domain, ensure that you review the key concepts.
Variables Used When Creating Infrastructure for Oracle Access Management
As you perform the tasks in this chapter, you will be referencing the directory variables listed in this section.
Installing the Oracle Fusion Middleware Infrastructure
Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for Oracle Access Management.
Installing Oracle Access Management for an Enterprise Deployment
The procedure for installing Oracle Access Management in an enterprise deployment domain is explained in this section.
Configuring LDAP
It details the procedure to configure LDAP.
Creating the Database Schemas for Access Manager
Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain for Oracle Access Management. Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware.
Configuring the Oracle Access Management Domain
The following topics provide instructions for creating an Oracle Access Management domain using the Fusion Middleware Configuration wizard.
Configuring the Domain Directories and Starting the Servers
After the domain is created and the Node Manager is configured, you can then configure the additional domain directories and start the Administration Server and any Managed Servers on the AdminHost.
Propagating the Domain and Starting the Node Manager on OAMHOST2
After you start and validate the Administration Server and WLS_WSM1 Managed Server on OAMHOST1, you can then perform the following tasks on OAMHOST2..
Removing OAM Server from WebLogic Server 12c defaultCoherenceCluster
You must exclude all Oracle Access Management (OAM) clusters (including policy manager and OAM runtime server) from the default WebLogic Server 12c coherence cluster using the WebLogic Server Administration Console.
Adding a Load Balancer Certificate to JDK Trust Stores
Tuning the oamDS Data Source
For optimium performance, increase the number of connections allowed by the OAM data source.
Enabling Virtualization
Use the Fusion Middleware Control to enable virtualization.
Configuring the WebLogic Proxy Plug-In

Parent topic: Configuring the Enterprise Deployment

About the Initial Infrastructure Domain

Before you create the initial Infrastructure domain, ensure that you review the key concepts.

Parent topic: Creating Infrastructure for Oracle Access Management

About the Infrastructure Distribution

You create the initial Infrastructure domain for an enterprise deployment by using the Oracle Fusion Middleware Infrastructure distribution. This distribution contains both the Oracle WebLogic Server software and the Oracle JRF software.

The Oracle JRF software consists of Oracle Web Services Manager, Oracle Application Development Framework (Oracle ADF), Oracle Enterprise Manager Fusion Middleware Control, the Repository Creation Utility (RCU), and other libraries and technologies that are required to support the Oracle Fusion Middleware products.

Note:

The Access infrastructure does not use the Web Services Manager.

See Understanding Oracle Fusion Middleware Infrastructure in Understanding Oracle Fusion Middleware.

Parent topic: About the Initial Infrastructure Domain

Characteristics of the Domain

The following table lists some of the key characteristics of the domain that you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures that are used to configure the domain.

Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.

Characteristic of the Domain	More Information
Uses a separate virtual IP (VIP) address for the Administration Server.	Configuration of the Administration Server and Managed Servers Domain Directories
Uses separate domain directories for the Administration Server and the Managed Servers in the domain.	Configuration of the Administration Server and Managed Servers Domain Directories
Uses a per domain Node Manager configuration.	About the Node Manager Configuration in a Typical Enterprise Deployment
Requires a separately installed LDAP-based authentication provider.	Understanding OPSS and Requests to the Authentication and Authorization Stores

Parent topic: About the Initial Infrastructure Domain

Variables Used When Creating Infrastructure for Oracle Access Management

As you perform the tasks in this chapter, you will be referencing the directory variables listed in this section.

These directory variables are defined in File System and Directory Variables Used in This Guide.

IAD_ORACLE_HOME
IAD_ASERVER_HOME
IAD_MSERVER_HOME
APPLICATION_HOME
JAVA_HOME

In addition, you'll be referencing the following virtual IP (VIP) addresses and host names defined in Physical and Virtual IP Addresses Required by the Enterprise Topology:

ADMINVHN
OAMHOST1
OAMHOST2
DBHOST1
DBHOST2
SCAN Address for the Oracle RAC Database (DB-SCAN.examle.com)

Note:

Depending on the domain you are creating, you must add the prefix to ADMINVHN. For example, IAD_ADMINVHN.

Note:

The instructions in this section use the installation on OIMHOST1 and OIMHOST2 as an example. If you are creating the infrastructure domain for Access, then substitute OAMHOST1 and OAMHOST2 wherever appropriate.

Parent topic: Creating Infrastructure for Oracle Access Management

Installing the Oracle Fusion Middleware Infrastructure

Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for Oracle Access Management.

Installing a Supported JDK
Starting the Infrastructure Installer
Navigating the Infrastructure Installation Screens
Installing Oracle Fusion Middleware Infrastructure on the Other Host Computers
Checking the Directory Structure
After you install the Oracle Fusion Middleware Infrastructure and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options that you selected during the installation.

Parent topic: Creating Infrastructure for Oracle Access Management

Installing a Supported JDK

Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.

Locating and Downloading the JDK Software
Installing the JDK Software
Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure

Locating and Downloading the JDK Software

To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:

http://www.oracle.com/technetwork/java/index.html

Be sure to navigate to the download for the Java SE JDK.

Parent topic: Installing a Supported JDK

Installing the JDK Software

Oracle Fusion Middleware requires you to install a certified Java Development Kit (JDK) on your system.

You must install the JDK in the following locations:

On the shared storage device, where it will be accessible from each of the application tier host computers, install the JDK in the location specified in File System and Directory Variables Used in This Guide.
On the local storage device for each of the Web tier host computers. The Web tier host computers, which reside in the DMZ, do not necessarily have access to the shared storage on the application tier.
On the local storage device for each of the directory tier host computers, in case of the directory hosts not utilizing the shared storage.

For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.

To install JDK 1.8.0_211:

Change directory to the location where you downloaded the JDK archive file.
```
cd download_dir
```
Unpack the archive into the JDK home directory, and then run the following commands:
```
tar -xzvf jdk-8u201-linux-x64.tar.gz
```
Note that the JDK version listed here was accurate at the time this document was published. For the latest supported JDK, see the Oracle Fusion Middleware System Requirements and Specifications for the current Oracle Fusion Middleware release.
Move the JDK directory to the recommended location in the directory structure.
For example:
```
mv ./jdk1.8.0_211 /u01/oracle/products/jdk
```
See File System and Directory Variables Used in This Guide.
Define the JAVA_HOME and PATH environment variables for running Java on the host computer.
For example:
```
export JAVA_HOME=/u01/oracle/products/jdk
export PATH=$JAVA_HOME/bin:$PATH
```
Run the following command to verify that the appropriate java executable is in the path and your environment variables are set correctly:
```
java -verison
```
The Java version in the output should be displayed as “1.8.0_211”.

Parent topic: Installing a Supported JDK

Starting the Infrastructure Installer

To start the installation program, perform the following steps.

Go to the directory where you downloaded the installation program.
Launch the installation program by invoking the java executable from the JDK directory on your system, as shown in the example below.
```
$JAVA_HOME/bin/java -d64 -jar distribution_file_name.jar
```
In this example:
- Replace JAVA_HOME with the environment variable or actual JDK location on your system.
- Replace distribution_file_name with the actual name of the distribution JAR file.
  
