1. Installing and Configuring Oracle Identity and Access Management
  2. Installing and Configuring the Oracle Access Management Software

3 Installing and Configuring the Oracle Access Management Software

Follow the steps in this section to install and configure the Oracle Access Management software.

Installing the Oracle Access Management Software

Follow the steps in this section to install the Oracle Access Management software.
Before beginning the installation, ensure that you have verified the prerequisites and completed all steps covered in Preparing to Install and Configure.

Note:

If you are using both Oracle Access Management and Oracle Identity Governance then you must install them in separate ORACLE_HOMEs.

The only supported method of installation for Oracle Access Management 14c (14.1.2.1.0) is the traditional method, where you individually install Oracle Fusion Middleware Infrastructure and then install Oracle Access Management.

Dependant Software for Oracle Access Management:

  • Oracle Fusion Middleware Infrastructure 14c (14.1.2.0.0)

For information about installing Oracle Fusion Middleware Infrastructure 14c (14.1.2.0.0), see Installing the Infrastructure Software in Installing and Configuring the Oracle Fusion Middleware Infrastructure.

For information about supported installation methods, see About Supported Installation Methods.

Parent topic: Installing and Configuring the Oracle Access Management Software

Verifying the Installation and Configuration Checklist

The installation and configuration process requires specific information.

Table 3-1 lists important items that you must know before, or decide during, Oracle Access Management installation and configuration.

Note:

This installation requires a minimum of 32GB memory and 2 core CPU machine.

Table 3-1 Installation and Configuration Checklist

Information Example Value Description

JAVA_HOME

/home/Oracle/Java/jdk17.0.12

Environment variable that points to the Java JDK home directory.

Database host

examplehost.exampledomain

Name and domain of the host where the database is running.

Database port

1521

Port number that the database listens on. The default Oracle database listen port is 1521.

Database service name

orcl.exampledomain

Oracle databases require a unique service name. The default service name is orcl.

DBA username

SYS

Name of user with database administration privileges. The default DBA user on Oracle databases is SYS.

DBA password

password

Password of the user with database administration privileges.

ORACLE_HOME

/home/Oracle/product/ORACLE_HOME

Directory in which you will install your software.

This directory will include Oracle Fusion Middleware Infrastructure and Oracle Access Management, as needed.

WebLogic Server hostname

examplehost.exampledomain

Host name for Oracle WebLogic Server and Oracle Access Management consoles.

Console port

7001

Port for Oracle WebLogic Server and Oracle Access Management consoles.

DOMAIN_HOME

/home/Oracle/config/domains/idm_domain

Location in which your domain data is stored.

APPLICATION_HOME

/home/Oracle/config/applications/idm_domain

Location in which your application data is stored.

Administrator user name for your WebLogic domain

weblogic

Name of the user with Oracle WebLogic Server administration privileges. The default administrator user is weblogic.

Administrator user password

password

Password of the user with Oracle WebLogic Server administration privileges.

RCU

ORACLE_HOME/oracle_common/bin

Path to the Repository Creation Utility (RCU).

RCU schema prefix

oam

Prefix for names of database schemas used by Oracle Access Management.

RCU schema password

myRCUpw674

Password for the database schemas used by Oracle Access Management.

Configuration utility

ORACLE_HOME/oracle_common/common/bin

Path to the Configuration Wizard for domain creation and configuration.

Parent topic: Installing the Oracle Access Management Software

Starting the Installation Program

Before running the installation program, you must verify the JDK and prerequisite software is installed.

To start the installation program:

  1. Sign in to the host system.
  2. Change to the directory where you downloaded the installation program.
  3. You must have installed the Oracle Fusion Middleware Infrastructure 14c (14.1.2.0.0). For instructions, see Installing the Infrastructure Software in Installing and Configuring the Oracle Fusion Middleware Infrastructure.
  4. Start the installation program by running the java executable from the JDK directory.

    • On UNIX operating systems: /home/Oracle/Java/jdk17.0.12/bin/java -jar fmw_14.1.2.1.0_idm.jar

    • On Windows: C:\home\Oracle\Java\jdk17.0.12\bin\java -jar fmw_14.1.2.1.0_idm.jar

Note:

You can also start the installer in silent mode using a saved response file instead of launching the installer screens. For more about silent or command line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.

When the installation program appears, you are ready to begin the installation.

Parent topic: Installing the Oracle Access Management Software

Navigating the Installation Screens

The installer shows a series of screens where you verify or enter information.

Table 4-4 lists the order in which installer screens appear. If you need additional help with an installation screen, click Help.

Table 3-2 Install Screens

Screen Description

Installation Inventory Setup

On Linux or Unix operating systems, this screen opens if this is the first time you are installing any Oracle product on this host. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location.

See About the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

This screen does not appear on Windows operating systems.

Welcome

Review the information to make sure that you have met all the prerequisites, then click Next.

Auto Updates

Select to skip automatic updates, select patches, or search for the latest software updates, including important security updates, through your My Oracle Support account.

Installation Location

Specify your Oracle home directory location.

This Oracle home must include Oracle Fusion Middleware Infrastructure 14c (14.1.2.0.0)

You can click View to verify and ensure that you are installing in the correct Oracle home.

Note:

Ensure that the Oracle Home path does not contain space.

Installation Type

Use the Collocated Installation Type.

