Table of Contents
- Title and Copyright Information
- Preface
- Part I Understanding an Enterprise Deployment
  - 1 Enterprise Deployment Overview
  - 2 About a Typical Enterprise Deployment
    - Diagram of a Typical Enterprise Deployment
    - About the Typical Enterprise Deployment Topology Diagram
      - Understanding the Firewalls and Zones of a Typical Enterprise Deployment
      - About the Elements of a Typical Enterprise Deployment Topology
      - Receiving Requests Through Hardware Load Balancer
      - About Web Tier
      - About the Application Tier
        - Configuration of the Administration Server and Managed Servers Domain Directories
        - Using Oracle Web Services Manager in the Application Tier
        - Best Practices and Variations on the Configuration of the Clusters and Hosts on the Application Tier
        - About the Node Manager Configuration in a Typical Enterprise Deployment
        - About Using Unicast for Communications within the Application Tier
        - About OPSS and Requests to the Authentication and Authorization Stores
      - About the Data Tier
  - 3 About the IAM Enterprise Deployment
    - About the Primary and Build-Your-Own Enterprise Deployment Topologies
    - Diagram of Oracle Identity and Access Management on Distributed Hardware
    - About the Primary Oracle Identity and Access Management Topology Diagrams
    - About the Forgotten Password Functionality
    - Integrating Oracle LDAP, Oracle Access Manager, and Oracle Identity Governance
    - Roadmap for Implementing the Primary IAM Suite Topologies
    - Building Your Own Oracle Identity and Access Management Topology
    - About Using Service or Server Migration to Enable High Availability of the Enterprise Topology
  - 4 About a Multi-Data Center Deployment
    - About the Oracle Identity and Access Management Multi-Data Center Deployment
    - Administering Oracle Identity and Access Management Multi-Data Center Deployment
    - About the Requirements for Multi-Data Center Deployment
      - About the Multi-Data Center Deployment Topology
      - About the Entry Points in Multi-Data Center Deployment
      - About the Databases in Multi-Data Center Deployment
      - About the Directory Tier in Multi-Data Center Deployment
      - About the Load Balancers in Multi-Data Center Deployment
      - Shared Storage Versus Database for Transaction Logs and Persistent Stores
    - About the Characteristics of a Multi-Data Center Deployment
- Part II Preparing for an Enterprise Deployment
  - 5 Using the Enterprise Deployment Workbook
    - Introduction to the Enterprise Deployment Workbook
    - Typical Use Case for Using the Workbook
    - Who Should Use the Enterprise Deployment Workbook?
    - Using the Oracle Identity and Access Management Enterprise Deployment Workbook
  - 6 Procuring Resources for an Enterprise Deployment
    - Hardware and Software Requirements for the Enterprise Deployment Topology
    - Reserving the Required IP Addresses for an Enterprise Deployment
    - Identifying and Obtaining Software Distributions for an Enterprise Deployment
  - 7 Preparing the Load Balancer and Firewalls for an Enterprise Deployment
    - Configuring Virtual Hosts on the Hardware Load Balancer
      - Overview of the Hardware Load Balancer Configuration
      - Typical Procedure for Configuring the Hardware Load Balancer
      - Load Balancer Health Monitoring
      - Summary of the Virtual Servers Required for an Enterprise Deployment
      - Summary of the Virtual Servers Required for an Oracle Identity and Access Management Deployment
    - Configuring Global Load Balancers
    - Configuring the Firewalls and Ports for an Enterprise Deployment
  - 8 Preparing the File System for an Enterprise Deployment
    - Overview of Preparing the File System for an Enterprise Deployment
    - Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment
    - About the Recommended Directory Structure for an Enterprise Deployment
    - File System and Directory Variables Used in This Guide
    - About Creating and Mounting the Directories for an Enterprise Deployment
    - Summary of the Shared Storage Volumes in an Enterprise Deployment
  - 9 Preparing the Operating System for an Oracle Identity and Access Management Deployment
  - 10 Preparing the Host Computers for an Enterprise Deployment
    - Verifying the Minimum Hardware Requirements for Each Host
    - Verifying Linux Operating System Requirements
    - Enabling Unicode Support
    - Setting the DNS Settings
    - Configuring Users and Groups
    - Configuring a Host to Use an NTP (time) Server
    - Configuring a Host to Use an NIS/YP Host
    - Mounting the Required Shared File Systems on Each Host
    - Enabling the Required Virtual IP Addresses on Each Host
