Using the idmConfigTool Command

C Using the idmConfigTool Command

The IdM configuration tool (idmConfigTool) performs a number of tasks to assist in installing, configuring, and integrating Oracle identity management (IdM) components. This appendix explains how to use the tool.

Note:

This appendix does not contain actual integration procedures; rather, it contains idmConfigTool command syntax and related details. Use this appendix as a reference whenever you are executing idmConfigTool as directed by your integration procedure or task.
Ensure that the LDAP server, as well as the admin servers hosting OAM, OIM are up before you run idmConfigTool

This appendix contains these sections:

C.1 About idmConfigTool

This section contains these topics:

C.1.1 What is idmConfigTool?

The idmConfigTool helps you to perform the following tasks efficiently:

To validate configuration properties representing the Identity Management components Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Unified Directory (OUD), Oracle Access Manager (OAM) and Oracle Identity Governance (OIG).
To pre-configure the Identity Store components (OID, OVD, and OUD) to install the other Identity Management components, including OAM, OIG, and Oracle Access Management Mobile and Social.
To post-configure the OAM, OIG components and wiring of those components.
To extract the configuration of the Identity Management components OID, OVD, OUD, OAM, and OIG.

See Also:

idmConfigTool Command Syntax.

C.1.2 Components Supported by idmConfigTool

idmConfigTool supports these 11g components:

Oracle Internet Directory
Oracle Virtual Directory
Oracle Access Manager
Oracle Identity Management
Oracle Unified Directory (OUD)
Oracle Access Management Mobile and Social

C.1.3 When to Use idmConfigTool

Use idmConfigTool in these situations:

Prior to installing Oracle Identity Management and Oracle Access Manager
After installing Oracle Identity Management and Oracle Access Manager
After installing Oracle Access Management Mobile and Social
When dumping the configuration of IdM components Oracle Internet Directory, Oracle Unified Directory, Oracle Virtual Directory, Oracle Identity Management, and Oracle Access Manager
When validating the configuration parameters for Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Management, and Oracle Access Manager

What is idmConfigTool? explains the tasks the tool performs in each situation.

C.1.4 Location of idmConfigTool

The idmConfigTool is located at:

IAM_ORACLE_HOME/idmtools/bin

where IAM_ORACLE_HOME is the directory in which OIM and OAM are installed.

To execute idmConfigTool on Linux

cd <IAM_ORACLE_HOME>/idmtools/bin
./idmConfigTool.sh

To execute idmConfigTool on Windows

cd <IAM_ORACLE_HOME>\idmtools\bin
idmConfigTool.cmd

C.1.5 Webgate Types Supported by idmConfigTool

The idmConfigTool supports OAM 11g Webgates by default. It also supports 10g Webgates.

C.1.6 idmConfigTool in Single- and Cross-Domain Scenarios

The tool supports two types of scenarios with regard to Weblogic domains:

A single-domain configuration in which both Access Manager and Oracle Identity Management servers are configured in the same Weblogic domain
A dual or cross-domain configuration in which Access Manager and Oracle Identity Management servers are configured on separate Weblogic domains

C.2 Set Up Environment Variables for OIG-OAM Integration

You must configure the environment before running the 'idmConfigTool.

Set the following variables:

Table C-1 Environment Variables for OIGOAMIntegration script.

Variable Description

Variable	Description
`WL_HOME`	Not mandatory. It is set to `MW_HOME/wlserver_10.3` by default, and this setting is used. See `MW_HOME` for an example.
`JAVA_HOME`	This is the full path of the JDK directory. If running on IBM WebSphere, this variable must point to the IBM JDK. Set the value to the full path of the JDK. For example: `/WASSH/WebSphere/AppServer/java` Important: On IBM WebSphere, do not use a JDK other than the IBM JDK.
`ORACLE_HOME`	Set to the full path of the Oracle home. For IdM integrations, set to `IAM_ORACLE_HOME`.

WL_HOME

Not mandatory. It is set to MW_HOME/wlserver_10.3 by default, and this setting is used.

See MW_HOME for an example.

JAVA_HOME

This is the full path of the JDK directory.

If running on IBM WebSphere, this variable must point to the IBM JDK. Set the value to the full path of the JDK. For example:

/WASSH/WebSphere/AppServer/java

Important: On IBM WebSphere, do not use a JDK other than the IBM JDK.

ORACLE_HOME

Set to the full path of the Oracle home. For IdM integrations, set to IAM_ORACLE_HOME.

C.3 idmConfigTool Syntax and Usage

This section contains these topics:

C.3.1 idmConfigTool Command Syntax

The tool has the following syntax on Linux:

idmConfigTool.sh -command   input_file=filename log_file=logfileName log_level=log_level

The tool has the following syntax on Windows:

idmConfigTool.bat -command   input_file=filename log_file=logfileName log_level=log_level

Values for command are as follows:

Command	Component name	Description
`preConfigIDStore`	Identity Store	Configures the identity store and policy store by creating the groups and setting ACIs to the various containers.
`prepareIDStore mode=` `OAM` `OIM` `WLS WAS` `FUSION` `OAAM` `APM` `all`	Identity Store	Configures the identity store by adding necessary users and associating users with groups. Modes enable you to configure for a specific component. You can run this command on Oracle WebLogic Server (mode=WLS) or IBM WebSphere (mode=WAS).
`configPolicyStore`	Policy Store	Configures policy store by creating read-write user and associates them to the groups.
`configOAM`	Oracle Access Manager Oracle Identity Management	Prepares Access Manager for integration with Oracle Identity Governance.
`configOIM`	Oracle Access Manager Oracle Identity Management	Sets up wiring between Access Manager and Oracle Identity Governance.
`configOMSS`	Oracle Access Management Mobile and Social	Performs post-install configuration for Oracle Access Management Mobile and Social
`configOVD`	Oracle Virtual Directory	Creates OVD adapters.
`disableOVDAccessConfig`	Oracle Virtual Directory	Disables anonymous access to the OVD server. Post-upgrade command. Note: `configOVD` performs this task automatically when run.
`postProvConfig`	Identity Store	Performs post-provisioning configuration of the identity store.
`validate` `IDSTORE` `POLICYSTORE` `OAM11g` `OAM10g` `OIM`	Various	Validates the set of input properties for the named entity.
`ovdConfigUpgrade`	Oracle Virtual Directory	Updates the configuration for an upgraded OVD with split profile.
`upgradeLDAPUsersForSSO`	Oracle Identity Management Access Manager	Updates existing users in OID by adding certain object classes which are needed for Oracle Identity Management-Access Manager integration.
`upgradeOIMTo11gWebgate`	Oracle Identity Management Access Manager	Upgrades an existing configuration consisting of integrated Oracle Identity Management-Access Manager, using Webgate 10g, to use Webgate 11g

C.3.2 Requirements for Running idmConfigTool

You must run this tool as a user with administrative privileges when configuring the identity store or the policy store.

The validate command requires a component name.

Caution:

The commands cannot be run in isolation. Run them in the context of explicit integration procedures; use this appendix only as a command reference.

C.3.3 Files Generated by idmConfigTool

idmConfigTool creates or updates certain files upon execution.

Parameter File

When you run the idmConfigTool, the tool creates or appends to the file idmDomainConfig.param in the directory from which you run the tool. To ensure that the same file is appended to each time the tool is run, always run idmConfigTool from the directory:
```
IAM_ORACLE_HOME/idmtools/bin
```
Log File

You can specify a log file using the log_file attribute of idmConfigTool.