Collocated mode is a type of installation that is managed through WebLogic Server. To install in collocated mode, you must have installed the required dependant softwares.

JDK Selection

Note: This screen appears for certain distributions only.

Use this screen to select the JDK to use for this installation.

Refer to the Oracle Fusion Middleware Supported System Configurations information on the Oracle Technology Network (OTN) to verify that the JDK you are using is supported.

Prerequisite Checks

This screen verifies that your system meets the minimum necessary requirements.

To view the list of tasks that gets verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended).

Installation Summary

Use this screen to verify installation options you selected. If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time.

Click Install to begin the installation.

Installation Progress

This screen shows the installation progress.

When the progress bar reaches 100% complete, click Finish to dismiss the installer, or click Next to see a summary.

Installation Complete

This screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer.

Parent topic: Installing the Oracle Access Management Software

Verifying the Installation

After you complete the installation, verify whether it was successful by completing a series of tasks.

Parent topic: Installing the Oracle Access Management Software

Reviewing the Installation Log Files

Review the contents of the installation log files to make sure that the installer did not encounter any problems.

By default, the installer writes logs files to the Oracle_Inventory_Location/logs (on UNIX operating systems) or Oracle_Inventory_Location\logs (on Windows operating systems) directory.

For a description of the log files and where to find them, see Installation Log Files in Installing Software with the Oracle Universal Installer.

Checking the Directory Structure

The contents of your installation vary based on the options that you selected during the installation.

See What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Viewing the Contents of the Oracle Home

You can view the contents of the Oracle home directory by using the viewInventory script.

See Viewing the Contents of an Oracle Home in Installing Software with the Oracle Universal Installer.

Configuring the Oracle Access Management Domain

After you have installed Oracle Access Management, you can configure the domain, which you can also extend for high availability.

The configuration steps presented here assume that you have completed the installation steps covered in:

Refer to the following sections to create the database schemas, configure a WebLogic domain, and verify the configuration:

  • Creating the Database Schemas
    Before you can configure a domain, you must install required schemas on a certified database for use with this release of Oracle Fusion Middleware.
  • Configuring the Domain
    Use the Configuration Wizard to create and configure a domain.
  • Starting the Servers
    After a successful configuration, start all processes and servers, including the Administration Server and any Managed Servers.
  • Verifying the Configuration
    After completing all configuration steps, you can perform additional steps to verify that your domain is properly configured.
  • Setting the Memory Parameters for OAM Domain (Optional)
    If the initial startup parameter in Oracle Access Management domain, which defines the memory usage, is insufficient, you can increase the value of this parameter.
  • Troubleshooting
    This section lists the common issues encountered while configuring Oracle Access Management and their workarounds.

Parent topic: Installing and Configuring the Oracle Access Management Software

Creating the Database Schemas

Before you can configure a domain, you must install required schemas on a certified database for use with this release of Oracle Fusion Middleware.

Note:

As of Oracle Fusion Middleware 14c (14.1.2.1.0), new schemas are created with editions-based redefinition (EBR) views enabled by default. Oracle Identity and Access Management schemas do not support EBR, therefore, in order to use the EBR functionality with your non-OAM schemas, you will have to run the RCU twice.

When EBR is enabled, the schema objects can be upgraded online to a future Fusion Middleware release without any downtime. For more information about using editions-based redefinition, see Using Edition-based Redefinition.

Parent topic: Configuring the Oracle Access Management Domain

Installing and Configuring a Certified Database

Before you create the database schemas, you must install and configure a certified database, and verify that the database is up and running.

Note:

For an Autonomous Transaction Processing database (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing Shared (ATP-S)), you must modify the wallet settings and set the environment variables as described in Settings to connect to Autonomous Transaction Processing Database, and apply patches on ORACLE HOME as described in Applying Patches on ORACLE HOME.

See About Database Requirements for an Oracle Fusion Middleware Installation.

Starting the Repository Creation Utility

Start the Repository Creation Utility (RCU) after you verify that a certified JDK is installed on your system.

To start the RCU:

  1. Verify that a certified JDK already exists on your system by running java -version from the command line. For 14c (14.1.2.1.0), the certified JDK is 17.0.12 and later.
  2. Ensure that the JAVA_HOME environment variable is set to the location of the certified JDK.
  3. Change to the following directory:
    • (UNIX) ORACLE_HOME/oracle_common/bin
    • (Windows) ORACLE_HOME\oracle_common\bin
  4. Enter the following command:
    • (UNIX) ./rcu
    • (Windows) rcu.bat
Navigating the Repository Creation Utility Screens to Create Schemas

Enter required information in the RCU screens to create the database schemas.

Parent topic: Creating the Database Schemas

Introducing the RCU

The Welcome screen is the first screen that appears when you start the RCU.

Click Next.

Selecting a Method of Schema Creation

Use the Create Repository screen to select a method to create and load component schemas into the database.

On the Create Repository screen:

  • If you have the necessary permissions and privileges to perform DBA activities on your database, select System Load and Product Load. This procedure assumes that you have SYSDBA privileges.

  • If you do not have the necessary permissions or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option generates a SQL script that you can give to your database administrator. See About System Load and Product Load in Creating Schemas with the Repository Creation Utility.

  • If the DBA has already run the SQL script for System Load, select Perform Product Load.