  If you download the distribution from the Oracle Technology Network (OTN), then the JAR file is typically packaged inside a downloadable ZIP file.
  
  To install the software required for the initial Infrastructure domain, the distribution you want to install is:
  
  fmw_12.2.1.4.0_infrastructure_generic.jar.
  
  For more information about the actual file names of each distribution, see Identifying and Obtaining Software Downloads for an Enterprise Deployment.

When the installation program appears, you are ready to begin the installation. See Navigating the Installation Screens for a description of each installation program screen.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure

Navigating the Infrastructure Installation Screens

The installation program displays a series of screens, in the order listed in the following table.

If you need additional help with any of the installation screens, click the screen name or click the Help button on the screen.

Table 13-1 Navigating the Infrastructure Installation Screens

Screen	Description
Installation Inventory Setup	On UNIX operating systems, this screen appears if you are installing any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Ensure that the operating system group name selected on this screen has write permissions to the central inventory location. See Understanding the Oracle Central Inventory in Installing Software with the Oracle Universal Installer. Note: Oracle recommends that you configure the central inventory directory on the products shared volume. Example: `/u01/oracle/products/oraInventory` You may also need to execute the `createCentralinventory.sh` script as root from the `oraInventory` folder after the installer completes.
Welcome	This screen introduces you to the product installer.
Auto Updates	Use this screen to search My Oracle Support automatically for available patches or automatically search a local directory for patches that you have already downloaded for your organization.
Installation Location	Use this screen to specify the location of your Oracle home directory. For the purposes of an enterprise deployment, enter the value of the IGD_ORACLE_HOME variable listed in Table 8-2.
Installation Type	Use this screen to select the type of installation and as a consequence, the products and feature sets that you want to install. For this topology, select Fusion Middleware Infrastructure. Note: The topology in this document does not include server examples. Oracle strongly recommends that you do not install the examples into a production environment.
Prerequisite Checks	This screen verifies that your system meets the minimum requirements. If there are any warning or error messages, refer to the Oracle Fusion Middleware System Requirements and Specifications document on the Oracle Technology Network (OTN).
Security Updates	If you already have an Oracle Support account, use this screen to indicate how you would like to receive security updates. If you do not have one and are sure that you want to skip this step, clear the check box and verify your selection in the follow-up dialog box.
Installation Summary	Use this screen to verify the installation options that you have selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation. For more information about silent or command-line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.
Installation Progress	This screen allows you to see the progress of the installation.
Installation Complete	This screen appears when the installation is complete. Review the information on this screen, then click Finish to dismiss the installer.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure

Installing Oracle Fusion Middleware Infrastructure on the Other Host Computers

If you have configured a separate shared storage volume or partition for secondary hosts, then you must install the Infrastructure on one of those hosts.

See Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

To install the software on the other host computers in the topology, log in to each host, and use the instructions in Starting the Infrastructure Installer and Navigating the Infrastructure Installation Screens to create the Oracle home on the appropriate storage device.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure

Checking the Directory Structure

After you install the Oracle Fusion Middleware Infrastructure and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options that you selected during the installation.

To check the directory structure:

Change to the ORACLE_HOME directory where you installed the Infrastructure.
Enter the following command:
```
ls --format=single-column
```
The directory structure on your system must match the structure shown in the following example:
```
cfgtoollogs
coherence 
em 
inventory 
OPatch 
oracle_common 
oraInst.loc 
oui
wlserver
```
See What are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure

Installing Oracle Access Management for an Enterprise Deployment

The procedure for installing Oracle Access Management in an enterprise deployment domain is explained in this section.

This section contains the following procedures.

Parent topic: Creating Infrastructure for Oracle Access Management

Starting the Oracle Identity and Access Management Installation Program

To start the installation program:

Log in to OAMHOST1.
Go to the directory where you downloaded the installation program.
Launch the installation program by invoking the java executable from the JDK directory on your system, as shown in the example below.
```
JAVA_HOME/bin/java -d64 -jar fmw_12.2.1.4.0_idm_generic.jar
```
Be sure to replace the JDK location in these examples with the actual JDK location on your system.

When the installation program appears, you are ready to begin the installation.

Parent topic: Installing Oracle Access Management for an Enterprise Deployment

Navigating the Installation Screens

The installation program displays a series of screens, in the order listed in the following table.

If you need additional help with any of the installation screens, click the screen name.

Screen	Description
Installation Inventory Screen	If you did not create a central inventory when you installed the Oracle Fusion Middleware Infrastructure software, then this dialog box appears. Edit the Inventory Directory field so it points to the location of your local inventory, and then click OK.
Welcome	This screen introduces you to the product installer.
Auto Updates	Use this screen to automatically search My Oracle Support for available patches or automatically search a local directory for patches that you’ve already downloaded for your organization.
Installation Location	Use this screen to specify the location of your Oracle home directory. For Oracle Identity and Access Management, this should be set to IAD_ORACLE_HOME. For more information about Oracle Fusion Middleware directory structure, see "Selecting Directories for Installation and Configuration" in Planning an Installation of Oracle Fusion Middleware.
Installation Type	Use this screen to choose the type of installation you wish to deploy. You have two options: Standalone Oracle Identity and Access Manager (Managed independently of Weblogic Server): Use this option if you are going to run Oracle Identity and Access Management with a webserver other than Weblogic. Collocated Oracle Identity and Access Manager (Managed through WebLogic Server): Use this option if you have installed Oracle Weblogic Server into IAD_ORACLE_HOME_HOME as part of the infrastructure deployment. For Oracle Enterprise deployments, it is recommended that this option be selected.
Prerequisite Checks	This screen verifies that your system meets the minimum necessary requirements. If there are any warning or error messages, you can refer to one of the documents in the Roadmap for Verifying Your System Environment section in Planning Your Oracle Fusion Middleware Infrastructure Installation.
Installation Summary	Use this screen to verify the installation options you selected. Click Install to begin the installation.
Installation Progress	This screen allows you to see the progress of the installation. Click Next when the progress bar reaches 100% complete.
Installation Complete	Review the information on this screen, then click Finish to dismiss the installer.

Parent topic: Installing Oracle Access Management for an Enterprise Deployment

Installing Oracle Access Management on the Other Host Computers

If you have followed the EDG shared storage recommendations, there is a separate shared storage volume for product installations on IAMHOST2, and you must also install the software on IAMHOST2. See Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

Parent topic: Installing Oracle Access Management for an Enterprise Deployment

Verifying the Installation

After you complete the installation, you can verify it by successfully completing the following tasks.

Parent topic: Installing Oracle Access Management for an Enterprise Deployment

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that no problems were encountered. For a description of the log files and where to find them, see Understanding Installation Log Files in Installing Software with the Oracle Universal Installer.

Parent topic: Verifying the Installation

Checking the Directory Structure

The contents of your installation vary based on the options you selected during the installation.

The addition of Oracle Identity and Access Management will add the following directory and sub-directories:

IAD_ORACLE_HOME/
OPatch
cfgtoollogs
coherence
em
idm
inventory
oraInst.loc 
oracle_common
oui
wlserver

idm/
clone
common
connectors
designconsole
idmdiag
idmtools
jlib
libovd
mbeans
modules
oam
oic
opam-connectors
plugins
remote_manager
schema
server
upgrade

For more information about the directory structure you should see after installation, see "What are the Key Oracle Fusion Middleware Directories?" in Understanding Oracle Fusion Middleware.