If you do not explicitly specify a log file, a file named automation.log is created in the directory where you run the tool.

Check the log file for any errors or warnings and correct them.

C.3.4 Using the Properties File for idmConfigTool

This section describes the properties file that can be used with idmConfigTool.

C.3.4.1 About the idmConfigTool properties File

A properties file provides a convenient way to specify command properties and enable you to save properties for reference and later use. You can specify a properties file, containing execution properties, as input command options. The properties file is a simple text file which must be available at the time the command is executed.

For security you are advised not to insert passwords into the properties file. The tool prompts you for the relevant passwords at execution.

C.3.4.2 List of idmConfigTool Properties

Table C-2 lists the properties used by integration command options in the idmConfigTool command. The properties are listed in alphabetical order.

WARNING:

For security, do not put password values in your properties files. idmConfigTool prompts for passwords upon execution.

Table C-2 Properties Used in IdMConfigtool properties Files

Parameter	Example Value	Description
`ACCESS_GATE_ID`	`IdentityManagerAccessGate`	The Access Manager access gate ID with which Oracle Identity Management needs to communicate.
`ACCESS_SERVER_HOST`	`mynode.us.example.com`	Access Manager Access Server host name
`ACCESS_SERVER_PORT`	`5575`	Access Manager NAP port.
`APNS_FILE`	/scratch/silent_omsm/keystores/APNS.p12	Apple Push Notification Service (APNS) keystore file; used to establish secure connection to Apple server to send notifications.
`APNS_KEYSTORE_PASSWD`		APNS keystore password.
`APPLE_CACERT_FILE`	`/scratch/omss/keystores/applerootca.crt`	File location of Apple root CA. Required during iOS device enrollment in Oracle Mobile Security Suite (OMSS).
`AUTOLOGINURI`	`/obrar.cgi`	URI required by Oracle Platform Security Services (OPSS). Default value is `/obrar.cgi`
`COOKIE_DOMAIN`	`.us.example.com`	Web domain on which the Oracle Identity Management application resides. Specify the domain in the format `.cc.example.com`.
`COOKIE_EXPIRY_INTERVAL`	-1	Cookie expiration period. Set to -1 to denote that the cookie expires when the session is closed.
`DB_PASSWD`		Database password, used in conjunction with JDCB_URL.
`DOMAIN_LOCATION`	`ORACLE_BASE /admin/IDMDomain/aserver/IDMDomain`	The location of the Oracle Identity Governance domain (and OMSM, if applicable).
`DOMAIN_NAME`	`IDM_Domain`	The Oracle Identity Governance domain name.
`EMAIL_ADMIN_USER`	admin@example.com	E-mail admin user; must be an e-mail address.
`EMAIL_ADMIN_PASSWD`		Email admin user's password
`EXCHANGE_DOMAIN_NAME`	example.com	Domain name of the exchange server.
`EXCHANGE_SERVER_URL`	http://testuri.com	URL of the exchange server.
`EXCHANGE_LISTENER_URL`	http://testuri.com	URL of the exchange listener.
`EXCHANGE_SERVER_VERSION`	2.0	The version of the exchange server.
`EXCHANGE_ADMIN_USER`	serviceuser	Admin user of the exchange server.
`EXCHANGE_ADMIN_PASSWD`		Password of the exchange server's admin user.
`GCM_API_KEY`	AIzaSyCh_JALj5Y	GCM notification API key.
`GCM_SENDER_ID`	6.10046E+11	GCM notification sender ID.
`IDSTORE_ADMIN_PORT`	`4444`	The admin port for an Oracle Unified Directory (OUD) identity store. `idmConfigTool` needs to connect on the OUD admin port for all operations changing OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_HOST`	`idstore.example.com`	Host name of the LDAP identity store directory (corresponding to the `IDSTORE_DIRECTORYTYPE`). If your identity store is in Oracle Internet Directory or Oracle Unified Directory, then `IDSTORE_HOST` points directly to the Oracle Internet Directory or Oracle Unified Directory host. If the Identity Store is fronted by Oracle Virtual Directory, then `IDSTORE_HOST` points to the Oracle Virtual Directory host, which is `IDSTORE`.`example`.`com`.
`IDSTORE_PORT`	`1389`	Port number of the LDAP identity store (corresponding to the IDSTORE_DIRECTORYTYPE).
`IDSTORE_BINDDN`	cn=orcladmin	Administrative user in the identity store directory.
`IDSTORE_USERNAMEATTRIBUTE`	cn	Username attribute used to set and search for users in the identity store. Set to part of the user DN. For example, if the user DN is `cn=orcladmin,cn=Users,dc=us,dc=example,dc=com`, this property is set to `cn`.
`IDSTORE_LOGINATTRIBUTE`	uid or `email`	Login attribute of the identity store which contains the user's login name. This is the attribute the user uses for login.
`IDSTORE_USERSEARCHBASE`	cn=Users,dc=us,dc=example,dc=com	Location in the directory where users are stored. This property tells the directory where to search for users.
`IDSTORE_SEARCHBASE`	dc=us,dc=example,dc=com	Search base for users and groups contained in the identity store. Parent location that contains the `USERSEARCHBASE` and the `GROUPSEARCHBASE`. For example: IDSTORE_SEARCHBASE: cn=oracleAccounts, dc=example,dc=com IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
`IDSTORE_GROUPSEARCHBASE`	cn=Groups,dc=us,dc=example,dc=com	The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.
`IDSTORE_OAMSOFTWAREUSER`	oamLDAP	The username used to establish the Access Manager identity store connection. This user is created by the `idmconfigtool`.
`IDSTORE_OAMADMINUSER`	oamadmin	The identity store administrator you want to create for Access Manager. Required only if the identity store is set as the system identity store. The administrator is created by the `idmconfigtool`.
`IDSTORE_OAAMADMINUSER`	oaamadmin	The identity store administrator for Oracle Adaptive Access Manager.
`IDSTORE_PROFILENAME`	idsprofile	Name of the identity store profile.
`IDSTORE_SYSTEMIDBASE`	cn=system, dc=test	Location of a container in the directory where system operations users are stored so that they are kept separate from enterprise users stored in the main user container. There are only a few system operations users. One example is the Oracle Identity Management reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.
`IDSTORE_READONLYUSER`		User with read-only permissions to the identity store.
`IDSTORE_READWRITEUSER`		User with read-write permissions to the identity store.
`IDSTORE_SUPERUSER`		The Oracle Fusion Applications superuser in the identity store.
`IDSTORE_XELSYSADMINUSER`		The administrator of the xelsysadm system account.
`IDSTORE_OIMADMINUSER`		The identity store administrator for Oracle Identity Governance. User that Oracle Identity Governance uses to connect to the identity store
`IDSTORE_OIMADMINGROUP`		The Oracle Identity Governance administrator group you want to create to hold your Oracle Identity Governance administrative users.
`IDSTORE_SSL_ENABLED`		Whether SSL to the identity store is enabled. Valid values: true \| false