  - 11 Preparing the Database for an Enterprise Deployment
- Part III Configuring the Enterprise Deployment
  - 12 Configuring Oracle LDAP for an Enterprise Deployment
    - Configuring Oracle Unified Directory
    - Configuring Oracle HTTP Server for Oracle Unified Directory Services Manager
    - Preparing an Existing LDAP Directory
  - 13 Creating Infrastructure for Oracle Access Management
    - About the Initial Infrastructure Domain
    - Variables Used When Creating Infrastructure for Oracle Access Management
    - Installing the Oracle Fusion Middleware Infrastructure
    - Installing Oracle Access Management for an Enterprise Deployment
    - Configuring LDAP
    - Creating the Database Schemas for Access Manager
    - Configuring the Oracle Access Management Domain
    - Configuring the Domain Directories and Starting the Servers
      - Starting the Node Manager in the Administration Server Domain Home
      - Creating the boot.properties File
      - Performing the Post-Configuration Tasks for Oracle Access Management Domain
      - Starting the Administration Server Using the Node Manager
      - Validating the Administration Server
      - Creating a Separate Domain Directory for Managed Servers
      - Starting the Node Manager in the Managed Server Domain Directory on OAMHOST1
      - Propagating the Domain and Starting the Node Manager on OAMHOST2
    - Removing OAM Server from WebLogic Server 12c defaultCoherenceCluster
    - Adding a Load Balancer Certificate to JDK Trust Stores
    - Tuning the oamDS Data Source
    - Enabling Virtualization
    - Configuring the WebLogic Proxy Plug-In
  - 14 Creating Infrastructure for Oracle Identity Governance
    - Synchronizing the System Clocks
    - About the Initial Infrastructure Domain
    - Variables Used When Creating the Infrastructure Domain
    - Support for Dynamic Clusters in Infrastructure Domains
    - Installing the Oracle Fusion Middleware Infrastructure on OIMHOST1
    - Installing Oracle Identity Governance for an Enterprise Deployment
      - Starting the SOA Suite Installer on OIMHOST1
      - Navigating the Oracle SOA Suite Installation Screens
      - Starting the Oracle Identity and Access Management Installer
      - Navigating the Oracle Identity and Access Management Installation Screens
      - Verifying the Installation
    - Downloading the Oracle Connector Bundle
    - Installing the Oracle Identity Governance Connector
    - Creating the Database Schemas for Oracle Identity Governance
    - Configuring the Oracle Identity Governance Domain
    - Performing Additional Domain Configuration Steps
    - Creating Oracle Identity Manager Authenticator
    - Configuring the Domain Directories and Starting the Servers
      - Starting the Node Manager in the Administration Server Domain Home
      - Creating the boot.properties File
      - Disabling the Derby Database
      - Enabling the Managed Servers to Use IPv6 Networking
      - Setting the Memory Parameters in IAMGovernanceDomain
      - Starting the Administration Server Using the Node Manager
      - Validating the Administration Server
      - Creating a Separate Domain Directory for Managed Servers
      - Starting the Node Manager in the Managed Server Domain Directory on OIMHOST1
      - Configuring Listen Addresses When Using Dynamic Clusters
      - Starting and Validating the WLS_WSM1 Managed Server on OIMHOST1
      - Configuring Listen Addresses When Using Dynamic Clusters
      - Propagating the Domain and Starting the Servers on OIMHOST2
    - Modifying the Upload and Stage Directories to an Absolute Path
    - About the Supported Authentication Providers
    - Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group
    - Adding a Load Balancer Certificate to JDK Trust Stores for OIG
    - Configuring the WebLogic Proxy Plug-In
    - Backing Up the Configuration
    - Verification of Manual Failover of the Administration Server
  - 15 Configuring Oracle HTTP Server for an Enterprise Deployment
    - Variables Used When Configuring the Oracle HTTP Server
    - About the Oracle HTTP Server Domains
    - Installing a Supported JDK
    - Installing Oracle HTTP Server on WEBHOST1
    - Creating an Oracle HTTP Server Domain on WEBHOST1
    - Installing and Configuring an Oracle HTTP Server Domain on WEBHOST2
    - Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2
    - Backing Up the Configuration
    - Configuring Oracle HTTP Server to Route Requests to the Application Tier
      - About the Oracle HTTP Server Configuration for an Enterprise Deployment
      - Modifying the httpd.conf File to Include Virtual Host Configuration Files
      - Modifying the httpd.conf File to Set Server Runtime Parameters
      - Creating the Virtual Host Configuration Files