Parent topic: Verifying the Installation

Viewing the Contents of Your Oracle Home

You can also view the contents of your Oracle home by using the viewInventory script. See Viewing the contents of an Oracle home in Installing Software with the Oracle Universal Installer.

Parent topic: Verifying the Installation

Configuring LDAP

It details the procedure to configure LDAP.

If you haven't already done so, you now need to configure your LDAP directory. To do this follow the steps in Preparing an Existing LDAP Directory.

Parent topic: Creating Infrastructure for Oracle Access Management

Creating the Database Schemas for Access Manager

Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain for Oracle Access Management. Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware.

Metadata Services (MDS)
Audit Services (IAU)
Audit Services Append (IAU_APPEND)
Audit Services Viewer (IAU_VIEWER)
Oracle Platform Security Services (OPSS)
User Messaging Service (UMS)
WebLogic Services (WLS)
Common Infrastructure Services (STB)
Oracle Access Manager (OAM)

Use the Repository Creation Utility (RCU) to create the schemas. This utility is installed in the Oracle home for each Oracle Fusion Middleware product. For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Creating Schemas with the Repository Creation Utility.

Complete the following steps to install the required schemas:

Parent topic: Creating Infrastructure for Oracle Access Management

Installing and Configuring a Certified Database

Make sure that you have installed and configured a certified database, and that the database is up and running.

See the Preparing the Database for an Enterprise Deployment.

Parent topic: Creating the Database Schemas for Access Manager

Starting the Repository Creation Utility (RCU)

To start the Repository Creation Utility (RCU):

Set the JAVA_HOME environment variable so it references the location where you installed a supported JDK.

See File System and Directory Variables Used in This Guide.
Navigate to the following directory on OAMHOSt1:
```
ORACLE_HOME/oracle_common/bin
```
Start RCU:
```
./rcu
```
Note:

If your database has Transparent Data Encryption (TDE) enabled, and you want to encrypt your tablespaces created by the RCU, provide the -encryptTablespace true option when you start the RCU.

This will default the appropriate RCU GUI Encrypt Tablespace checkbox selection on the Map Tablespaces screen without further effort during the RCU execution. See Encrypting Tablespaces in Creating Schemas with the Repository Creation Utility.

Parent topic: Creating the Database Schemas for Access Manager

Navigating the RCU Screens to Create the Schemas

Follow the instructions in this section to create the schemas for the Fusion Middleware Infrastructure domain:

Task 1 Introducing RCU

Review the Welcome screen and verify the version number for RCU. Click Next to begin.

Task 2 Selecting a Method of Schema Creation

If you have the necessary permission and privileges to perform DBA activities on your database, select System Load and Product Load on the Create Repository screen. The procedure in this document assumes that you have the necessary privileges.

If you do not have the necessary permission or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option will generate a SQL script, which can be provided to your database administrator. See Understanding System Load and Product Load in Creating Schemas with the Repository Creation Utility.

Click Next.

Tip:

For more information about the options on this screen, see Create repository in Creating Schemas with the Repository Creation Utility.

Task 3 Providing Database Connection Details

Provide the database connection details for RCU to connect to your database.

In the Host Name field, enter the SCAN address of the Oracle RAC Database.
Enter the Port number of the RAC database scan listener, for example 1521.
Enter the RAC Service Name of the database.
Enter the User Name of a user that has permissions to create schemas and schema objects, for example SYS.
Enter the Password of the user name that you provided in step 4.
If you have selected the SYS user, ensure that you set the role to SYSDBA.
Click Next to proceed, then click OK on the dialog window confirming that connection to the database was successful.

Tip:

For more information about the options on this screen, see Database Connection Details in Creating Schemas with the Repository Creation Utility.

Task 4 Specifying a Custom Prefix and Selecting Schemas

Specify the custom prefix you want to use to identify the Oracle Fusion Middleware schemas.

The custom prefix is used to logically group these schemas together for use in this domain. For Oracle Access Management, use the prefix IAD.

Tip:

Make a note of the custom prefix you choose to enter here; you will need this later, during the domain creation process.

For more information about custom prefixes, see Understanding Custom Prefixes in Creating Schemas with the Repository Creation Utility.
Select the following schemas from the list of components:
- AS Common Schemas
  
  When you select AS Common Schemas, all of the schemas in this section are automatically selected. If the schemas in this section are not automatically selected, then select the required schemas.
  - Metadata Services (MDS)
  - Audit Services (IAU)
  - Audit Services Append (IAU_APPEND)
  - Audit Services Viewer (IAU_VIEWER)
  - Oracle Platform Security Services (OPSS)
  - User Messaging Service (UMS)
  - WebLogic Services (WLS)
  - Common Infrastructure Services (STB)
- Expand the group IDM Schemas, and then select the Oracle Access Manager schema.

There are two mandatory schemas that are selected by default. You cannot deselect them: Common Infrastructure Services (the STB schema) and WebLogic Services (the WLS schema). The Common Infrastructure Services schema enables you to retrieve information from RCU during domain configuration. See Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

Tip:

For more information about how to organize your schemas in a multi-domain environment, see Planning Your Schema Creation in Creating Schemas with the Repository Creation Utility.

Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Task 5 Specifying Schema Passwords

Specify how you want to set the schema passwords on your database, then specify and confirm your passwords. Ensure that the complexity of the passwords meet the database security requirements before you continue. RCU will proceed at this point even if you do not meet the password polices. Hence, perform this check outside RCU itself.

Click Next.

Tip:

You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.

Task 6 Verifying the Tablespaces for the Required Schemas

You can accept the default settings on the remaining screens, or you can customize how RCU creates and uses the required tablespaces for the Oracle Fusion Middleware schemas.

Note:

You can configure a Fusion Middleware component to use JDBC stores for JMS servers and Transaction Logs, by using the Configuration Wizard. These JDBC stores are placed in the Weblogic Services component tablespace. If your environment expects to have a high level of transactions and/or JMS activity, you can increase the default size of the <PREFIX>_WLS tablespace to better suit the environment load.

Click Next to continue, and then click OK on the dialog window to confirm the tablespace creation.

For more information about RCU and its features and concepts, see About the Repository Creation Utility in Creating Schemas with the Repository Creation Utility.

Task 7 Creating Schemas

Review the summary of the schemas to be loaded and click Create to complete schema creation.

Note:

If failures occurred, review the listed log files to identify the root cause, resolve the defects, and then use RCU to drop and re-create the schemas before you continue.

Task 8 Reviewing Completion Summary and Completing RCU Execution

When you reach the Completion Summary screen, verify that all schema creations have been completed successfully, and then click Close to dismiss RCU.

Parent topic: Creating the Database Schemas for Access Manager

Verifying Schema Access

Verify schema access by connecting to the database as the new schema users are created by the RCU. Use SQL*Plus or another utility to connect, and provide the appropriate schema names and passwords entered in the RCU.