    Note:

    For an Autonomous Transaction Processing database (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing Shared (ATP-S)), you must create schemas as a Normal user, and though, you do not have full SYS or SYSDBA privileges on the database, you must select System Load and Product Load.

Providing Database Connection Details

On the Database Connection Details screen, provide the database connection details for the RCU to connect to your database.

Note: As of Oracle Fusion Middleware 14c (14.1.2.1.0), new schemas are created with editions-based redefinition (EBR) views enabled by default. Oracle Identity and Access Management schemas do not support EBR, therefore, in order to use the EBR functionality with your non-OAM schemas (such as SOA), you will have to run the RCU twice. The first time that RCU is run, select Oracle EBR Database for the non-OAM schemas. The second time you run RCU, select Oracle Database for your Oracle Identity and Access Management schemas.

To provide the database connection details:

  1. On the Database Connection Details screen, provide the database connection details. You have two options when creating schemas:
    • Creating schemas for components that support EBR (SOA)
    • Creating schemas for components that do not support EBR (OIM)

    For example, when you are creating schemas for components that support EBR:

    • Database Type: Oracle EBR Database
    • Connection String Format: Connection Parameters or Connection String
    • Connection String: examplehost.exampledomain.com:1521:Orcl.exampledomain.com
    • Host Name: examplehost.exampledomain.com
    • Port: 1521
    • Service Name: Orcl.exampledomain.com
    • Username: sys
    • Password: ******
    • Role: SYSDBA

    When you are creating schemas for components that do not support EBR, select Oracle Database as the Database Type.

  2. Click Next to proceed, then click OK in the dialog window that confirms a successful database connection.

For information about specifying connection credentials when connecting to an Oracle database, see Connection Credentials for Oracle Databases and Oracle Databases with Edition-Based Redefinition.

Specifying a Custom Prefix and Selecting Schemas

Select Create new prefix, specify a custom prefix, then expand IDM Schemas and select the Oracle Access Manager schema. This action automatically selects the following schemas as dependencies:

  • Common Infrastructure Services (STB)

  • Oracle Platform Security Services (OPSS)

  • Audit Services (IAU)

  • Audit Services Append (IAU_Append)

  • Audit Services Viewer (IAU_Viewer)

  • Metadata Services (MDS)

  • WebLogic Services (WLS)

The schema Common Infrastructure Services (STB) is automatically created. This schema is dimmed; you cannot select or deselect it. This schema enables you to retrieve information from RCU during domain configuration. For more information, see "Understanding the Service Table Schema" in Creating Schemas with the Repository Creation Utility.

Note:

You must invoke RCU twice. When you invoke RCU the first time select Database type as Oracle Database enabled for edition-based redefinition and load the EBR dependent components (STB, OPSS, IAU, IAU_Append, IAU_Viewer, MDS and WLS). When you invoke RCU the second time, select Database type as Oracle Database, provide the prefix used the first time, and select Oracle Access Manager only.

The custom prefix is used to logically group these schemas together for use in this domain only; you must create a unique set of schemas for each domain. Schema sharing across domains is not supported.

Tip:

For more information about custom prefixes, see "Understanding Custom Prefixes" in Creating Schemas with the Repository Creation Utility.

For more information about how to organize your schemas in a multi-domain environment, see "Planning Your Schema Creation" in Creating Schemas with the Repository Creation Utility.

Tip:

You must make a note of the custom prefix you choose to enter here; you will need this later on during the domain creation process.

Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Specifying Schema Passwords

On the Schema Passwords screen, specify how you want to set the schema passwords on your database, then enter and confirm your passwords.

Note:

For an Autonomous Transaction Processing database (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing Shared (ATP-S)), the schema password must be minimum 12 characters, and must contain at least one uppercase, one lower case, and one number.

You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.

Click Next.

Completing Schema Creation

Navigate through the remaining RCU screens to complete schema creation.

On the Map Tablespaces screen, the Encrypt Tablespace check box appears only if you enabled Transparent Data Encryption (TDE) in the database (Oracle or Oracle EBR) when you start the RCU.

To complete schema creation:
  1. On the Map Tablespaces screen, select Encrypt Tablespace if you want to encrypt all new tablespaces that the RCU creates.
  2. In the Completion Summary screen, click Close to dismiss the RCU.

    For an Autonomous Transaction Processing Shared (ATP-S) database, in the Map Tablespaces screen you must override the default tablespaces and the temporary tablespaces, and also override the additional tablespaces, if applicable. See Map Tablespaces.

    If you encounter any issues when you create schemas on an Autonomous Transaction Processing database (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing Shared (ATP-S)), see Troubleshooting Tips for Schema Creation on an Autonomous Transaction Processing Database in Creating Schemas with the Repository Creation Utility and Issues Related to Product Installation and Configuration on an Autonomous Database in Release Notes for Oracle Fusion Middleware Infrastructure.

Now you must invoke the RCU a second time. When you invoke RCU the first time selected Database type as Oracle Database enabled for edition-based redefinition and loaded the EBR-dependent components (STB, OPSS, IAU, IAU_Append, IAU_Viewer, MDS and WLS). Now you must invoke RCU the second time, select Database type as Oracle Database, provide the prefix used the first time, and select Oracle Access Manager only.

Configuring the Domain

Use the Configuration Wizard to create and configure a domain.