      - Configuring Routing to the Administration Server and Oracle Web Services Manager
      - Configuring Oracle HTTP Server for Oracle Access Manager Managed Servers
      - Configuring Oracle HTTP Server for Oracle Identity Governance Managed Servers
      - Validating the Virtual Server Configuration and Access to the Consoles
      - Restarting the OHS Instances on OHSHOST1 and OHSHOST2
      - Sample Virtual Host Files
  - 16 Configuring Oracle Access Management
    - Variables Used in This Chapter
    - Configuring and Integrating with LDAP
    - Updating WebGate Agents
    - Updating Host Identifiers
    - Adding Missing Policies to OAM
    - Updating Federation Service Details
    - Updating Idle Timeout Value
    - Validating the Authentication Providers
    - Configuring Oracle ADF and OPSS Security with Oracle Access Manager
    - Starting the Managed Servers in the Domain
    - Validating Access Manager
    - Enabling Forgotten Password
      - Prerequisites for Enabling Forgotten Password
      - Add Permissions to oamLDAP User
      - Create an OTP Administrative Group in LDAP
      - Enabling Adaptive Authentication Service
      - Configuring Adaptive Authentication Plug-in
      - Enabling Password Management in the Directory
      - Storing User Messaging Credentials in CSF
      - Setup for Forgot Password Link on Login Page
      - Restarting the Domain
      - Validating the Forgotten Password Functionality
    - Backing Up the Configuration
  - 17 Configuring Oracle Identity Governance
    - Variables Used When Configuring Oracle Identity Governance
    - Starting and Validating the Oracle Identity Governance Managed Servers
    - Analyzing the Bootstrap Report
    - Validating the Fusion Middleware Control Application
    - Configuring the Web Tier for the Domain
    - Managing the Notification Service
    - Configuring the Messaging Drivers
    - Increasing Database Connection Pool Size
    - Forcing Oracle Identity Governance to Use Correct Multicast Address
    - Integrating Oracle Identity Governance with LDAP
    - Integrating Oracle Identity Governance and Oracle Access Manager
    - Running the Reconciliation Jobs
    - Update the SOA Integration URL
    - Configuring OIM Workflow Notifications to Be Sent by Email
    - Adding the wsm-pm Role to the Administrators Group
    - Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service
    - Restarting the IAMGovernanceDomain
    - Setting Challenge Questions
    - Integrating Oracle Identity Manager with Oracle Business Intelligence Publisher
      - Creating a User to Run BI Reports
      - Configuring Oracle Identity Manager to Use BI Publisher
      - Assigning the BIServiceAdministrator Role to idm_report
      - Storing the BI Credentials in Oracle Identity Governance
      - Creating OIM and BPEL Data Sources in BIP
      - Deploying Oracle Identity Governance Reports to BI
      - Enable Certification Reports
      - Validating the Reports
  - 18 Configuring Multi-Data Center
    - Variables Used When Configuring Multi-Data Center
    - Roadmap for Configuring Multi-Data Center Deployment
    - Procuring Resources for a Multi-Data Center Deployment
    - Preparing the Load Balancer for a Multi-Data Center Deployment
    - Preparing the File System for a Multi-Data Center Deployment
    - Preparing the Host Computers for a Multi-Data Center Enterprise Deployment
    - Preparing the Database for a Multi-Data Center Deployment
    - Configuring Oracle LDAP for a Multi-Data Center Deployment
    - Configuring the Web Tier for a Multi-Data Center Deployment
    - Creating the Oracle Access Management Infrastructure for a Multi-Data Center Deployment
    - Configuring Oracle Access Management for a Multi-Data Center Deployment
    - Creating the Oracle Identity Governance Infrastructure for a Multi-Data Center Deployment
    - Configuring Oracle Identity Governance for a Multi-Data Center Deployment
    - Updating TAP Endpoint
    - Enabling Multi-Data Center
- Part IV Common Configuration and Management Procedures for an Enterprise Deployment
  - 19 Common Configuration and Management Tasks for an Enterprise Deployment
    - Configuration and Management Tasks for All Enterprise Deployments
      - Verifying Appropriate Sizing and Configuration for the WLSSchemaDataSource
      - Verifying Manual Failover of the Administration Server
      - Configuring Listen Addresses in Dynamic Cluster Server Templates
      - Modifying the Upload and Stage Directories to an Absolute Path in an Enterprise Deployment
      - Setting the Front End Host and Port for a WebLogic Cluster
      - Enabling SSL Communication Between the Middle Tier and the Hardware Load Balancer
        - When Is SSL Communication Between the Middle Tier and Load Balancer Necessary?