For example:

sqlplus <RCU_PREFIX>_OAM/<PASSWORD>@//<SCAN_ADDRESS>:<PORT>/<SERVICE_NAME>

For example:

sqlplus IADEDG_OAM/<password>@//db-scan.example.com:1521/oampdb_s.example.com

The output appears as follows:

SQL*Plus: Release 18.0.0.0.0 - Production on Mon Aug 9 01:53:57 2021
Version 18.5.0.0.0

Copyright (c) 1982, 2018, Oracle. All rights reserved.

Last Successful login time: Mon Aug 09 2021 01:52:44 -07:00

Connected to:
Oracle Database 18c Enterprise Edition Release 18.0.0.0.0 - Production
Version 18.5.0.0.0

SQL>

Parent topic: Creating the Database Schemas for Access Manager

Configuring the Oracle Access Management Domain

The following topics provide instructions for creating an Oracle Access Management domain using the Fusion Middleware Configuration wizard.

For more information on other methods available for domain creation, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Parent topic: Creating Infrastructure for Oracle Access Management

Starting the Configuration Wizard

To begin domain configuration, run the following command in the Oracle Fusion Middleware Oracle home.

IAD_ORACLE_HOME/oracle_common/common/bin/config.sh

Parent topic: Configuring the Oracle Access Management Domain

Navigating the Configuration Wizard Screens to Configure Oracle Access Management Domain

Follow the instructions in the following sections to create and configure the domain for the topology with static clusters.

Note:

Oracle Access Management does not support Dynamic Clusters.

Creating the Domain with Static Clusters

Parent topic: Configuring the Oracle Access Management Domain

Creating the Domain with Static Clusters

Follow the instructions in this section to create and configure the Oracle Access Management domain for the topology.

Domain creation and configuration includes the following tasks.

Task 1 Selecting the Domain Type and Domain Home Location

On the Configuration Type screen, select Create a new domain.

In the Domain Location field, specify the value of the IAD_ASERVER_HOME variable, as defined in File System and Directory Variables Used in This Guide.

Tip:

More information about the other options on this screen of the Configuration Wizard, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Task 2 Selecting the Configuration Templates

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the following templates:

Oracle Access Management Suite - 12.2.1.4.0[idm]
Selecting this template automatically selects the following dependencies:
- Oracle Enterprise Manager - 12.2.1.4.0[em]
- Oracle JRF - 12.2.1.4.0[oracle_common]
- WebLogic Coherence Cluster Extension - 12.2.1.4.0[wlserver]

Tip:

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Task 3 Selecting the Application Home Location

On the Application Location screen, specify the value of the APPLICATION_HOME variable, as defined in File System and Directory Variables Used in This Guide.

Tip:

More information about the options on this screen can be found in Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Task 4 Configuring the Administrator Account

On the Administrator Account screen, specify the user name and password for the default WebLogic Administrator account for the domain.

Make a note of the user name and password specified on this screen; you will need these credentials later to boot and connect to the domain's Administration Server.

Click Next.

Task 5 Specifying the Domain Mode and JDK

On the Domain Mode and JDK screen:

Select Production in the Domain Mode field.
Select the Oracle Hotspot JDK in the JDK field.

Selecting Production Mode on this screen gives your environment a higher degree of security, requiring a user name and password to deploy applications and to start the Administration Server.

Tip:

More information about the options on this screen, including the differences between development mode and production mode, can be found in Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard.

In production mode, a boot identity file can be created to bypass the need to provide a user name and password when starting the Administration Server. See Creating the boot.properties File.

Click Next.

Task 6 Specifying the Database Configuration Type

On the Database Configuration Type screen:

Select RCU Data to activate the fields on this screen.

The RCU Data option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for the schemas needed to configure the domain.
Verify that Vendor is Oracle and Driver is *Oracle's Driver (Thin) for Service Connections; Versions: Any.
Verify that Connection Parameters is selected.

Note:

If you choose to select Manual Configuration on this screen, you will have to manually fill in the parameters for your schema on the JDBC Component Schema screen.

After you select RCU Data, fill in the fields as shown in the following table:

Field	Description
Host Name	Enter the Single Client Access Name (SCAN) Address for the Oracle RAC database, which you entered in the Enterprise Deployment Workbook. For information about the Enterprise Deployment Workbook, see Using the Enterprise Deployment Workbook.
DBMS/Service	Enter the service name for the Oracle RAC database appropriate for this domain where you will install the product schemas. For example: `iamedg.example.com` Specify the service name based on the value configured earlier in the Preparing the Database for an Enterprise Deployment section.
Port	Enter the port number on which the database listens. For example, `1521`.
Schema Owner	Enter the user name and password for connecting to the database's Service Table schema.
Schema Password	This is the schema user name and password that was specified for the Service Table component on the "Schema Passwords" screen in RCU (see Creating the Database Schemas). The default user name is `prefix_STB`, where `prefix` is the custom prefix that you defined in RCU.

Click Get RCU Configuration when you are finished specifying the database connection information. The following output in the Connection Result Log indicates that the operating succeeded:

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

Click Next if the connection to the database is successful.

Tip:

More information about the RCU Data option can be found in Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

More information about the other options on this screen can be found in Datasource Defaults in Creating WebLogic Domains Using the Configuration Wizard.

Task 7 Specifying JDBC Component Schema Information

Verify that the values on the JDBC Component Schema screen are correct for all schemas.

The schema table should be populated, because you selected Get RCU Data on the previous screen. As a result, the Configuration Wizard locates the database connection values for all the schemas required for this domain.

At this point, the values are configured to connect to a single-instance database. However, for an enterprise deployment, you should use a highly available Real Application Clusters (RAC) database, as described in Preparing the Database for an Enterprise Deployment.

In addition, Oracle recommends that you use an Active GridLink datasource for each of the component schemas. For more information about the advantages of using GridLink data sources to connect to a RAC database, see Database Considerations in the High Availability Guide.

To convert the data sources to GridLink:

Select all the schemas by selecting the checkbox at in the first header row of the schema table.
Click Convert to GridLink and click Next.

Task 8 Providing the GridLink Oracle RAC Database Connection Details

On the GridLink Oracle RAC Component Schema screen, provide the information required to connect to the RAC database and component schemas, as shown in following table.

Element Description and Recommended Value

Element	Description and Recommended Value
SCAN, Host Name, and Port	Select the SCAN check box. In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database. In the Port field, enter the SCAN listening port for the database (for example, `1521`)
ONS Host and Port	In the ONS Host field, enter the SCAN address for the Oracle RAC database. In the Port field, enter the ONS Remote port (typically, `6200`).
Enable Fan	Verify that the Enable Fan check box is selected, so the database can receive and process FAN events.

SCAN, Host Name, and Port

Select the SCAN check box.

In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database.

In the Port field, enter the SCAN listening port for the database (for example, 1521)

ONS Host and Port

In the ONS Host field, enter the SCAN address for the Oracle RAC database.

In the Port field, enter the ONS Remote port (typically, 6200).

Enable Fan

Verify that the Enable Fan check box is selected, so the database can receive and process FAN events.

For more information about specifying the information on this screen, as well as information about how to identify the correct SCAN address, see Configuring Active GridLink Data Sources with Oracle RAC in the High Availability Guide.