For information on other methods to create domains, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Parent topic: Configuring the Oracle Access Management Domain

Starting the Configuration Wizard

Start the Configuration Wizard to begin configuring a domain.

Note:

For an Autonomous Transaction Processing Shared (ATP-S) database, before you start the Configuration Wizard, you must set the TNS_ADMIN property using the following command:

export TNS_ADMIN=/<$ORACLE_HOME>/network/admin.

You must change $ORACLE_HOME to your Oracle Home location. For example: export TNS_ADMIN=/users/test/network/admin

Where, /users/test/ is the Oracle Home location.

To start the Configuration Wizard:

  1. Change to the following directory:

    (UNIX) ORACLE_HOME/oracle_common/common/bin

    (Windows) ORACLE_HOME\oracle_common\common\bin

    where ORACLE_HOME is your 14c (14.1.2.1.0) Oracle home.

  2. Enter the following command:

    (UNIX) ./config.sh

    (Windows) config.cmd

Parent topic: Configuring the Domain

Navigating the Configuration Wizard Screens to Create and Configure the Domain

Enter required information in the Configuration Wizard screens to create and configure the domain for the topology.

Note:

You can use this procedure to extend an existing domain. If your needs do not match the instructions in the procedure, be sure to make your selections accordingly, or see the supporting documentation for more details.

Parent topic: Configuring the Domain

Selecting the Domain Type and Domain Home Location

Use the Configuration Type screen to select a Domain home directory location, optimally outside the Oracle home directory.

Oracle recommends that you locate your Domain home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware, where the Domain home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or reinstall software.

Note:

Use different domain_homes for Oracle Access Management and Oracle Identity Governance.

To specify the Domain type and Domain home directory:

  1. On the Configuration Type screen, select Create a new domain.
  2. In the Domain Location field, specify your Domain home directory.

For more details about this screen, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Selecting the Configuration Templates for Oracle Access Management

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the template Oracle Access Management Suite - 14.1.2.1.0 [idm].

Selecting this template automatically selects the following as dependencies:

  • Oracle Enterprise Manager - 14.1.2.0.0 [em]

  • Oracle JRF - 14.1.2.0.0 [oracle_common]

  • WebLogic Coherence Cluster Extension - 14.1.2.0.0 [wlsserver]

Note:

The basic WebLogic domain is pre-selected.

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Selecting the Application Home Location

Use the Application Location screen to select the location to store applications associated with your domain, also known as the Application home directory.

Oracle recommends that you locate your Application home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware, where the Application home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or re-install your software.

For more about the Application home directory, see About the Application Home Directory.

For more information about this screen, see Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Configuring the Administrator Account

Use the Administrator Account screen to specify the username and password for the default WebLogic Administrator account for the domain.

Oracle recommends that you make a note of the username and password that you enter on this screen; you need these credentials later to boot and connect to the domain's Administration Server.

Specifying the Domain Mode and JDK

Use the Domain Mode and JDK screen to specify the domain mode and Java Development Kit (JDK) for your production environment.

On the Domain Mode and JDK screen:

  • Select Production in the Domain Mode field.

  • Disable secured mode for the domain by selecting the Disable Secure Mode check-box.

  • Select the Oracle HotSpot JDK in the JDK field.

For more information about this screen, see Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard.
Specifying the Database Configuration Type

Use the Database Configuration type screen to specify details about the database and database schema.

On the Database Configuration type screen, select RCU Data. This option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for schemas needed to configure the domain.

Note:

If you select Manual Configuration on this screen, you must manually fill in parameters for your schema on the next screen.

For an Autonomous Transaction Processing database, (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing Shared (ATP-S)), you must select only the RCU Data option.

After selecting RCU Data, specify details in the following fields:

Field Description

Host Name

Enter the name of the server hosting the database.

Example: examplehost.exampledomain.com

DBMS/Service

Enter the database DBMS name, or service name if you selected a service type driver.

Example: orcl.exampledomain.com

Port

Enter the port number on which the database listens.

Example: 1521

Schema Owner

Schema Password

Enter the username and password for connecting to the database's Service Table schema. This is the schema username and password entered for the Service Table component on the Schema Passwords screen in the RCU (see Specifying Schema Passwords).

The default username is prefix_STB, where prefix is the custom prefix that you defined in the RCU.

For an Autonomous Transaction Processing database (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format described in Connection Credentials for an Autonomous Transaction Processing Database.

Click Get RCU Configuration when you finish specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded: 

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

For more information about the schema installed when the RCU is run, see About the Service Table Schema in Creating Schemas with the Repository Creation Utility.

See Database Configuration Type in Creating WebLogic Domains Using the Configuration Wizard .

Specifying JDBC Component Schema Information

Use the JDBC Component Schema screen to verify or specify details about the database schemas.

Verify that the values populated on the JDBC Component Schema screen are correct for all schemas. If you selected RCU Data on the previous screen, the schema table should already be populated appropriately. If you selected Manual configuration on the Database Configuration screen, you must configure the schemas listed in the table manually, before you proceed.

Note:

If you create schemas as a user with limited privileges and select RCU Data, you must manually replace the auto-populated values for Oracle Access Manager (OAM) and Oracle WebLogic Server only.