        - Generating Self-Signed Certificates Using the utils.CertGen Utility
        - Creating an Identity Keystore Using the utils.ImportPrivateKey Utility
        - Creating a Trust Keystore Using the Keytool Utility
        - Importing the Load Balancer Certificate into the Truststore
        - Adding the Updated Trust Store to the Oracle WebLogic Server Start Scripts
        - Configuring WebLogic Servers to Use the Custom Keystores
      - Using Persistent Stores for TLOGs and JMS in an Enterprise Deployment
        - Products and Components That Use JMS Persistence Stores and TLOGs
        - JDBC Persistent Stores vs. File Persistent Stores
        - Using JDBC Persistent Stores for TLOGs and JMS in an Enterprise Deployment
          - Recommendations for TLOGs and JMS Datasource Consolidation
          - Roadmap for Configuring a JDBC Persistent Store for TLOGs
          - Roadmap for Configuring a JDBC Persistent Store for JMS
          - Creating a User and Tablespace for TLOGs
          - Creating a User and Tablespace for JMS
          - Creating GridLink Data Sources for TLOGs and JMS Stores
          - Assigning the TLOGs JDBC Store to the Managed Servers
          - Creating a JDBC JMS Store
          - Assigning the JMS JDBC Store to the JMS Servers
          - Creating the Required Tables for the JMS JDBC Store
        - Using File Persistent Stores for TLOGs and JMS in an Enterprise Deployment
        - About JDBC Persistent Stores for Web Services
      - Performing Backups and Recoveries for an Enterprise Deployment
    - Configuration and Management Tasks for an Oracle Identity and Access Management Enterprise Deployment
      - Considerations for Cross-Component Wiring
      - Starting and Stopping Servers in Dynamic Clusters
      - Expanding or Reducing Dynamic Clusters
  - 20 Using Whole Server Migration and Service Migration in an Enterprise Deployment
    - About Whole Server Migration and Automatic Service Migration in an Enterprise Deployment
    - Creating a GridLink Data Source for Leasing
    - Configuring Whole Server Migration for an Enterprise Deployment
    - Configuring Automatic Service Migration in an Enterprise Deployment
      - Setting the Leasing Mechanism and Data Source for an Enterprise Deployment Cluster
      - Configuring Automatic Service Migration for Static Clusters
        - Changing the Migration Settings for the Managed Servers in the Cluster
        - About Selecting a Service Migration Policy
        - Setting the Service Migration Policy for Each Managed Server in the Cluster
        - Validating Automatic Service Migration in Static Clusters
        - Failing Back Services After Automatic Service Migration
      - Configuring Automatic Service Migration for Dynamic Clusters
  - 21 Scaling Procedures for an Enterprise Deployment
  - 22 Configuring Single Sign-On for an Enterprise Deployment
    - About Oracle WebGate
    - General Prerequisites for Configuring Oracle HTTP Server WebGate
    - Configuring Oracle HTTP Server 12c WebGate for an Enterprise Deployment
    - Enabling OAM REST OAP Calls
    - Adding a Load Balancer Certificate to WebGate
    - Copying WebGate Artifacts to the Web Tier
    - Restarting the Oracle HTTP Server Instance
    - Setting Up the WebLogic Server Authentication Providers
    - Configuring Oracle ADF and OPSS Security with Oracle Access Manager
  - 23 Sanity Checks
    - Sanity Checks for Oracle Access Management
      - Verifying LDAP Authentication for OAM Agent Protected Application for Valid User
      - Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Password
      - Verifying LDAP Authentication Failure for OAM Agent Protected Application for Invalid Username
      - Verifying Access of OAM Agent Protected Unavailable Resource
      - Verifying Access of Resource That Was Recently Deleted or Replaced from the Policy
    - Sanity Checks for Oracle Identity Governance
      - Creating Organization
      - Creating a User Name
      - Creating Role
      - Managing Sandboxes
      - Publishing a Sandbox
      - Adding User Defined Field (UDF) for a User
      - Creating a Disconnected Application and Provision
      - Importing and Configuring DB User Management
      - Creating an Access Policy and Provision
      - Creating End User Request for Accounts, Entitlements, and Roles
      - Resetting Account Password
      - Creating a Certification and Approving
      - Creating Identity Audit Scan Definitions and Viewing Its Results
      - Testing Identity Audit
  - 24 Troubleshooting
    - Troubleshooting IDMLCM Start/Stop Scripts
    - Troubleshooting Oracle Access Management Access Manager
      - Access Manager Runs Out of Memory
      - User Reaches the Maximum Allowed Number of Sessions
      - Policies Do Not Get Created When Oracle Access Management Access Manager Is First Installed
      - You Are Not Prompted for Credentials After Accessing a Protected Resource
      - Cannot Log In to Access Management Console
      - Oracle Coherence Cluster Startup Errors in WLS_AMA Server Logs
      - Errors in Log File When Starting OAM Servers
      - Too Many Redirects Error in Browser
    - Troubleshooting Oracle Identity Governance
      - OIM Bootstrap Process Fails
      - java.io.FileNotFoundException When Running Oracle Identity Governance Configuration
      - ResourceConnectionValidationException When Creating User in Oracle Identity Governance
      - Oracle Identity Manager Reconciliation Jobs Fail
      - OIM Reconciliation Jobs Fail When Running Against Oracle Unified Directory
      - Cannot Open Reports from OIM Self Service Console
      - Pending Violations Not Displaying the Correct List
    - Troubleshooting Oracle SOA Suite
    - Troubleshooting Integration OIGOAMIntegration.sh-configureLDAPConnector
    - General Troubleshooting