You can also click Help to display a brief description of each field on the screen.

Click Next.

Task 9 Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections you have just configured.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.

Tip:

More information about the other options on this screen can be found in Test Component Schema in Creating WebLogic Domains Using the Configuration Wizard

Click Next.

Task 10 Selecting Advanced Configuration

To complete domain configuration for the topology, select the following options on the Advanced Configuration screen:

Administration Server

This is required to properly configure the listen address of the Administration Server.
Node Manager

This is required to configure Node Manager.
Topology

This is required to add, delete, or modify the Settings for Server Templates, Managed Servers, Clusters, Virtual Targets, and Coherence.

Note:

When using the Advanced Configuration screen in the Configuration Wizard:

If any of the above options are not available on the screen, then return to the Templates screen, and be sure you selected the required templates for this topology.
Do not select the Domain Frontend Host Capture advanced configuration option. You will later configure the frontend host property for specific clusters, rather than for the domain.

Click Next.

Task 11 Configuring the Administration Server Listen Address

On the Administration Server screen:

In the Server Name field, retain the default value - AdminServer.
In the Listen Address field, enter the virtual host name that corresponds to the VIP of the ADMINVHN that you procured in Procuring Resources for an Enterprise Deployment and enabled in Preparing the Host Computers for an Enterprise Deployment.

For more information on the reasons for using the ADMINVHN virtual host, see Reserving the Required IP Addresses for an Enterprise Deployment.
In the Listen Port field, enter the port number to access the administration server. This guide recommends you to use the default port 7001 for Access.

Leave the other fields at their default values. In particular, be sure that no server groups are assigned to the Administration Server.

Click Next.

Task 12 Configuring Node Manager

Select Per Domain Default Location as the Node Manager type, then specify the following Node Manager credentials you will use to connect to the Node Manager:

Username: This is the user name used to connect to the Node Manager. For example, admin.
Password and Confirm Password: Enter the password you wish to associate with the Node Manager username.

Tip:

For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more information about per domain and per host Node Manager implementations, see About the Node Manager Configuration in a Typical Enterprise Deployment.

For information about Node Manager configurations, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.

Click Next.

Task 13 Configuring Managed Servers

On the Managed Servers screen, a new Managed Server for Oracle Access Management appears in the list of servers.

Perform the following tasks to modify the default Oracle Access Management Managed Server and create a second Managed Server:

Rename the default Managed Server oam_server1 to WLS_OAM1.
Rename the default Managed Server oam_policy_mngr1 to WLS_AMA1.
Click Add to create a new Managed Server and name it WLS_OAM2.

Tip:

The server names recommended here will be used throughout this document; if you choose different names, be sure to replace them as needed.
Use the information in the following table to fill in the rest of the columns for each Oracle Access Manager Server.

Server Name	Listen Address	Listen Port	Enable SSL	SSL Listen Port	Server Groups
WLS_OAM1	OAMHOST1	14100	Unchecked	Disabled	OAM-MGD-SVRS
WLS_OAM2	OAMHOST2	14100	Unchecked	Disabled	OAM-MGD-SVRS
WLS_AMA1	OAMHOST1	14150	Unchecked	Disabled	OAM-POLICY-MANAGED-SERVER
WLS_AMA2	OAMHOST2	14150	Unchecked	Disabled	OAM-POLICY-MANAGED-SERVER

Tip:

More information about the options on the Managed Server screen can be found in Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Task 14 Configuring a Cluster

In this task, you create clusters of Managed Servers to which you can target the Oracle Access Manager software.

You must create the following clusters:

Cluster	Frontend Host	Frontend HTTP Port	Frontend HTTPS Port
OAM_Cluster	login.example.com		443
AMA_Cluster	iadadmin.example.com	80

Use the Clusters screen to create a new cluster:

Click the Add button.
Specify OAM_Cluster in the Cluster Name field.
From the Dynamic Server Groups drop-down list, select Unspecified.
Specify login.example.com for the Frontend Host field.
Specify 443 for the Frontend HTTPS Port field.

Note:

By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, refer to Considerations for Choosing Unicast or Multicast in Administering Clusters for Oracle WebLogic Server.

Tip:

More information about the options on this screen can be found in Clusters in Creating WebLogic Domains Using the Configuration Wizard.
Repeat the steps to create the second cluster AMA_Cluster.
Click Next.

Tips:

For more information about the options on this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Task 15 Assigning Server Templates

Click Next to proceed to the next screen.

Task 16 Configuring Dynamic Servers

Verify that all dynamic server options are disabled for clusters that are to remain as static clusters.

Confirm that the Dynamic Cluster, Calculated Listen Port, and Calculated Machine Names checkboxes on this screen are unchecked.
Confirm the Server Template selection is Unspecified.
Click Next.

Task 17 Assigning Managed Servers to the Cluster

Use the Assign Servers to Clusters screen to assign your managed servers to the clusters you have just created. At the end of this you will have the following assignments:

Cluster	Managed Servers
OAM_Cluster	WLS_OAM1 WLS_OAM2
AMA_Cluster	WLS_AMA1 WLS_AMA2

Cluster

Managed Servers

OAM_Cluster

WLS_OAM1

WLS_OAM2

AMA_Cluster

WLS_AMA1

WLS_AMA2

In the Clusters pane, select the cluster to which you want to assign the servers.
In the Servers pane, assign the managed servers to the clusters as in the table above, using one of the following methods:
- Click once on the Managed Server to select it, then click on the right arrow to move it beneath the selected cluster in the Clusters pane.
- Double-click on managed server to move it beneath the selected cluster in the clusters pane.
Repeat to assign each managed server to a cluster as shown in the table.
Click Next to proceed to the next screen.

Tip:

More information about the options on this screen can be found in Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Task 18 Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster that is automatically added to the domain.

In the Cluster Listen Port, enter 9991.

Note:

For Coherence licensing information, Oracle Coherence Products in Oracle Fusion Middleware Licensing Information User Manual.

Click Next.

Task 19 Creating Machines for Oracle Access Management Servers

Use the Machines screen to create new machines in the domain. A machine is required in order for the Node Manager to be able to start and stop the servers.

You must create a machine even if your topology contains just the Administration Server. To do this:

On the Unix Machines tab, click the Add button.
Enter OAMHOST1 in the Name field.
Enter the host name of OAMHOST1 for the Node Manage Listener address. Leave the Node Manager port to the default value of 5556.
Repeat the above steps for OAMHOST2.

Under the Unix Machine tab, verify the names of the machines you created when creating the initial Infrastructure domain, as shown in the following table.

Click Next to proceed.

Name	Node Manager Listen Address	Node Manager Listen Port
ADMINHOST	Enter the value of the ADMINVHN variable.	5556
OAMHOST1	The value of the OAMHOST1 host name variable. For example, `OAMHOST1.example.com`.	5556
OAMHOST2	The value of the OAMHOST2 host name variable. For example, `OAMHOST2.example.com`.	5556

Tip:

More information about the options on this screen can be found in Machines in Creating WebLogic Domains Using the Configuration Wizard.