`IDSTORE_KEYSTORE_FILE`	`OUD_ORACLE_INSTANCE /OUD/config/admin-keystore`	Location of the keystore file containing identity store credentials. Applies to and required for Oracle Unified Directory identity stores.
`IDSTORE_KEYSTORE_PASSWORD`	4VYGtJLG61V5OjDWKe94e601x7tgLFs	Password of the identity store directory administrator. Not plain-text. Applies to and required for Oracle Unified Directory identity stores. This value can be found in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin.`
`IDSTORE_NEW_SETUP`		Used for identity store validation. Used in Oracle Fusion Applications environment.
`IDSTORE_DIRECTORYTYPE`	`OVD`	Directory type of the identity store for which the authenticator must be created. Set to `OVD` if you are using Oracle Virtual Directory server to connect to either a non-OID directory, Oracle Internet Directory or Oracle Unified Directory. Set it to `OID` if your identity store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory. Set to OUD if your identity store is Oracle Unified Directory and you are accessing it directly rather than through Oracle Virtual Directory. Valid values: OID, OVD, OUD, AD
`IDSTORE_ADMIN_USER`	cn=systemids,dc=example,dc=com	The administrator of the identity store directory. Provide the complete LDAP DN of the same user specified for IDSTORE_OAMSOFTWAREUSER. The username alone is not sufficient.
`IDSTORE_WLSADMINUSER`	weblogic_idm	The identity store administrator for Oracle WebLogic Server; usually `weblogic_idm`.
`IDSTORE_WLSADMINUSER_PWD`		The password of the identity store administrator for Oracle WebLogic Server.
`IDSTORE_WLSADMINGROUP`	`WLS Administrators`	The identity store administrator group for Oracle WebLogic Server.
`IDSTORE_WASADMINUSER`		The "wasadmin" user (IBM WebSphere).
`JDBC_URL`	jdbc:oracle:thin:@example.com:5521:msmdb	JDBC URL used to seed APNS/GCM data.
`LDAPn_HOST`	.	The host name of the LDAP server
`LDAPn_PORT`		The LDAP server port number.
`LDAPn_BINDDN`	.	The bind DN for the LDAP server
`LDAPn_SSL`		Indicates whether the connection to the LDAP server is over SSL. Valid values are True or False
`LDAPn_BASE`		The base DN of the LDAP server.
`LDAPn_OVD_BASE`		The OVD base DN of the LDAP server.
`LDAPn_TYPE`		The directory type for the LDAP server. n is 1, 2, and so on. For a single-node configuration specify LDAP1.
`LOGINURI`	/${app.context}/adfAuthentication	URI required by OPSS. Default value is /${app.context}/adfAuthentication
`LOGOUTURI`	/oamsso/logout.html	URI required by OPSS. Default value is /oamsso/logout.html
`MDS_DB_URL`	jdbc:oracle:thin:@DBHOST:1521:SID	URL of the MDS database. It represents a single instance database. The string following the '`@`' symbol must have the correct values for your environment. SID must be the actual SID, not a service name. If you are using a single instance database, then set MDS_URL to: `jdbc:oracle:thin:@DBHOST:1521:SID`.
`MDS_DB_SCHEMA_USERNAME`	edg_mds	Username of the MDS schema user. MDS schema which Oracle Identity Governance is using.
`MSM_SCHEMA_USER`	DEV87_OMSM	Mobile Security Manager (MSM) database schema username.
`MSM_SERVER_KEY_LENGTH`	2048	Key length for the self-signed CA and generated keys for the MSM server. Defaults to 2048.
`MSM_SERVER_NAME`	omsm_server1	Name of the MSM server. Provide this only if the MSM server is renamed to a different value during domain configuration.
`MSAS_SERVER_HOST`	server1.example.com	MSAS server host name.
`MSAS_SERVER_PORT`	11001	MSAS server's SSL port.
`OAM_SERVER_VERSION`	14c	Valid value is 14c
`OAM_TRANSFER_MODE`	`SIMPLE`	The transfer mode for the Access Manager agent being configured. If your access manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Valid values are OPEN, SIMPLE or CERT.
`OAM11G_OAM_SERVER_TRANSFER_MODE`	`OPEN`	The security model in which the Access Manager 11g server functions. Valid values: OPEN or SIMPLE.
`OAM11G_SSO_ONLY_FLAG`	false	Configures Access Manager 11g as authentication only mode or normal mode, which supports authentication and authorization. Default value is `true` (OAM performs no authorization). If set to`true`, the Access Manager 11g server operates in authentication only mode, where all authorizations return `true` by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the Access Manager server. If the value is `false`, the server runs in default mode, where each authentication is followed by one or more authorization requests to the OAM Server. WebGate allows the access to the requested resources or not, based on the responses from the OAM server.
`OAM11G_IDSTORE_ROLE_SECURITY_ADMIN`	`OAMAdministrators`	Name of the group that is used to allow access to the Oracle Access Management Console to administer role security in identity store.
`OAM11G_OIM_INTEGRATION_REQ`	false	Specifies whether to integrate with Oracle Identity Governance or configure Access Manager in stand-alone mode. Set to `true` for integration. Valid values: true (integration) \| false
`OAM11G_SERVER_LBR_HOST`	sso.example.com	Host name of the load balancer to the Oracle HTTP (OHS) server front-ending the Access Manager server. This and the following two parameters are used to construct your login URL.
`OAM11G_SERVER_LBR_PORT`	443	Port number of the load balancer to the OHS server front-ending the Access Manager server.
`OAM11G_SERVER_LBR_PROTOCOL`	https	Protocol of the load balancer to the OHS server front-ending the Access Manager server. Valid values: HTTP, HTTPS
`OAM11G_SERVER_LOGIN_ATTRIBUTE`	uid	At a login attempt, the username is validated against this attribute in the identity store. Setting to `uid` ensures that when users log in their username is validated against the `uid` attribute in LDAP.
`OAM11G_SERVER_GLOBAL_SESSION_TIMEOUT`		The global session timeout for sessions in the Access Manager server.
`OAM11G_SERVER_GLOBAL_SESSION_EXPIRY_TIME`		Global session expiry time for a session in the Access Manager server.
`OAM11G_SERVER_GLOBAL_MAX_SESSION_PER_USER`		Global maximum sessions per user in the Access Manager server.
`OAM11G_IDSTORE_NAME`		The identity store name. If you already have an identity Store in place which you wish to reuse (rather than allowing the tool to create a new one for you), set this parameter to the name of the Identity Store. The default value is "OAMIDStore".
`OAM11G_IMPERSONATION_FLAG`		Enable or disable impersonation in Access Manager server. Applicable to Oracle Fusion Applications environment. Valid values: true (enable) \| false The default is false. If you are using impersonalization, you must manually set this value to true.
`OAM11G_IDM_DOMAIN_OHS_HOST`	sso.example.com	Host name of the load balancer which is in front of OHS in a high-availability configuration.
`OAM11G_IDM_DOMAIN_OHS_PORT`	443	Port number on which the load balancer specified as OAM11G_IDM_DOMAIN_OHS_HOST listens.
`OAM11G_IDM_DOMAIN_OHS_PROTOCOL`	https	Protocol for IDM OHS. Protocol to use when directing requests to the load balancer. Valid values: HTTP \| HTTPS