For Oracle WebLogic Server, ensure that you use the same schema prefix that you specified when you created schemas for components that support EBR and those that do not. For more information, see Creating Schemas for Oracle Access Manager As a User with Limited Database Privileges.

For an Autonomous Transaction Processing database (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing Shared (ATP-S)), specify the connection credentials using only the Connection URL String option, and enter the connect string in the following format: 

@TNS_alias?TNS_ADMIN=<path of the wallet files, ojdbc.properties, and tnsnames.ora>

In the connect string, you must pass TNS_alias as the database service name found in tnsnames.ora, and TNS_ADMIN property to the location of the wallet files, ojdbc.properties, and tnsnames.ora.

Example connect string for Autonomous Transaction Processing-Dedicated (ATP-D) database:

@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/

Example connect string for Autonomous Transaction Processing Shared (ATP-S) database:

@dbname_tp?TNS_ADMIN=/users/test/wallet_dbname/

For high availability environments, see the following sections in High Availability Guide for additional information on configuring data sources for Oracle RAC databases:

See JDBC Component Schema in Creating WebLogic Domains Using the Configuration Wizard for more details about this screen.

Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.

By default, the schema password for each schema component is the password you specified while creating your schemas.

For more information about this screen, see JDBC Component Schema Test in Creating WebLogic Domains Using the Configuration Wizard.

Selecting Advanced Configuration

Use the Advanced Configuration screen to complete the domain configuration.

On the Advanced Configuration screen, select:

  • Administration Server

    Required to properly configure the listen address of the Administration Server.

  • Node Manager

    Required to configure Node Manager.

  • Topology

    Required to configure the Oracle Access Management Managed Server.

Optionally, select other available options as required for your desired installation environment. The steps in this guide describe a standard installation topology, but you may choose to follow a different path. If your installation requirements extend to additional options outside the scope of this guide, you may be presented with additional screens to configure those options. For information about all Configuration Wizard screens, see Configuration Wizard Screens in Creating WebLogic Domains Using the Configuration Wizard.

Configuring the Administration Server Listen Address

Use the Administration Server screen to select the Listen Address and configure the Administration Server ports.

Note:

The default port values will vary depening on how you conifigured your domain. The Enable SSL Listen Port is enabled by default, but the default values may change. For a list of default values, see Port Numbers by Product and Component.

  1. Provide a name for the Administration Server. The name field must not be null or empty and cannot contain any special characters.
  2. Select the drop-down list next to Listen Address and select the IP address of the host where the Administration Server will reside or use the system name or DNS name that maps to a single IP address. Do not use All Local Addresses.
  3. Verify the port settings. When the domain type is set to Production, then the Enable SSL Listen Port option is enabled by default. Do not specify any server groups for the Administration Server.

    Note:

    You can change the port values as needed, but they must be unique. If the same port numbers are used for different ports, you will not be able to navigate to the next step in the Configuration Wizard.

For more information, see Specifying the Listen Address in Creating WebLogic Domains Using the Configuration Wizard.

Configuring Node Manager

Use the Node Manager screen to select the type of Node Manager you want to configure, along with the Node Manager credentials.

Select Per Domain Default Location as the Node Manager type, then specify Node Manager credentials.

For more information about this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more information about Node Manager types, see About Node Manager in Administering Node Manager for Oracle WebLogic Server.

Configuring Managed Servers for Oracle Access Management

On the Managed Servers screen, the new Managed Servers named oam_server_1 and oam_policy_mgr1 are displayed:

  1. In the Listen Address drop-down list, select the IP address of the host on which the Managed Server will reside or use the system name or DNS name that maps to a single IP address. Do not use "All Local Addresses."
  2. In the Server Groups drop-down list, select the server group for your managed server. By default, OAM-MGD-SVRS is selected for oam_server1 and OAM-POLICY-MANAGED-SERVER is selected for oam_policy_mgr1.

    Server groups target Fusion Middleware applications and services to one or more servers by mapping defined application service groups to each defined server group. A given application service group may be mapped to multiple server groups if needed. Any application services that are mapped to a given server group are automatically targeted to all servers that are assigned to that group. For more information, see "Application Service Groups, Server Groups, and Application Service Mappings" in Domain Template Reference.

  3. Configuring a second Managed Server is one of the steps needed to configure the standard topology for high availability. If you are not creating a highly available environment, then this step is optional.
    Click Clone and repeat this process to create a second Managed Server named oam_policy_mgr2.

    Note:

    If you wish to configure additional Managed Servers, use the Clone option and add the Managed Server. For example, if we want to configure oam_server2, click Clone and select oam_server1 to clone this server. Do not use the add option to add a new Managed Server.

    Configuring a second Managed Server is one of the steps needed to configure the standard topology for high availability. If you are not creating a highly available environment, then this step is optional.

    For more information about the high availability standard topology, see "Understanding the Fusion Middleware Standard HA Topology" in High Availability Guide.

    For more information about the next steps to prepare for high availability after your domain is configured, see Preparing Your Environment for High Availability.

These server names and will be referenced throughout this document; if you choose different names be sure to replace them as needed.

Tip:

More information about the options on this screen can be found in Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.

Configuring a Cluster for Oracle Access Management

Use the Clusters screen to create a new cluster.

Note:

If you are configuring a non-clustered setup on a single node, skip this screen.