Task 20 Assigning Servers to Machines

Use the Assign Servers to Machines screen to assign the Oracle Access Manager Managed Servers you just created to the corresponding machines in the domain. You can assign the machines as follows:

Servers	Machines
AdminServer	ADMINHOST
WLS_AMA1 WLS_OAM1	OAMHOST1
WLS_AMA2 WLS_OAM2	OAMHOST2

Servers

Machines

AdminServer

ADMINHOST

WLS_AMA1

WLS_OAM1

OAMHOST1

WLS_AMA2

WLS_OAM2

OAMHOST2

Tip:

More information about the options on this screen can be found in Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Task 21 Creating Virtual Targets

Click Next.

Task 22 Creating Partitions

Click Next.

Task 23 Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen contains the detailed configuration information for the domain you are about to create. Review the details of each item on the screen and verify that the information is correct.

You can go back to any previous screen if you need to make any changes, either by using the Back button or by selecting the screen in the navigation pane.

Domain creation will not begin until you click Create.

Tip:

More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Click Next.

Task 24 Writing Down Your Domain Home and Administration Server URL

The Configuration Success screen will show the following items about the domain you just configured:

Domain Location
Administration Server URL

You must make a note of both items as you will need them later; the domain location is needed to access the scripts used to start the Administration Server.

Click Finish to dismiss the Configuration Wizard.

Parent topic: Navigating the Configuration Wizard Screens to Configure Oracle Access Management Domain

Configuring the Domain Directories and Starting the Servers

After the domain is created and the Node Manager is configured, you can then configure the additional domain directories and start the Administration Server and any Managed Servers on the AdminHost.

Starting the Node Manager in the Administration Server Domain Home
Use these steps to start the per-domain Node Manager for the IAD_ASERVER_HOME domain directory.
Creating the boot.properties File
You must create a boot.properties if you want to start the Administrator Server without being prompted for the Administrator Server credentials. This step is required in an enterprise deployment. When you start the Administration Server, the credentials that you enter in this file are encrypted.
Performing the Post-Configuration Tasks for Oracle Access Management Domain
Complete the post-configuration tasks for Oracle Access Management domain.
Starting the Administration Server Using the Node Manager
After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.
Validating the Administration Server
Before proceeding with the configuration steps, validate that the Administration Server has started successfully by making sure you have access to the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control, which both are installed and configured on the Administration Servers.
Creating a Separate Domain Directory for Managed Servers
When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory will be used to run the Administration Server. You can now create a copy of the domain on the local storage for each of your managed server hosts. The domain directory on the local (or private) storage will be used to run the Managed Servers.
Starting the Node Manager in the Managed Server Domain Directory on OAMHOST1

Parent topic: Creating Infrastructure for Oracle Access Management

Starting the Node Manager in the Administration Server Domain Home

Use these steps to start the per-domain Node Manager for the IAD_ASERVER_HOME domain directory.

Verify that the listen address in the nodemanager.properties file is set correctly.
1. Open the nodemanager.properties file for editing:
```
vi IAD_ASERVER_HOME/nodemanager/nodemanager.properties
```
2. Make sure the ListenAddress property is set to the value of the ADMINVHN virtual IP address.
3. Make sure that QuitEnabled is set to ‘true’. If this line is not present in the nodemanager.properties file, add the following line:
```
QuitEnabled=true
```
Change to the following directory:
```
cd IAD_ASERVER_HOME/bin
```
Start the Node Manager by entering the following command:
```
nohup ./startNodeManager.sh > IAD_ASERVER_HOME/nodemanager/nodemanager.out 2>&1 &
```
For more information about additional Node Manager configuration options, see Administering Node Manager for Oracle WebLogic Server.

Parent topic: Configuring the Domain Directories and Starting the Servers

Creating the boot.properties File

You must create a boot.properties if you want to start the Administrator Server without being prompted for the Administrator Server credentials. This step is required in an enterprise deployment. When you start the Administration Server, the credentials that you enter in this file are encrypted.

To create a boot.properties file for the Administration Server:

Create the following directory structure:

mkdir -p IAD_ASERVER_HOME/servers/AdminServer/security

In a text editor, create a file called boot.properties in the security directory that you created in the previous step, and enter the Administration Server credentials that you defined when you ran the Configuration Wizard to create the domain:
```
username=adminuser
password=password
```
Note:

When you start the Administration Server, the username and password entries in the file are encrypted.

For security reasons, minimize the amount of time the entries in the file are left unencrypted; after you edit the file, you should start the server as soon as possible so that the entries are encrypted.
Save the file and close the editor.

Parent topic: Configuring the Domain Directories and Starting the Servers

Performing the Post-Configuration Tasks for Oracle Access Management Domain

Complete the post-configuration tasks for Oracle Access Management domain.

Topics:

Disabling the Derby Database
Enabling the Managed Servers to use IPv6 Networking
If the Managed Server is configured to use IPv6 networking, then you may encounter issues when you start the Managed Server.
Setting the Memory Parameters in IAMAccessDomain
The initial startup parameter in the IAMAccessDomain, which defines the memory usage, is insufficient. You must increase the value of this parameter.

Parent topic: Configuring the Domain Directories and Starting the Servers

Disabling the Derby Database

Disable the embedded Derby database, which is a file-based database, packaged with Oracle WebLogic Server. The Derby database is used primarily for development environments. As a result, you must disable it when you are configuring a production-ready enterprise deployment environment; otherwise, the Derby database process starts automatically when you start the Managed Servers.

To disable the Derby database:

Navigate to the following directory in the Oracle home:
```
cd WL_HOME/common/derby/lib
```
Rename the Derby library jar file:
```
mv derby.jar disable_derby.jar
```
If each host uses a separate file system, repeat steps 1 and 2 on each host.

Parent topic: Performing the Post-Configuration Tasks for Oracle Access Management Domain

Enabling the Managed Servers to use IPv6 Networking

If the Managed Server is configured to use IPv6 networking, then you may encounter issues when you start the Managed Server.

To do this, complete the following steps:

Edit the IAD_ASERVER_HOME/bin/setUserOverrides.sh file to add the following line:
```
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"
```
Note:
If the file does not exist, then create it.
Save and close the file.

Parent topic: Performing the Post-Configuration Tasks for Oracle Access Management Domain

Setting the Memory Parameters in IAMAccessDomain

The initial startup parameter in the IAMAccessDomain, which defines the memory usage, is insufficient. You must increase the value of this parameter.

To change the memory allocation setting, do the following:

Change the following memory allocation in the IAD_ASERVER_HOME/bin/setUserOverrides.sh file, by updating the Java maximum memory allocation pool (Xmx) to 8192m and initial memory allocation pool (Xms) to 1024m. For example, add the following line to be:
```
MEM_ARGS="-Xms4096m -Xmx8192m"
```
Save and close the file.

Parent topic: Performing the Post-Configuration Tasks for Oracle Access Management Domain

Starting the Administration Server Using the Node Manager

After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.