`OAM11G_OIM_OHS_URL`	https://sso.example.com:443/test	URL of the load balancer or OHS fronting the OIG server.
`OAM11G_WG_DENY_ON_NOT_PROTECTED`	true	Deny on protected flag for 10g webgate Valid values: true \| false
`OAM11G_OAM_SERVER_TRANSFER_MODE`	simple	Transfer mode for the IDM domain agent. Valid values: OPEN \| SIMPLE \| CERT
`OAM11G_IDM_DOMAIN_LOGOUT_URLS`	/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp	Comma-separated list of Access Manager logout URLs.
`OAM11G_WLS_ADMIN_HOST`	myhost.example.com	On WebLogic Server: Host name of the Access Manager domain admin server. On IBM WebSphere: The Access Manager application server host.
`OAM11G_WLS_ADMIN_PORT`	7001	On WebLogic Server: Port on which the Access Manager domain admin server is running. On IBM WebSphere: Deployment Manager bootstrap port for Access Manager cell.
`OAM11G_WLS_ADMIN_USER`	wlsadmin, wasadmin	On WebLogic Server: The username of the Access Manager domain administrator. On IBM WebSphere: Primary administrative user name for Access Manager cell.
`OAM_ADMIN_WAS_DEFAULT_PORT`	1443	On IBM WebSphere, OAM node's OracleAdminServer default port number
`OAM_POLICY_MGR_SERVER_NAME`	oam_policy_mgr1	Name of the Access Manager policy manager server. Provide this only if the policy manager server is renamed to a different value during domain configuration.
`OIM_DB_URL`		The URL needed to connect to the Oracle Identity Management database.
`OIM_DB_SCHEMA_USERNAME`		The schema user for the Oracle Identity Management database.
`OIM_FRONT_END_HOST`	host123.example.com	The host name of the LBR server front-ending Oracle Identity Governance.
`OIM_FRONT_END_PORT`	7011	The port number of the LBR server front-ending Oracle Identity Governance.
`OIM_MANAGED_SERVER_NAME`	`WLS_OIM1`	The name of the Oracle Identity Governance managed server. If clustered, any of the managed servers can be specified.
`OIM_MANAGED_SERVER_HOST`		The host name of the Oracle Identity Governance managed server.
`OIM_MANAGED_SERVER_PORT`		The port number of the Oracle Identity Governance managed server.
`OIM_MSM_REST_SERVER_URL`	https://msm.example.com:1234/	The URL of the Oracle Mobile Security Manager server. Required only if MSM URL needs to be seeded in Oracle Identity Governance and the system property OMSS Enabled set. OIM_MSM_REST_SERVER_URL enables the Mobile Security Manager task flows in the Oracle Identity Governance console. If not set, configOIM will continue the configuration without configuring the Mobile Security Manager. The prerequisite for OMSS Enabled is that the Oracle Identity Governance server should be up.
`OIM_T3_HOST`		The host name for the Oracle Identity Governance T3 server.
`OIM_T3_PORT`		The port number of the Oracle Identity Governance T3 server.
`OIM_WAS_CELL_CONFIG_DIR`		The location of the `fmwconfig` directory within the Oracle Identity Management cell on IBM WebSphere.
`OMSS_KEYSTORE_PASSWORD`		Password used to generate OMSM keystores and keys
`OMSM_IDSTORE_ROLE_SECURITY_ADMIN`	MSMAdmin	Name of the admin group whose members have admin privileges for OMSM operations. Default is "IDM Administrators".
`OMSM_IDSTORE_ROLE_SECURITY_HELPDESK`	MSMHelpDeskUsers	Name of the msm helpdesk group, whose members get helpdesk privileges for OMSM operations. Default is "MSMHelpdeskUsers".
`ovd.host`		OVD Server host name
`ovd.port`		OVD Server port number
`ovd.binddn`		OVD Server bind DN
`ovd.ssl`		Indicates whether the connection is over SSL. Valid values are True or False
`ovd.oamenabled`		Indicates whether Oracle Access Manager is enabled. Valid values are True or False
`POLICYSTORE_SHARES_IDSTORE`	true	Denotes whether the policy store and identity store share the directory. Always `true` in Release 11g. Valid values: true, false
`POLICYSTORE_HOST`	mynode.us.example.com	The host name of your policy store directory.
`POLICYSTORE_PORT`	1234	The port number of your policy store directory.
`POLICYSTORE_BINDDN`	cn=orcladmin	Administrative user in the policy store directory.
`POLICYSTORE_SEARCHBASE`	dc=example,dc=com	The location in the directory where users and groups are stored.
`POLICYSTORE_SYSTEMIDBASE`	cn=systemids, dc=example,dc=com	The read-only and read-write users for policy store are created in this location. Default value is cn=systemids, `policy_store_search_base`
`POLICYSTORE_READONLYUSER`	`PolStoreROUser`	A user with read privileges in the policy store.
`POLICYSTORE_READWRITEUSER`	`PolStoreRWUser`	A user with read and write privileges in the policy store.
`POLICYSTORE_CONTAINER`	`cn=jpsroot`	The name of the container used for OPSS policy information
`POLICYSTORE_SSL_ENABLED`		Whether the policy store is SSL-enabled.
`POLICYSTORE_KEYSTORE_FILE`		The location of the keystore file for an SSL-enabled policy store.
`PROXY_SERVER_HOST`	www-proxy.example.com	Proxy server's host name.
`PROXY_SERVER_PORT`	80	Proxy server's port.
`PROXY_USER`	proxyuserA	User for proxy.
`PROXY_PASSWD`		Password for proxy user.
`SCEP_DYNAMIC_CHALLENGE_USER`		OMSM uses a Simple Certificate Enrollment Protocol (SCEP) dynamic challenge for external SCEP authentication during the enrollment phase. This user account is used for authentication.
`SCEP_DYNAMIC_CHALLENGE_PASSWD`		SCEP dynamic challenge user's password
`SPLIT_DOMAIN`	true	Flag to force `configOAM` to create security providers in the domain against which it is run. Valid values are true, false. Setting to true is required to suppress the double authentication of Oracle Access Management Console in a split domain scenario.
`SSO_ENABLED_FLAG`	false	Flag to determine if SSO should be enabled. Valid values are true, false.
`WEBGATE_TYPE`	`javaWebgate`	The type of WebGate agent you want to create. Set to `ohsWebgate14c`.
`PRIMARY_OAM_SERVERS`	idmhost1.example.com:5575,idmhost2.example.com:5575	A comma-separated list of your Access Manager servers and their proxy ports. To determine the proxy ports your Access Manager servers: Log in to the Oracle Access Management Console at `http://admin.example.com:7001/oamconsole` At the top of the Oracle Access Management Console, click Configuration. In the Configuration console, click Server Instances. In the page that appears, click Search, then double-click the target instance to display its configuration. For example, WLS_OAM1. The proxy port is shown as Port.
`SMTP_HOST`	exchangeurl.us.example.com	E-mail host.
`SMTP_PORT`	80	E-mail port.
`TOPIC`	com.apple.mgmt.External.2544264e-aa8a-4654-bfff-9d897ed39a87	Topic used in Apple's APNS certificate; used to send APNS notification. The value should match the UID of the APNS key.
`USE_PROXY`	true	Indicates whether to use a proxy. Valid values are true, false.
`WLSHOST`	`node01.example.com`	WebLogic Server host name (host name of your administration server).
`WLSPORT`	7001	The WebLogic Server port number
`WLSADMIN`	wlsadmin	The administrator login, depending on the application server context.
`WLSPASSWD`		The WebLogic Server administrator password.