On the Clusters screen:

  1. Click Add.
  2. Specify oam_cluster_1 in the Cluster Name field for oam_server. For oam_policy_mgr server, you must create another cluster, for example, oam_policy_cluster.
  3. For the Cluster Address field, specify the ipaddress/hostname:port. For example:
    oam_server1_host_ip_address:oam_server1_portnumber
    oam_server2_host_ip_address:oam_server2_portnumber

By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, see Considerations for Choosing Unicast or Multicast in Administering Clusters for Oracle WebLogic Server.

You can also create clusters using Fusion Middleware Control. In this case, you can configure cluster communication (unicast or multicast) when you create the new cluster. See Create and configure clusters in Oracle WebLogic Server Administration Console Online Help.

For more information about this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Defining Server Templates

If you are creating dynamic clusters for a high availability setup, use the Server Templates screen to define one or more server templates for the domain.

To add Server Templates:

Note:

The default port values will vary depening on how you conifigured your domain. The Enable SSL Listen Port is enabled by default, but the default values may change. For a list of default values, see Port Numbers by Product and Component.

  1. Click Add to create new_ServerTemplate_1. The server template name will increment automatically when an additional server template is added (new_ServerTemplate_2).
  2. For Secure Production Mode, verify that the Enable SSL Port option is selected. The default SSL Listen Port does not increment automatically when a new server template is added. You can change the default to Enable Listen Port, but Oracle recommends that retain the default to enable SSL. Enabling Listen Port disables SSL Listen Port.

    Note:

    You can change the port values as needed using an integer in the range of 1 and 65535, but they must be unique. If the same port numbers are used for different ports, you will receive a port conflict error and you will not be able to start the server.

  3. The Administration Port does not increment when an additional server template is added.

    Note:

    If the Listen ports are disabled, then instead of seeing a number you will see Disabled.

For steps to create a dynamic cluster for a high availability setup, see Using Dynamic Clusters in High Availability Guide.

Configuring Dynamic Servers

You can skip this screen for Oracle Access Management configuration.

Click Next and proceed.
Assigning Oracle Access Management Managed Servers to the Cluster

If you are configuring a non-clustered setup, click Next and go to next screen. Use the Assign Servers to Clusters screen to assign Managed Servers to a new configured cluster. A configured cluster is a cluster you configure manually. You do not use this screen if you are configuring a dynamic cluster, a cluster that contains one or more generated server instances that are based on a server template.

For more information on configured cluster and dynamic cluster terms, see About Dynamic Clusters in Understanding Oracle WebLogic Server.

On the Assign Servers to Clusters screen:

  1. In the Clusters pane, select the cluster to which you want to assign the Managed Servers; in this case, oam_cluster_1.
  2. In the Servers pane, assign oam_server_1 to oam_cluster_1 by doing one of the following:

    • Click once on oam_server_1 to select it, then click the right arrow to move it beneath the selected cluster (oam_cluster_1) in the Clusters pane.

    • Double-click on oam_server_1 to move it beneath the selected cluster (oam_cluster_1) in the Clusters pane.

  3. Repeat to assign oam_policy_mgr1 to oam_policy_cluster.

For more information about this screen, see Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster.

Leave the default port number as the Coherence cluster listen port. After configuration, the Coherence cluster is automatically added to the domain.

Note:

Setting the unicast listen port to 0 creates an offset for the Managed Server port numbers. The offset is 5000, meaning the maximum allowed value that you can assign to a Managed Server port number is 60535, instead of 65535.

For Coherence licensing information, see Oracle Coherence Products in Licensing Information.

Creating a New Oracle Access Management Machine

Use the Machines screen to create new machines in the domain. A machine is required so that Node Manager can start and stop servers.

If you plan to create a high availability environment and know the list of machines your target topology requires, you can follow the instructions in this section to create all the machines at this time. For more about scale out steps, see Optional Scale Out Procedure in High Availability Guide.

To create a new Oracle Access Management machine so that Node Manager can start and stop servers:
  1. Select the Machine tab (for Windows) or the UNIX Machine tab (for UNIX), then click Add to create a new machine.
  2. In the Name field, specify a machine name, such as oam_machine_1.
  3. In the Node Manager Listen Address field, select the IP address of the machine in which the Managed Servers are being configured.

    You must select a specific interface and not localhost. This allows Coherence cluster addresses to be dynamically calculated.

  4. Verify the port in the Node Manager Listen Port field.
  5. Repeat these steps to add more machines, if required.

Note:

If you are extending an existing domain, you can assign servers to any existing machine. It is not necessary to create a new machine unless your situation requires it.

For more information about this screen, see Machines in Creating WebLogic Domains Using the Configuration Wizard.

Assigning Servers to Oracle Access Management Machines

Use the Assign Servers to Machines screen to assign the Administration Server and Managed Servers to the new machine you just created.

On the Assign Servers to Machines screen:

  1. In the Machines pane, select the machine to which you want to assign the servers; in this case, oam_machine_1.
  2. In the Servers pane, assign AdminServer to oam_machine_1 by doing one of the following:

    • Click once on AdminServer to select it, then click the right arrow to move it beneath the selected machine (oam_machine_1) in the Machines pane.

    • Double-click on AdminServer to move it beneath the selected machine (oam_machine_1) in the Machines pane.