To start the Administration Server by using the Node Manager:

Start the WebLogic Scripting Tool (WLST):

cd ORACLE_COMMON_HOME/common/bin
./wlst.sh

Connect to Node Manager by using the Node Manager credentials:
```
wls:/offline>nmConnect('nodemanager_username','nodemanager_password',
            'ADMINVHN','5556','domain_name',
            'IAD_ASERVER_HOME')
```
Note:

This user name and password are used only to authenticate connections between Node Manager and clients. They are independent of the server administrator ID and password and are stored in the nm_password.properties file located in the following directory:
```
IAD_ASERVER_HOME/config/nodemanager
```
Start the Administration Server:
```
nmStart('AdminServer')
```
Note:

When you start the Administration Server, it attempts to connect to Oracle Web Services Manager for WebServices policies. It is expected that the WSM-PM Managed Servers are not yet started, and so, the following message appears in the Administration Server log:
```
<Warning><oracle.wsm.resources.policymanager>
<WSM-02141><Unable to connect to the policy access service due to Oracle WSM policy manager host server being down.>
```
Exit WLST:
```
exit()
```

Parent topic: Configuring the Domain Directories and Starting the Servers

Validating the Administration Server

Before proceeding with the configuration steps, validate that the Administration Server has started successfully by making sure you have access to the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control, which both are installed and configured on the Administration Servers.

To navigate to Fusion Middleware Control, enter the following URL, and log in with the Oracle WebLogic Server administrator credentials:

http://adminvhn:7001/em

To navigate to the Oracle WebLogic Server Administration Console, enter the following URL, and log in with the same administration credentials:

http://adminvhn:7001/console

Parent topic: Configuring the Domain Directories and Starting the Servers

Creating a Separate Domain Directory for Managed Servers

When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory will be used to run the Administration Server. You can now create a copy of the domain on the local storage for each of your managed server hosts. The domain directory on the local (or private) storage will be used to run the Managed Servers.

Note:

If you are creating a domain for Oracle Access Management, it is not necessary to perform this step at this time. This is because, at the time of infrastructure creation, there are no managed servers in existence yet.

Placing the IAD_MSERVER_HOME on local storage is recommended to eliminate the potential contention and overhead cause by servers writing logs to shared storage. It is also faster to load classes and jars need from the domain directory, so any temporary or cache data that Managed Servers use from the domain directory is processed quicker.

As described in Preparing the File System for an Enterprise Deployment, the path to the Administration Server domain home is represented by the IAD_ASERVER_HOME variable, and the path to the Managed Server domain home is represented by the IAD_MSERVER_HOME variable.

To create the Managed Server domain directory:

Sign in to the host running the Administration Server, for example, OAMHOST1, and run the pack command to create a template as follows:
```
cd ORACLE_COMMON_HOME/common/bin
 
./pack.sh -managed=true \ 
          -domain=IAD_ASERVER_HOME \ 
          -template=/full_path/edgdomaintemplate.jar \ 
          -template_name=edg_domain_template \
	  -log_priority=DEBUG \ 
          -log=/tmp/pack.log
```
In this example:
- Replace IAD_ASERVER_HOME with the actual path to the domain directory you created on the shared storage device.
- Replace full_path with the complete path to the location where you want to create the domain template jar file. You will need to reference this location when you copy or unpack the domain template jar file. It is recommended to choose a shared volume other than ORACLE_HOME, or write to /tmp/ and copy the files manually between servers.
  
  You must specify a full path for the template jar file as part of the -template argument to the pack command:
```
SHARED_CONFIG_DIR/domains/template_filename.jar
```
- edgdomaintemplate.jar is a sample name for the jar file you are creating, which will contain the domain configuration files.
- edg_domain_template is the label assigned to the template data stored in the template file.
Make a note of the location of the edgdomaintemplate.jar file you just created with the pack command.

Tip:

For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.
If you haven't already, create the recommended directory structure for the Managed Server domain on the OAMHOST1 local storage device.

Use the examples in File System and Directory Variables Used in This Guide as a guide.
Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
```
cd ORACLE_COMMON_HOME/common/bin

./unpack.sh -domain=IAD_MSERVER_HOME \
            -overwrite_domain=true \
            -template=/full_path/edgdomaintemplate.jar \
	    -log_priority=DEBUG \
            -log=/tmp/unpack.log \
            -app_dir=APPLICATION_HOME
```
Note:

The -overwrite_domain option in the unpack command allows unpacking a managed server template into an existing domain and existing applications directories. For any file that is overwritten, a backup copy of the original is created. If any modifications had been applied to the start scripts and ear files in the managed server domain directory, they must be restored after this unpack operation.

Additionally, to customize server startup parameters that apply to all servers in a domain, you can create a file called setUserOverridesLate.sh and configure it to, for example, add custom libraries to the WebLogic Server classpath, specify additional JAVA command line options for running the servers, or specify additional environment variables. Any customizations you add to this file are preserved during domain upgrade operations, and are carried over to remote servers when using the pack and unpack commands.

In this example:
- Replace IAD_MSERVER_HOME with the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain will be unpacked.
- Replace /full_path/edgdomaintemplate.jar with the complete path and file name of the domain template jar file that you created when you ran the pack command to pack up the domain on the shared storage device.
- Replace APPLICATION_HOME with the complete path to the Application directory for the domain on shared storage. See File System and Directory Variables Used in This Guide.
Tip:

For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.
Change directory to the newly created Managed Server directory and verify that the domain configuration files were copied to the correct location on the OAMHOST1 local storage device.

Parent topic: Configuring the Domain Directories and Starting the Servers

Starting the Node Manager in the Managed Server Domain Directory on OAMHOST1

After you create the Managed Server domain directory, there are two domain home directories and two corresponding Node Manager instances on OAMHOST1. You use one Node Manager to control the Administration Server, running from Administration Server domain home, and you use the other Node Manager to control the Managed Servers, running from the Managed Server domain home.

You must start the two Node Managers independently.

Note:

The Node Manager for the Managed Server's IAD_MSERVER_HOME will be reset every time the domain configuration is unpacked. The ListenAddress will be changed to the ADMINVHN instead of the correct hostname. This needs to be changed to the correct value before starting the Node Manager service after an unpack is performed.

Follow these steps to update and start the Node Manager from the Managed Server home:

Verify that the listen address in the nodemanager.properties file is set correctly, by completing the following steps:
1. Change to the following directory:
  IAD_MSERVER_HOME/nodemanager/
2. Open the nodemanager.properties file for editing.
3. Update the ListenAddress property to the correct hostname as follows:
```
OAMHOST1: ListenAddress=OAMHOST1
```
4. Update the ListenPort property with the correct Listen Port details.
5. Make sure that QuitEnabled is set to ‘true’. If this line is not present in the nodemanager.properties file, add the following line:
```
QuitEnabled=true
```
Change to the following directory:
IAD_MSERVER_HOME/bin

Use the following command to start the Node Manager:

nohup ./startNodeManager.sh > IAD_MSERVER_HOME/nodemanager/nodemanager.out 2>&1 &

For information about additional Node Manager configuration options, see Administering Node Manager for Oracle WebLogic Server.

Parent topic: Configuring the Domain Directories and Starting the Servers

Propagating the Domain and Starting the Node Manager on OAMHOST2

After you start and validate the Administration Server and WLS_WSM1 Managed Server on OAMHOST1, you can then perform the following tasks on OAMHOST2..