C.3.5 Working with the idmConfigTool Log File

idmConfigTool logs execution details to a file called automation.log, which is helpful in verifying the results of a run.

C.3.5.1 Searching the idmConfigTool Log File

The log file contains initialization and informational messages:

Feb 18, 2015 8:38:14 PM oracle.idm.automation.util.Util setLogger
WARNING: Logger initialized in warning mode
Feb 18, 2015 8:38:19 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler <init>
INFO: Appserver type: null
Feb 18, 2015 8:38:20 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler <init>
WARNING: Cannot connect to the OUD Admin connector
Feb 18, 2015 8:38:29 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler createOIMAdminUser
INFO: OIM Admin User has been created
Feb 18, 2015 8:38:29 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler addPwdResetPrivilegeToOIMAdminUser
INFO: Password reset privilege added

Checking for WARNING messages after a run can help you identify potential problems with the run.

C.3.5.2 Maintaining the idmConfigTool Log File

idmConfigTool appends to the log file upon each run. The presence of older entries can lead to a misunderstanding if you see an error in the log and correct it, since the original error detail is present in the log even after you rectify the error.

WARNING:

Back up existing log files frequently to avoid confusion caused by old log entries.

C.4 Additional Tasks for OUD Identity Store in an HA Environment

This section explains additional tasks you may need to perform when using idmConfigTool for a target Oracle Unified Directory (OUD) identity store in a high-availability environment. Topics include:

C.4.1 Creating the Global ACI for Oracle Unified Directory

Global ACI and indexes are not replicated when you use idmConfigTool for an Oracle Unified Directory (OUD) identity store in a high availability (HA) environment that contains replicas. Global ACI and indexes are created ONLY in the instance(s) specified in the property file. You must manually re-create (remove then create) them on all other OUD instances of the replication domain.

Consequently you must first grant access to the change log, and then create the ACIs. Take these steps:

Create a file called password which contains the password you use to connect to OUD.

Remove the existing change log on one of the replicated OUD hosts. The command syntax is:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--remove \
global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0;
acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
--hostname OUD Host \
--port OUD Admin Port \
--trustAll ORACLE_INSTANCE/config/admin-truststore \
--bindDN cn=oudadmin \
--bindPasswordFile password \
--no-prompt

For example:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--remove
global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0;
acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)"
--hostname OUDHOST1.example.com \
--port 4444 \
--trustAll /u01/app/oracle/admin/oud1/OUD/config/admin-truststore \
--bindDN cn=oudadmin \
--bindPasswordFile password \
--no-prompt

Add the new ACI for the changelog:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version
3.0; acl \"External changelog access\"; allow
(read,search,compare,add,write,delete,export)
groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \
--hostname OUD Host \
--port OUD Admin Port \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile password
--no-prompt

For example:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add
--add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version
3.0; acl \"External changelog access\"; allow
(read,search,compare,add,write,delete,export)
groupdn=\"ldap:///cn=oimAdminGroup,cn=groups,dc=example,dc=com\";)" \
--hostname OUDHOST1 \
--port 4444 \
--trustAll \
--bindDN cn=oudadmin \
--bindPasswordFile password
--no-prompt

Then add the ACI:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read)  groupdn=\"<ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
        --hostname OUD_HOST \
        --port OUD_ADMIN_PORT \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

For example:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4 || 1.3.6.1.4.1.26027.2.3.4\")(version 3.0; acl \"OIMAdministrators control access\"; allow(read) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
        --hostname IDMHOST1.mycompany.com \
        --port 4444 \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

Finally add the ACI:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
        --hostname OUD_HOST \
        --port OUD_ADMIN_PORT \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

For example:

OUD_ORACLE_INSTANCE/bin/dsconfig set-access-control-handler-prop \
--add global-aci:"(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"lastExternalChangelogCookie\")(version 3.0; acl \"User-Visible lastExternalChangelog\"; allow (read,search,compare) groupdn=\"ldap:///cn=OIMAdministrators,cn=groups,dc=mycompany,dc=com\";)" \
        --hostname IDMHOST1.mycompany.com \
        --port 4444 \
        --trustAll \
        --bindDN cn=oudadmin \
        --bindPasswordFile passwordfile \
        --no-prompt

Repeat Steps 1 through 5 for each OUD instance.

C.4.2 Creating Indexes on Oracle Unified Directory Replicas

When idmConfigTool prepares the identity store, it creates a number of indexes on the data. However in a high availability (HA) environment that contains replicas, global ACI and indexes are created only in the instance(s) specified in the property file; the replicas are not updated with the indexes which need to be added manually.

The steps are as follows (with LDAPHOST1.example.com representing the first OUD server, LDAPHOST2.example.com the second server, and so on):

Create a file called mypassword which contains the password you use to connect to OUD.

Configure the indexes on the second OUD server:

ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444
-a -D "cn=oudadmin" -j mypassword -c -f
/u01/app/oracle/product/fmw/iam/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif

and

ORACLE_INSTANCE/OUD/bin/ldapmodify -h LDAPHOST2.example.com -Z -X -p 4444
-a -D "cn=oudadmin" -j  mypassword -c -f
/u01/app/oracle/product/fmw/iam/idmtools/templates/oud/oud_indexes_extn.ldif

Note:

Repeat both commands for all OUD servers for which idmConfigTool was not run.
Execute the commands on one OUD instance at a time; that instance must be shut down while the commands are running.

Rebuild the indexes on all the servers:
```
ORACLE_INSTANCE/OUD/bin/bin/rebuild-index -h localhost -p 4444 -X -D
"cn=oudadmin" -j mypassword --rebuildAll -b "dc=example,dc=com"
```
Note:

You must run this command on all OUD servers, including the first server (LDAPHOST1.example.com) for which idmConfigTool was run.

C.5 IdmConfigTool Options and Properties

This section lists the properties for each command option. Topics include:

Note:

The command options show the command syntax on Linux only. See idmConfigTool Command Syntax for Windows syntax guidelines.
The tool prompts for passwords.

C.6 preConfigIDStore Command

Syntax

On Linux, the command syntax is:

idmConfigTool.sh -preConfigIDStore input_file=input_properties

On Windows, the command syntax is:

idmConfigTool.bat -preConfigIDStore input_file=input_properties

For example:

idmConfigTool.sh -preConfigIDStore input_file=extendOAMPropertyFile

Note:

The -preConfigIDStore command option supports Oracle Internet Directory, Oracle Unified Directory, and Oracle Virtual Directory.

Properties

Table C-3 lists the properties for this mode:

Table C-3 Properties of preConfigIDStore

Property	Required?
`IDSTORE_HOST`	`YES` `IDSTORE_HOST` and `IDSTORE_PORT` are the host and port, respectively, of your identity store directory. If your identity store is in Oracle Unified Directory or Oracle Internet Directory, then `IDSTORE_HOST` should point directly to the Oracle Unified Directory or Oracle Internet Directory host. If your Identity Store is fronted by Oracle Virtual Directory, then IDSTORE_HOST should point to the Oracle Virtual Directory host, which should be `IDSTORE`.`example`.`com`.
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_DIRECTORYTYPE`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).)
`IDSTORE_LOGINATTRIBUTE`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_SYSTEMIDBASE`
`POLICYSTORE_SHARES_IDSTORE`
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).) This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES`, if target identity store is OUD. Use the format: `OUD-instance-path`/OUD/config/admin-keystore where OUD-instance-path is the path to the directory instance. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES`, if target identity store is OUD. Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.