  3. Repeat these steps to assign all Managed Servers to their respective machines.

For more information about this screen, see Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Virtual Targets

You can skip this screen for Oracle Access Management configuration.

Click Next and proceed.

Partitions

The Partitions screen is used to configure partitions for virtual targets in WebLogic Server Multitenant (MT) environments. Select Next without selecting any options.

For details about options on this screen, see Partitions in Creating WebLogic Domains Using the Configuration Wizard.

Configuring Domain Frontend Host

The Domain Frontend Host screen can be used to configure the frontend host for the domain.

Select Plain or SSL and specify the respective host value.

Click Next.

Targeting the Deployments

The Deployments Targeting screen can be used to target the available deployments to the servers.

Make the required modifications, and click Next.
Targeting the Services

The Services Targeting screen can be used to target the available services to the Servers.

Make necessary modifications, and click Next.
Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen shows detailed configuration information for the domain you are about to create.

Review each item on the screen and verify that the information is correct. To make any changes, go back to a screen by clicking the Back button or selecting the screen in the navigation pane. Domain creation does not start until you click Create.

For more details about options on this screen, see Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Writing Down Your Domain Home and Administration Server URL

The End of Configuration screen shows information about the domain you just configured.

Make a note of the following items because you need them later:

  • Domain Location

  • Administration Server URL

You need the domain location to access scripts that start Node Manager and Administration Server, and you need the URL to access the Administration Server.

Click Finish to dismiss the Configuration Wizard.

Updating the System Properties for SSL Enabled Servers

For SSL enabled servers, you must set the required properties in the setDomainEnv file in the domain home.

Locate the JAVA_OPTIONS section in the DOMAIN_HOME/bin/setDomainEnv.sh file (for UNIX) or DOMAIN_HOME\bin\setDomainEnv.cmd (for Windows), and add the following properties before you start the servers:

  • -Dweblogic.security.SSL.ignoreHostnameVerification=true

  • -Dweblogic.security.TrustKeyStore=DemoTrust

Parent topic: Configuring the Domain

Starting the Servers

After a successful configuration, start all processes and servers, including the Administration Server and any Managed Servers.

The components may be dependent on each other so they must be started in the correct order.

Note:

The procedures in this section describe how to start servers and processes using the WLST command-line utility or a script. You can also use the Oracle Fusion Middleware Control and the Oracle WebLogic Server Remote Console. See Starting and Stopping Administration and Managed Servers and Node Manager.

As of release 14c (14.1.2.0.0), the WebLogic Server Administration Console has been removed. For comparable functionality, you should use the WebLogic Remote Console. For more information, see Oracle WebLogic Remote Console.

To start your Fusion Middleware environment, follow the steps below.

Step 1: Start Node Manager

To start Node Manager, use the startNodeManager script:

  • (UNIX) DOMAIN_HOME/bin/startNodeManager.sh

  • (Windows) DOMAIN_HOME\bin\startNodeManager.cmd

Step 2: Start the Administration Server

Note:

Depending on your existing security settings, you may need to perform additional configuration before you can manage a domain with secured production mode enabled. For more information, see Connecting to the Administration Server using WebLogic Remote Console

.

To start the Administration Server, use the startWebLogic script:

  • (UNIX) DOMAIN_HOME/bin/startWebLogic.sh

  • (Windows) DOMAIN_HOME\bin\startWebLogic.cmd

When you created the domain, if you selected Production Mode on the Domain Mode and JDK screen, a prompt for the Administrator user login credentials is displayed. Provide the same credentials that you provided on the Administrator Account screen.

Note:

For an Autonomous Transaction Processing database (both Autonomous Transaction Processing-Dedicated (ATP-D) and Autonomous Transaction Processing-Dedicated (ATP-S)), a benign error message may be displayed in the Administration Server logs.

Example message:

<AdminServer> <[ACTIVE] ExecuteThread: '63' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> 
<16023522-e47f-40f4-a66f-7ea3729188d1-00000064> <1628079696204> 
<[severity-value: 8] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-240003> <Administration Console encountered the following error: 
java.lang.NoSuchMethodError: 
org.glassfish.jersey.internal.LocalizationMessages.WARNING_PROPERTIES()Ljava/l ang/String; at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationModel.getProperties(SystemPropertiesConfigurationModel.java:122) at
org.glassfish.jersey.internal.config.SystemPropertiesConfigurationProvider.getProperties(SystemPropertiesConfigurationProvider.java:29) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.readExternalPropertiesMap(ExternalPropertiesConfigurationFactory.java:55) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFactory.configure(ExternalPropertiesConfigurationFactory.java:72) at
org.glassfish.jersey.internal.config.ExternalPropertiesConfigurationFeature.configure(ExternalPropertiesConfigurationFeature.java:26) at
org.glassfish.jersey.model.internal.CommonConfig.configureFeatures(CommonConfig.java:730)

This error message does not have any functional impact and can be ignored.

Step 3: Start the Managed Servers

Note:

When using secured production mode, you must provide additional parameters to start the Managed Servers. See Starting Managed Servers using a Start Script in Administering Security for Oracle WebLogic Server.

To start a WebLogic Server Managed Server, use the startManagedWebLogic script: 

(UNIX) DOMAIN_HOME/bin/startManagedWebLogic.sh managed_server_name admin_url
(Windows) DOMAIN_HOME\bin\startManagedWebLogic.cmd managed_server_name admin_url

When prompted, enter your user name and password. This is the same user name and password which you provided in administrator account screen when creating the domain.