Parent topic: Creating Infrastructure for Oracle Access Management

Unpacking the Domain Configuration on OAMHOST2

Now that you have the Administration Server and the first WLS_WSM1 Managed Server running on OAMHOST1, you can configure the domain on OAMHOST2.

Log in to OAMHOST2.
If you haven't already, create the recommended directory structure for the Managed Server domain on the OAMHOST2 storage device.

Use the examples in File System and Directory Variables Used in This Guide as a guide.
Make sure the oimdomaintemplate.jar accessible to OAMHOST2.
For example, if you are using a separate shared storage volume or partition for OAMHOST2, then copy the template to the volume or partition mounted to OAMHOST2.
Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
```
cd ORACLE_COMMON_HOME/common/bin

./unpack.sh -domain=IAD_MSERVER_HOME
            -overwrite_domain=true
            -template=/full_path/create_domain.jar 
            -log_priority=DEBUG
            -log=/tmp/unpack.log
            -app_dir=APPLICATION_HOME
```
In this example:
- Replace IAD_MSERVER_HOME with the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain will be unpacked.
- Replace full_path with the complete path and file name of the domain template jar file that you created when you ran the pack command to pack up the domain on the shared storage device.
- Replace APPLICATION_HOME with the complete path to the Application directory for the domain on shared storage. See File System and Directory Variables Used in This Guide.
Tip:

For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.
Change directory to the newly created IAD_MSERVER_HOME directory and verify that the domain configuration files were copied to the correct location on the OAMHOST2 local storage device.

Parent topic: Propagating the Domain and Starting the Node Manager on OAMHOST2

Starting the Node Manager in the Managed Server Domain Directory on OAMHOST2

Follow these steps to update and start the Node Manager from the Managed Server home:

Verify that the listen address in the nodemanager.properties file is set correctly, by completing the following steps:
1. Change directory to the IAD_MSERVER_HOME binary directory:
```
cd IAD_MSERVER_HOME/nodemanager
```
2. Open the nodemanager.properties file for editing.
3. Validate the ListenAddress property to the correct hostname as follows:
```
OAMHOST2: ListenAddress=OAMHOST2
```
4. Update the ListenPort property with the correct Listen Port details.
5. Make sure that QuitEnabled is set to ‘true’. If this line is not present in the nodemanager.properties file, add the following line:
```
QuitEnabled=true
```
Change directory to the IAD_MSERVER_HOME binary directory:
```
cd IAD_MSERVER_HOME/bin
```

Use the following command to start the Node Manager:

nohup ./startNodeManager.sh > $IAD_MSERVER_HOME/nodemanager/nodemanager.out 2>&1 &

For information about additional Node Manager configuration options, see Administering Node Manager for Oracle WebLogic Server.

Parent topic: Propagating the Domain and Starting the Node Manager on OAMHOST2

Removing OAM Server from WebLogic Server 12c defaultCoherenceCluster

You must exclude all Oracle Access Management (OAM) clusters (including policy manager and OAM runtime server) from the default WebLogic Server 12c coherence cluster using the WebLogic Server Administration Console.

From 12.2.1.3.0 onwards, OAM server-side session management uses database and does not require coherence cluster to be established. In some environments, warnings and errors are observed due to default coherence cluster initialized by WebLogic. To avoid or fix these errors, exclude all of the OAM clusters from default WebLogic Server coherence cluster using the following steps:

Log in to the WebLogic Server Administration Console, using the URL:
http://IADADMINVHN.example.com:7001/console
In the left pane of the console, expand Environment and select Coherence Clusters.
The Summary of Coherence Clusters page displays the Coherence cluster configurations that have been created in this domain.
Click defaultCoherenceCluster and select the Members tab.
Click Lock and Edit.
From Servers and Clusters, deselect all OAM clusters (including policy manager and OAM runtime server).
Click Save.
Click Activate changes.

Parent topic: Creating Infrastructure for Oracle Access Management

Adding a Load Balancer Certificate to JDK Trust Stores

Some IAM Products require that the SSL certificate used by the load balancer be added to the trusted certificates in the JDK. To add the certificate, do the following:

Create a directory to hold user created keystores and certificates. For example:
mkdir SHARED_CONFIG_DIR/keystores
Obtain the certificate from the load balancer. You can obtain the load balancer certificate from using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:
```
openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/LOADBALANCER.pem 
```
For example:
```
openssl s_client -connect login.example.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/login.example.com.pem
```
Note:
This command saves the certificate to a file called login.example.com.pem in SHARED_CONFIG_DIR/keystores.
Load the certificate into the JDK and Node Manager Trust Stores by running the following command to import the CA certificate file, login.example.com.pem, into the JAVA_HOME.
Set JAVA_HOME to JAVA_HOME
Set PATH to include JAVA_HOME/bin.

Execute the following command to import the certificate into the Java trust store.

keytool -importcert -alias login.example.com -file SHARED_CONFIG_DIR/keystores/login.example.com.pem -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts

Enter a password for the keystore. The default password for the JDK is changeit. The default password for the Node Manager keystores is COMMON_IAM_PASSWORD. You will be prompted to confirm that the certificate is valid.

Parent topic: Creating Infrastructure for Oracle Access Management

Tuning the oamDS Data Source

For optimium performance, increase the number of connections allowed by the OAM data source.

To tune oamDS, complete the following steps:

http://IADADMINVHN.example.com:7001/console

Click Lock & Edit.
In Domain Structure, expand Services, and then click Data Sources.
Click oamDS.
In Settings for oamDS, click the Configuration tab, and then the Connection Pool tab. Change the values for the following:
- Initial Capacity to 800
- Maximum Capacity to 800
- Minimum Capacity to 800
Click Save.
Click Activate Changes.

Parent topic: Creating Infrastructure for Oracle Access Management

Enabling Virtualization

Use the Fusion Middleware Control to enable virtualization.

To enable virtualization:

Log in to Oracle Fusion Middleware console using the URL:
http://IADADMINVHN.example.com:7001/em
Click WebLogic Domain > Security > Security Provider Configuration.
Expand Security Store Provider.
Expand Identity Store Provider.
Click Configure.
Add a custom property.
Select property “virtualize” with value “true” and click OK.
Click OK again to persist the change.

For more information about the virtualize property, see OPSS System and Configuration Properties in Securing Applications with Oracle Platform Security Services.

Parent topic: Creating Infrastructure for Oracle Access Management

Configuring the WebLogic Proxy Plug-In

Before you can validate that requests are routed correctly through the Oracle HTTP Server instances, you must set the WebLogic Plug-In Enabled parameter. It is recommended to set the WebLogic Plug-In Enabled parameter at the domain level. Any clusters or servers not using the plugin via the web-tier can have their WebLogic Plug-In Enabled parameter value set to no on an exception basis as needed.

Log in to the Oracle WebLogic Server Administration Console.
In the Domain Structure pane, click on the top-level domain node.
Click Lock & Edit in the Change Center.
Click on the Domain Name.
Click on the Web Applications tab.
Locate and select the WebLogic PlugIn Enabled option.
Click Save.
Click Activate Changes in the Change Center.
Restart the Administration Server.

Parent topic: Creating Infrastructure for Oracle Access Management