Example properties File

Here is a sample properties file for this option:

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com

If you are using Oracle Unified Directory as the identity store, include the additional properties indicated in the properties table. The sample properties file then contains the additional properties:

IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_ADMIN_PORT : 4444
IDSTORE_KEYSTORE_FILE : /u01/config/instances/oud1/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD : K8BYCoOFHBwDYa1F6vUBgcGr1TK1Rz26W9Bz7OF0UwsZ5XLGOb

Note:

When using prepareIDStore for Oracle Unified Directory, global ACI and indexes are re-created only in the instance(s) specified in the property file; they are not replicated by Oracle Unified Directory. You must manually re-create (remove, then create) the global ACI and indexes on all other Oracle Unified Directory instances of the replication domain.

For details, see Additional Tasks for OUD Identity Store in an HA Environment.

C.7 prepareIDStore Command

Syntax

The prepareIDStore command takes mode as an argument to perform tasks for the specified component.

idmConfigTool.sh -prepareIDStore mode=mode
input_file=filename_with_Configproperties

where mode must be one of the following:

OAM
OIM
OAAM
WLS
FUSION
WAS
APM
all (performs all the tasks of the above modes combined)

Note:

WLS mode must be run before OAM.

See Also:

Table C-2 for details of the properties.

C.7.1 prepareIDStore mode=OAM

The following are created in this mode:

Perform schema extensions as required by the Access Manager component
Add the oblix schema
Create the OAMSoftware User
Create OblixAnonymous User
Optionally create the Access Manager Administration User
Associate these users to their respective groups
Create the group "orclFAOAMUserWritePrivilegeGroup"

Syntax

On Linux, the command syntax is:

idmConfigTool.sh -prepareIDStore mode=OAM input_file=filename_with_Configproperties

On Windows, the command syntax is:

idmConfigTool.bat -prepareIDStore mode=OAM input_file=filename_with_Configproperties

For example:

idmConfigTool.sh -prepareIDStore mode=OAM input_file=preconfigOAMPropertyFile

Properties

Table C-4 lists the properties for this mode:

Table C-4 prepareIDStore mode=OAM Properties

Parameter	Required?
`IDSTORE_HOST`	`YES` `IDSTORE_HOST` and `IDSTORE_PORT` are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory or Oracle Unified Directory, then `IDSTORE_HOST` should point to Oracle Internet Directory or Oracle Unified Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory. If you are using a directory other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host.
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_LOGINATTRIBUTE`
`OAM11G_IDSTORE_ROLE_SECURITY_ADMIN`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_OAMSOFTWAREUSER`
`IDSTORE_OAMADMINUSER`
`IDSTORE_SYSTEMIDBASE`
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).) This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES`, if target identity store is OUD. Use the format: `OUD-instance-path`/OUD/config/admin-keystore where OUD-instance-path is the path to the directory instance. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES`, if target identity store is OUD. Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`.

Example properties File

Here is a sample properties file for this option. This parameter set would result in OAMADMINUSER and OAMSOFTWARE user being created in the identity store:

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OAMSOFTWAREUSER:oamLDAP
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com

See Also:

Table C-2 for details of the properties.

C.7.2 prepareIDStore mode=OIM

The following are created in this mode:

Create Oracle Identity Management Administration User under SystemID container
Create Oracle Identity Management Administration Group
Add Oracle Identity Management Administration User to Oracle Identity Management Administration Group
Add ACIs to Oracle Identity Management Administration Group
Create reserve container
Create xelsysadmin user

Syntax

On Linux, the command syntax is:

idmConfigTool.sh -prepareIDStore mode=OIM input_file=filename_with_Configproperties

On Windows, the command syntax is:

idmConfigTool.bat -prepareIDStore mode=OIM input_file=filename_with_Configproperties

For example:

idmConfigTool.sh -prepareIDStore mode=OIM input_file=preconfigOIMPropertyFile

Properties

Table C-5 lists the properties in this mode:

Table C-5 prepareIDStore mode=OIM Properties

Parameter	Required?
`IDSTORE_HOST`	`YES` `IDSTORE_HOST` and `IDSTORE_PORT` are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory or Oracle Unified Directory, then `IDSTORE_HOST` should point directly to the Oracle Internet Directory or Oracle Unified Directory host. If your Identity Store is fronted by Oracle Virtual Directory, then `IDSTORE_HOST` should point to the Oracle Virtual Directory host, which should be `IDSTORE`.`example`.`com`.
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_LOGINATTRIBUTE`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_OIMADMINUSER`
`IDSTORE_OIMADMINGROUP`
`IDSTORE_SYSTEMIDBASE`
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).) This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES` (if target identity store is an instance of OUD) `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES` (if target identity store is an instance of OUD.) Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`..
`OIM_DB_URL`	Required on IBM WebSphere.
`OIM_DB_SCHEMA_USERNAME`	Required on IBM WebSphere.
`OIM_WAS_CELL_CONFIG_DIR`	Required on IBM WebSphere.

Example properties File

Here is a sample properties file for this option:

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP:OIMAdministrators
OIM_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1
OIM_DB_SCHEMA_USERNAME: dev_oim
OIM_WAS_CELL_CONFIG_DIR: /wassh/WebSphere/AppServer/profiles/Dmgr04/config/cells/xyz5678Cell04/fmwconfig

See Also:

Table C-2 for details of the properties.

C.7.3 prepareIDStore mode=OAAM

This mode:

Creates Oracle Adaptive Access Manager Administration User
Creates Oracle Adaptive Access Manager Groups
Adds the Oracle Adaptive Access Manager Administration User as a member of Oracle Adaptive Access Manager Groups

Syntax

idmConfigTool.sh -prepareIDStore mode=OAAM
input_file=filename_with_Configproperties

Properties

Table C-6 shows the properties in this mode:

Table C-6 prepareIDStore mode=OAAM Properties

Parameter	Required?
`IDSTORE_HOST`	`YES`
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_LOGINATTRIBUTE`	`YES`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_OAAMADMINUSER`	`YES`
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).) This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES`, if target identity store is OUD. Use the format: `OUD-instance-path`/OUD/config/admin-keystore where OUD-instance-path is the path to the directory instance. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES`, if target identity store is OUD. Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`.

Example properties File

Here is a sample properties file for this option:

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_OAAMADMINUSER: oaamadmin
POLICYSTORE_SHARES_IDSTORE: true

See Also:

Table C-2 for details of the properties.

C.7.4 prepareIDStore mode=WLS

This mode:

Creates Weblogic Administration User
Creates Weblogic Administration Group
Adds the Weblogic Administration User as a member of Weblogic Administration Group

Syntax

On Linux, the command syntax is:

idmConfigTool.sh -prepareIDStore mode=WLS input_file=filename_with_Configproperties

On Windows, the command syntax is:

idmConfigTool.bat -prepareIDStore mode=WLS input_file=filename_with_Configproperties

For example:

idmConfigTool.sh -prepareIDStore mode=WLS input_file=preconfigWLSPropertyFile

Properties

Table C-7 lists the properties in this mode:

Table C-7 prepareIDStore mode=WLS Properties

Parameter	Required?
`IDSTORE_HOST`	`YES` `IDSTORE_HOST` and `IDSTORE_PORT` are the host and port, respectively, of your Identity Store directory. If your Identity Store is in Oracle Internet Directory or Oracle Unified Directory, then `IDSTORE_HOST` should point to the Oracle Internet Directory or Oracle Unified Directory host, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory. If you are using a directory other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.`example.com`.)
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_LOGINATTRIBUTE`	YES
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_WLSADMINUSER`	`YES`. Do not set any default, out-of-the-box users such as weblogic/xelsysadm for this property.
`IDSTORE_WLSADMINGROUP`	`YES` Note: `IDSTORE_WLSADMINGROUP: IDM Administrators` must be included in the properites file to ensure the OAM Administrators are added to the IDM Administrators group successfully.
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).) This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES`, if target identity store is OUD. Use the format: `OUD-instance-path`/OUD/config/admin-keystore where OUD-instance-path is the path to the OUD instance. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES`, if target identity store is OUD. Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`.