Parent topic: Configuring the Oracle Access Management Domain

Verifying the Configuration

After completing all configuration steps, you can perform additional steps to verify that your domain is properly configured.

You can start using the functionality of Oracle Access Management after you successfully configure it. See Getting Started with Oracle Access Management in Administering Oracle Access Management.

For information about integrating Oracle Access Management with other Identity Management components, see Introduction to IdM Suite Components Integration in Integration Guide for Oracle Identity Management Suite.

For more information about performing additional domain configuration tasks, see Performing Additional Domain Configuration Tasks.

Parent topic: Configuring the Oracle Access Management Domain

Setting the Memory Parameters for OAM Domain (Optional)

If the initial startup parameter in Oracle Access Management domain, which defines the memory usage, is insufficient, you can increase the value of this parameter.

To change the memory allocation setting, do the following:
  1. Edit the Domain_home/bin/setUserOverrides.sh file to add the following line:
    MEM_ARGS="-Xms1024m -Xmx3072m"
  2. Save and close the file.
  3. Change the following memory allocation by updating the Java maximum memory allocation pool (Xmx) to 3072m and initial memory allocation pool (Xms) to 1024m. For example, change the following line to be:
    WLS_MEM_ARGS_64BIT="-Xms1024m -Xmx3072m"
  4. Save and close the file.

Parent topic: Configuring the Oracle Access Management Domain

Troubleshooting

This section lists the common issues encountered while configuring Oracle Access Management and their workarounds.

Topics

Parent topic: Configuring the Oracle Access Management Domain

Authentication Policy Advance Rule Creation Not Working with JDK 21

After installing and configuring an Oracle Access Management domain in 14c (14.1.2.1.0), there is an error when attempting to create Authentication policy with Pre-Authentication rule when using JDK 21.

Issue:

When using the OAM console to apply authentication policies, the following error can be seen in the Admin server logs:

Caused by:
        java.lang.ExceptionInInitializerError: Exception java.lang.InternalError:
        java.lang.UnsatisfiedLinkError: Can't load library:
        /home/reaugust/.cache/org.graalvm.polyglot/engine/libtruffleattach/855be25834bb645ea86aa0d0e83e8f1d55c8d56bb5e7858a90f48bfcf638e541/bin/libtruffleattach.so
        [in thread "[ACTIVE] ExecuteThread: '39' for queue: 'weblogic.kernel.Default
        (self-tuning)'"]

Cause:

Fails to refresh Graalvm cache when starting Admin and managed servers.

Solution:

1. Stop the OAM Admin and managed server.

2. Delete graalvm cache "<user_home_directory>/.cache/org.graalvm.polyglot/".

3. Restart OAM admin and managed servers.

4. Reapply the authentication policies and save.

Parent topic: Troubleshooting

WADL Generation Does not Show Description

Issue

WADL generation fails and a java.lang.IllegalStateException: ServiceLocatorImpl is returned. 
Exception thrown when provider 
class org.glassfish.jersey.server.internal.monitoring.MonitoringFeature$StatisticsListener 
was processing MonitoringStatistics. Removing provider from further processing.
java.lang.IllegalStateException: ServiceLocatorImpl(__HK2_Generated_6,9,221656053) has been shut down 
at org.jvnet.hk2.internal.ServiceLocatorImpl.checkState(ServiceLocatorImpl.java:2393)
Also, when the WADL generation fails, the description field shows Root Resource, instead of a proper description in the following URLs.

http://<Host>:<AdminServerPort>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/application.wadl
http://<Host>:<ManagedServerPort>/iam/access/api/v1/health/application.wadl

Resolution

Restart the Admin server and managed servers to resolve the wadl issue.

Parent topic: Troubleshooting

MDS ReadOnlyStoreException in OAM Policy Manager Diagnostic log

After you configure Oracle Access Management 14c (14.1.2.1.0), when you start the servers, the following exception is seen in the Administration Server and OAM Policy Manager diagnostic logs: 

oracle.mds.exception.ReadOnlyStoreException: MDS-01273: 
The operation on the  resource /oracle/oam/ui/adfm/DataBindings.cpx 
failed because source metadata  store mapped to the namespace / DEFAULT 
is read only.

Parent topic: Troubleshooting

Ignorable Warnings in the Administration Server Logs

After you configure Oracle Access Management 14c (14.1.2.1.0), when you start the Administration Server, the following warning are seen in the Administration Server logs: 

<Warning> <oracle.adfinternal.view.faces.renderkit.rich.NavigationPaneRenderer> 
<adc2140146> <AdminServer> <[ACTIVE] ExecuteThread: '42' for queue: 
'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <b6ba191d-9c3f-44ce-ad9d-64bd7123baf5-000000e3> 
<1502889425767> <[severity-value: 16] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-000000> <Warning: There are no items to render for this level> 
####<Aug 16, 2017 6:17:06,241 AM PDT> <Warning> <org.apache.myfaces.trinidad.component.UIXFacesBeanImpl>

This has no impact on the functionality, and therefore you can ignore it.

After installing Oracle Access Management, go to Chapter 5: Next Steps After Configuring the Domain.

Parent topic: Troubleshooting