Example properties File

Here is a sample properties file for this option. With this set of properties, the IDM Administrators group is created.

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: wlsadmingroup

See Also:

Table C-2 for details of the properties.

C.7.5 prepareIDStore mode=WAS

This mode:

Creates WebSphere Administration User
Creates WebSphere Administration Group
Adds the WebSphere Administration User as a member of WebSphere Administration Group

Syntax

idmConfigTool.sh -prepareIDStore mode=WAS
input_file=filename_with_Configproperties

Properties

Table C-8 lists the properties in this mode:

Table C-8 prepareIDStore mode=WAS Properties

Parameter	Required?
`IDSTORE_HOST`	`YES`
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_LOGINATTRIBUTE`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_WASADMINUSER`	`YES` (wsadmin user)
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD). This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES`, if target identity store is OUD. Use the format: `OUD-instance-path`/OUD/config/admin-keystore where OUD-instance-path is the path to the OUD instance. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES`, if target identity store is OUD. Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`.

Example properties File

Here is a sample properties file for this option, which creates the IDM Administrators group.

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users, dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_WASADMINUSER: websphere_idm

See Also:

Table C-2 for details of the properties.

C.7.6 prepareIDStore mode=APM

This mode:

Creates Oracle Privileged Account Manager Administration User
Adds the Oracle Privileged Account Manager Administration User as a member of Oracle Privileged Account Manager Groups

You are prompted to enter the password of the account that you are using to connect to the identity store.

Syntax

idmConfigTool.sh -prepareIDStore mode=APM
input_file=filename_with_Configproperties

Properties

Table C-9 shows the properties in this mode:

Table C-9 prepareIDStore mode=APM Properties

Parameter	Required?
`IDSTORE_HOST`	`YES`
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`
`IDSTORE_LOGINATTRIBUTE`
`IDSTORE_USERSEARCHBASE`
`IDSTORE_GROUPSEARCHBASE`
`IDSTORE_SEARCHBASE`
`POLICYSTORE_SHARES_IDSTORE`	`YES`
`IDSTORE_APMUSER`	`YES`

Example properties File

Here is a sample properties file for this option:

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_APMUSER: opamadmin

See Also:

Table C-2 for details of the properties.

C.7.7 prepareIDStore mode=fusion

This mode:.

Creates a Readonly User
Creates a ReadWrite User
Creates a Super User
Adds the readOnly user to the groups orclFAGroupReadPrivilegeGroup and orclFAUserWritePrefsPrivilegeGroup
Adds the readWrite user to the groups orclFAUserWritePrivilegeGroup and orclFAGroupWritePrivilegeGroup

Syntax

idmConfigTool.sh -prepareIDStore mode=fusion
input_file=filename_with_Configproperties

Properties

Table C-10 lists the properties in this mode:

Table C-10 prepareIDStore mode=fusion Properties

Parameter	Required?
`IDSTORE_HOST`	`YES`
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_LOGINATTRIBUTE`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_READONLYUSER`
`IDSTORE_READWRITEUSER`
`IDSTORE_SUPERUSER`
`IDSTORE_SYSTEMIDBASE`
`POLICYSTORE_SHARES_IDSTORE`
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).) This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES`, if target identity store is OUD. Use the format: `OUD-instance-path`/OUD/config/admin-keystore where OUD-instance-path is the path to the OUD instance. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES`, if target identity store is OUD. Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`.

Example properties File

Here is a sample properties file for this option, which creates IDSTORE_SUPERUSER:

IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_USERSEARCHBASE:cn=Users,dc=example,dc=com 
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycomapny,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_SUPERUSER: weblogic_fa
POLICYSTORE_SHARES_IDSTORE: true

See Also:

Table C-2 for details of the properties.

C.7.8 prepareIDStore mode=all

The mode performs all the tasks that are performed in the modes OAM, OIM, WLS, WAS, OAAM, and FUSION.

Syntax

idmConfigTool.sh -prepareIDStore mode=all
input_file=filename_with_Configproperties

Properties

Table C-11 lists the properties in this mode:

Table C-11 prepareIDStore mode=all Properties

Parameter	Required?
`IDSTORE_HOST`	`YES`
`IDSTORE_PORT`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_LOGINATTRIBUTE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_SYSTEMIDBASE`
`IDSTORE_READONLYUSER`	`YES`
`IDSTORE_READWRITEUSER`	`YES`
`IDSTORE_SUPERUSER`	`YES`
`IDSTORE_OAMSOFTWAREUSER`	`YES`
`IDSTORE_OAMADMINUSER`	`YES`
`IDSTORE_OIMADMINUSER`	`YES`
`IDSTORE_OIMADMINGROUP`	`YES`
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_OAAMADMINUSER`	`YES`
`IDSTORE_WLSADMINUSER`	`YES`
`IDSTORE_WLSADMINGROUP`	`YES`
`IDSTORE_ADMIN_PORT`	`YES` (if target identity store is an instance of Oracle Unified Directory (OUD).) This property is required to connect to and configure OUD configuration structures: creation of global ACIs creation of indexes
`IDSTORE_KEYSTORE_FILE`	`YES`, if target identity store is OUD. Use the format: `OUD-instance-path`/OUD/config/admin-keystore where OUD-instance-path is the path to the OUD instance. `IDSTORE_KEYSTORE_FILE` and `IDSTORE_KEYSTORE_PASSWORD` must be set to establish the connection to the OUD identity store.
`IDSTORE_KEYSTORE_PASSWORD`	`YES`, if target identity store is OUD. Not plain-text. Resides in the file `OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin`.
`OAM11G_IDSTORE_ROLE_SECURITY_ADMIN`
`POLICYSTORE_SHARES_IDSTORE`
`OIM_DB_URL`	Required on IBM WebSphere
`OIM_DB_SCHEMA_USERNAME`	Required on IBM WebSphere
`OIM_WAS_CELL_CONFIG_DIR`	Required on IBM WebSphere
`IDSTORE_WASADMINUSER`	Required on IBM WebSphere

Example properties File

Here is a sample properties file for this option:

IDSTORE_HOST: node01.example.com
IDSTORE_PORT: 2345
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_SUPERUSER: weblogic_fa
IDSTORE_OAMSOFTWAREUSER:oamSoftwareUser
IDSTORE_OAMADMINUSER:oamAdminUser
IDSTORE_OIMADMINUSER: oimadminuser
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: wlsadmingroup
IDSTORE_OAAMADMINUSER: oaamAdminUser
OIM_DB_URL: jdbc:oracle:thin:@xyz5678.us.example.com:5522:wasdb1
OIM_DB_SCHEMA_USERNAME: dev_oim
OIM_WAS_CELL_CONFIG_DIR: /wassh/WebSphere/AppServer/profiles/Dmgr04/config/cells/xyz5678Cell04/fmwconfig
IDSTORE_WASADMINUSER: websphere_idm

See Also:

Table C-2 for details of the properties.

C.8 configOAM Command

Prerequisite

Ensure that the administration server for the domain hosting Oracle Access Manager is running before you execute this command.

Restart all servers on the OIM domain after running configOIM.

Syntax

On Linux, the command syntax is:

idmConfigTool.sh -configOAM input_file=input_properties

On Windows, the command syntax is:

idmConfigTool.bat -configOAM input_file=input_properties

For example:

idmConfigTool.sh -configOAM input_file=OAMconfigPropertyFile

Properties

Table C-12 lists the command properties.

Table C-12 Properties of configOAM

Property	Required?
`WLSHOST`	`YES` `WLSHOST` and `WLSPORT` are, respectively, the host and port of your administration server, this will be the virtual name.
`WLSPORT`	`YES`
`WLSADMIN`	`YES`
`IDSTORE_BINDDN`	`YES`
`IDSTORE_HOST`	`YES` `IDSTORE_HOST` and `IDSTORE _PORT` are, respectively, the host and port of your Identity Store directory. If using a directory server other than Oracle Internet Directory or Oracle Unified Directory, specify the Oracle Virtual Directory host and port.
`IDSTORE_PORT`	`YES`
`IDSTORE_DIRECTORYTYPE`	`YES`
`IDSTORE_BINDDN`	`YES` `IDSTORE_BINDDN` is an administrative user in Oracle Internet Directory or Oracle Unified Directory. If using a directory server other than Oracle Internet Directory or Oracle Unified Directory, specify an Oracle Virtual Directory administrative user.
`IDSTORE_USERNAMEATTRIBUTE`	`YES`
`IDSTORE_LOGINATTRIBUTE`	`YES`
`IDSTORE_USERSEARCHBASE`	`YES`
`IDSTORE_SEARCHBASE`	`YES`
`IDSTORE_GROUPSEARCHBASE`	`YES`
`IDSTORE_OAMSOFTWAREUSER`	`YES`
`IDSTORE_OAMADMINUSER`	`YES`
`IDSTORE_SYSTEMIDBASE`	`YES`
`PRIMARY_OAM_SERVERS`	`YES`
`WEBGATE_TYPE`	`YES` `WEBGATE_TYPE` is the type of WebGate agent you want to create. Valid value is `ohsWebgate12c`
`ACCESS_GATE_ID`	`YES` `ACCESS_GATE_ID` is the name you want to assign to the WebGate. Do not change the property value shown in the example.
`OAM_TRANSFER_MODE`	`YES` `Default is OPEN` `OAM_TRANSFER_MODE` is the security model in which the access servers function.
`COOKIE_DOMAIN`	`YES`
`COOKIE_EXPIRY_INTERVAL`	`YES`
`OAM11G_WG_DENY_ON_NOT_PROTECTED`	`YES`
`OAM11G_IDM_DOMAIN_OHS_HOST`	`YES`
`OAM11G_IDM_DOMAIN_OHS_PORT`	`YES`
`OAM11G_IDM_DOMAIN_OHS_PROTOCOL`	`YES` `default is http` `OAM11G_IDM_DOMAIN_OHS_PROTOCOL` is the protocol to use when directing requests to the load balancer.
`OAM11G_OAM_SERVER_TRANSFER_MODE`	`YES` `OAM11G_OAM_SERVER_TRANSFER_MODE` is the security model for the Access Manager servers. Access Manager must be configured for `SIMPLE` as the mode of communication.
`OAM11G_IDM_DOMAIN_LOGOUT_URLS`
`OAM11G_OIM_WEBGATE_PASSWD`	`YES`
`OAM11G_IDSTORE_ROLE_SECURITY_ADMIN`	`YES`
`OAM11G_SSO_ONLY_FLAG`	`YES` `Default is TRUE` `OAM11G_SSO_ONLY_FLAG` configures Access Manager 11g as authentication only mode or normal mode, which supports authentication and authorization. Default value is `true`. If `OAM11G_SSO_ONLY_FLAG` is `true`, the Access Manager 11g server operates in authentication only mode, where all authorizations return true by default without any policy validations. In this mode, the server does not have the overhead of authorization handling. This is recommended for applications which do not depend on authorization policies and need only the authentication feature of the Access Manager server. If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the Access Manager server. WebGate allows the access to the requested resources or not, based on the responses from the Access Manager server.
`OAM11G_OIM_INTEGRATION_REQ`	`YES`
`OAM11G_IMPERSONATION_FLAG`	`YES` `OAM11G_IMPERSONATION_FLAG` enables or disables the impersonation feature in the OAM Server. Valid values are `true` (enable) and `false` (disable). The default is `false`. If you are using impersonalization, you must manually set this value to `true`.
`OAM11G_SERVER_LBR_HOST`	`YES`
`OAM11G_SERVER_LBR_PORT`	`YES`
`OAM11G_SERVER_LBR_PROTOCOL`	`YES` `Default is http` `OAM11G_SERVER_LBR_PROTOCOL` is the URL prefix to use.
`OAM11G_SERVER_LOGIN_ATTRIBUTE`	`YES`
`OAM11G_IDSTORE_NAME`	`YES`
`POLICYSTORE_SHARES_IDSTORE`	`YES`
`OAM11G_OIM_OHS_URL`	`http://`sso.example.com:`443/` `OAM11G_OIM_OHS_URL` is the URL of the load balancer or OHS fronting the OIM server.
`SPLIT_DOMAIN`	Set to `true` for cross-domain deployment. Omit for single-domain deployment. `SPLIT_DOMAIN` set to `true` is required to suppress the double authentication of Oracle Access Management Console in a split domain scenario.

Example properties File

Here is a sample properties file for this option, which creates an entry for webgate in Access Manager:

WLSHOST: adminvhn.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idstore.example.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin 
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
PRIMARY_OAM_SERVERS: oamhost1.example.com:5575,oamhost2.example.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST:sso.example.com
OAM11G_IDM_DOMAIN_OHS_PORT:443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL:https
OAM11G_OAM_SERVER_TRANSFER_MODE:simple
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid 
OAM_TRANSFER_MODE: simple
COOKIE_DOMAIN: .example.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OIM_INTEGRATION_REQ: true or false
OAM11G_IMPERSONATION_FLAG:true
OAM11G_SERVER_LBR_HOST:sso.example.com
OAM11G_SERVER_LBR_PORT:443
OAM11G_SERVER_LBR_PROTOCOL:https
COOKIE_EXPIRY_INTERVAL: -1
OAM11G_OIM_OHS_URL:https://sso.example.com:443/
SPLIT_DOMAIN: true
OAM11G_IDSTORE_NAME: OAMIDStore
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com

Usage Notes

When you execute this command, the tool prompts you for:

Password of the identity store account to which you are connecting
Access Manager administrator password
Access Manager software user password

In the IBM WebSphere environment:

Run idmconfigtool from the Oracle Access Manager WebSphere cell.
Provide details of the IBM WebSphere server by specifying the following in the properties file:
- WLSHOST - The WebSphere Application Server host
- WLSPORT - The WebSphere Application Server bootstrap port
- WLSADMIN - Login ID for the Oracle Access Management Console.

See Also:

Table C-2 for details of the properties.