

Oracle Access Manager 11g R2: Advanced Administration 4 - 1



Oracle Identity and Access Management has two main functions: user provisioning and access management. The Enterprise Deployment Guide describes a reference implementation of Oracle Identity and Access Management for an enterprise and has the following features:
- Main components deployed: Oracle Access Manager (OAM), Oracle Identity Manager (OIM), and Authorization Policy Manager (APM).
- Support for different identity stores, including Oracle Internet Directory, Oracle Unified Directory, and Oracle Virtual Directory. Oracle Virtual Directory can be used to support third-party directories or to provide multi-directory support.
- All components are highly available.
- SSL is terminated at the load balancer.
- OAM and OIM are deployed into different domains to separate administrative tasks from operational tasks.
- Directories are deployed into independent domains, so they can be patched independently of the Oracle Access Management components. This removes the need to ensure that products are certified with infrastructure components from a different product set, which makes patching easier. It is also likely that enterprises already have an enterprise identity store (LDAP), which can be reused.

If you are using load balancers to front the Identity Management environment, you must configure virtual servers and associated ports on the load balancer for the different types of network traffic and for monitoring. Each virtual server should be mapped to the real hosts and ports of the services running behind it. Also, configure the load balancer to monitor those real hosts and ports for availability, so that traffic to them is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers.

Fusion Applications: Install and Configure Identity Management 2 - 4

The directory tier provides the LDAP services. The directory tier stores identity information about users and groups. This tier includes products such as Oracle Internet Directory, Oracle Unified Directory, and Oracle Virtual Directory. The directory tier is closely tied with the data tier. In some cases, the directory tier and data tier might be managed by the same group of administrators. In many enterprises, however, database administrators own the data tier while directory administrators own the directory tier. The directory components such as Oracle Unified Directory, Oracle Internet Directory and Oracle Virtual Directory are installed on LDAPHOSTs. LDAP requests are distributed among these servers using a hardware load balancer. If you store the Identity details in a directory other than Oracle Internet Directory or Oracle Unified Directory, you can use either Oracle Virtual Directory to present that information or Oracle Directory Integration Platform to synchronize the users and groups from the other directory to Oracle Internet Directory. If you are using Oracle Internet Directory exclusively, you do not need to use Oracle Virtual Directory or Oracle Unified Directory.


Directory Tier (continued)


If you store your identity information in Oracle Unified Directory, it is held locally in a Berkeley DB Java Edition database. To ensure high availability, this information is replicated to the other Oracle Unified Directory instances using Oracle Unified Directory replication. The directory tier is typically protected by firewalls, and the applications above it reach LDAP services through a designated LDAP host and port. The standard ports are 389 for LDAP without SSL and 636 for LDAP over SSL. Note that a simple bind on port 389 sends the password in clear text, so only clients inside the protected network segment should use it. LDAP services are often used for white-pages lookups by intranet clients such as email clients. Ports 389 and 636 on the load balancer are typically redirected to the non-privileged ports on which the individual directory instances listen.


The application tier is where Java EE applications are deployed. Products such as Oracle Identity Manager, Oracle Directory Integration Platform, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key Java EE components that are deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.

OAM Server, Oracle Adaptive Access Manager, Oracle Identity Manager, and SOA, can be run in active-active mode; these servers communicate with the data tier at run time.
The WebLogic Administration Server is a singleton component and is deployed in an active-passive configuration: if the primary host fails, or the Administration Server on one host does not start, the Administration Server on the secondary host can be started. If a WebLogic managed server fails, the Node Manager running on that host attempts to restart it. The application-tier components interact with the other tiers as follows:
- They use the directory tier for enterprise identity information.
- They use the database tier for application metadata.
WebLogic Server has built-in web server support; if enabled, the HTTP listener exists in the application tier as well. However, in the enterprise deployment shown, customers have a separate web tier relying on web servers such as Oracle HTTP Server.


The HTTP Servers are deployed in the web tier. Most of the Identity Management components can function without the web tier, but to support enterprise-level single sign-on by using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required. Components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier. They can also be configured to use a web tier, if desired. In the web tier: Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the mod_wl_ohs module are installed. The mod_wl_ohs module enables requests to be proxied from Oracle HTTP Server to a WebLogic Server that is running in the application tier. WebGate in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager. WebGate and Oracle Access Manager are used to perform operations such as user authentication.


These are the typical hardware requirements. For each tier, carefully consider the load, throughput, response time, and other requirements to plan the actual capacity required. The number of nodes, CPUs, and memory required can vary for each tier based on the deployment profile. Production requirements may vary depending on the applications and the number of users. For detailed requirements, or for requirements for other platforms, see the Oracle Fusion Middleware Installation Guide for that platform.


Configuring virtual servers (IP addresses and host names) on physical machines enables you to move services efficiently from one configured environment to another. A virtual IP address is an unused IP address in the same subnet as the host's primary IP address. It is assigned to a host manually, and the Oracle WebLogic managed servers are configured to listen on it. If the node to which the IP address is assigned fails, the address is assigned to another node in the same subnet, so that the new node can take over the managed servers assigned to it.

You must configure several virtual servers and associated ports on the load balancer for the different types of network traffic and for monitoring. Each virtual server should be mapped to the real hosts and ports of the services running behind it. Also, configure the load balancer to monitor those real hosts and ports for availability, so that traffic to them is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers.

Ensure that the virtual server names are associated with IP addresses and are part of your DNS. The computers on which Oracle Fusion Middleware runs must be able to resolve these virtual server names.


Several virtual servers and associated ports must be configured on the load balancer for the different types of network traffic and for monitoring. Each virtual server should be mapped to the real hosts and ports of the services running behind it. Also, configure the load balancer to monitor those real hosts and ports for availability, so that traffic to them is stopped as soon as possible when a service is down. This ensures that incoming traffic on a given virtual host is not directed to an unavailable service in the other tiers. There are two load balancer devices in the recommended topologies:
- one load balancer for external HTTP traffic
- one load balancer for internal LDAP traffic
You may choose to use a single load balancer device for a variety of reasons. While this is supported, consider the security implications: the single device then spans the DMZs, and you must open the relevant firewall ports to allow its traffic across them, which weakens the separation between the externally reachable web tier and the internal directory tier. In either case, it is highly recommended to deploy each load balancer device in a fault-tolerant (redundant) configuration.


Configuring the Load Balancers (continued)


The procedure for configuring a load balancer depends on the specific load balancer; refer to the vendor-supplied documentation for the actual steps. The general configuration flow is:
- Create a pool of servers. The pool lists the servers and ports included in the load-balancing definition. For example, to load balance between the web hosts, you create a pool that directs requests to the WEBHOSTs on port 7777.
- Create rules that determine whether a given host and service is available, and assign them to the pool created above.
- Create a virtual server on the load balancer. This is the address and port that receives the requests made by the application. For example, to load balance web tier requests, you create a virtual host for sso.mycompany.com:80.
- If your load balancer supports it, specify whether the virtual server is available internally, externally, or both. Ensure that internal addresses are resolvable only from inside the network.
- Configure SSL termination, if applicable, for the virtual server.
- Tune the timeout settings, including the time taken to detect that a service is down.
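As an added example that is not part of the original course material, the steps above expressed as an HAProxy configuration (the guide itself is vendor-neutral, so HAProxy is only one illustration). It covers both the external HTTP virtual server for the web tier described here and the internal LDAP virtual server described under the directory tier, including the redirection of ports 389 and 636 to the non-privileged directory instance ports. The host names, IP addresses, certificate path and backend ports (7777 for OHS, 1389 and 1636 for the directory instances) are assumptions, and the header the web tier reads to learn the original scheme depends on your OHS configuration.

```haproxy
# Added example, not from the Enterprise Deployment Guide. Assumed names:
# WEBHOST1/2 listen on 7777, LDAPHOST1/2 on 1389 (LDAP) and 1636 (LDAPS),
# 203.0.113.10 is the external address and 10.0.0.20 the internal one.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    timeout connect 5s      # time allowed to open a connection to a real server
    timeout client  60s
    timeout server  60s
    timeout check   3s      # per-probe limit: bounds how long a dead node stays "up"

# --- Steps 1 and 2: pool of web-tier servers with an availability rule -------
backend web_pool
    mode    http
    balance roundrobin
    option  httpchk GET /
    # "fall 2": two failed probes 5s apart remove the node; "rise 3" brings it back
    default-server inter 5s fall 2 rise 3
    server webhost1 webhost1.mycompany.com:7777 check
    server webhost2 webhost2.mycompany.com:7777 check

# --- Steps 3 to 5: external virtual server sso.mycompany.com, SSL terminated --
frontend sso_external
    mode    http
    bind 203.0.113.10:80
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/sso.mycompany.com.pem
    # Never serve the SSO login over clear text: send port-80 clients to https
    http-request redirect scheme https code 301 if !{ ssl_fc }
    # Tell the web tier the client used https so WebLogic builds https URLs.
    # Assumption: OHS is configured to honour this header.
    http-request set-header X-Forwarded-Proto https
    default_backend web_pool

# --- Internal-only virtual server for the administration consoles ------------
# Bound to the internal address only, so /console, /em and /oamconsole are
# not reachable through the external virtual server.
frontend admin_internal
    mode    http
    bind 10.0.0.20:80
    default_backend web_pool

# --- Internal LDAP virtual server: 389/636 redirected to instance ports ------
listen ldap_internal
    mode    tcp
    bind 10.0.0.20:389
    balance leastconn
    option  ldap-check        # LDAPv3 bind probe, not just a TCP connect
    default-server inter 5s fall 2 rise 3
    server ldaphost1 ldaphost1.mycompany.com:1389 check
    server ldaphost2 ldaphost2.mycompany.com:1389 check

listen ldaps_internal
    mode    tcp
    bind 10.0.0.20:636
    balance leastconn
    # TLS is passed through to the directory, so only a TCP connect probe is possible
    default-server inter 5s fall 2 rise 3
    server ldaphost1 ldaphost1.mycompany.com:1636 check
    server ldaphost2 ldaphost2.mycompany.com:1636 check
```

The two internal listeners and the admin frontend bind only to the internal address, which is the configuration-level equivalent of marking a virtual server "internal" on a hardware load balancer; if you consolidate to a single device, these bindings are what keep the LDAP and console virtual servers off the external interface.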


It is important to set up your file system in a way that makes the enterprise deployment easier to understand, configure, and manage. Use this as a reference to help understand the directory variables used in the installation and configuration procedures. Other directory layouts are possible and supported, but the model adopted here is chosen for maximum availability: it provides the best isolation of components and symmetry in the configuration, and it facilitates backup and disaster recovery.

Oracle Fusion Middleware 11g enables you to configure multiple component instances from a single binary installation. This allows you to install the binaries in a single location on shared storage and reuse that installation for the servers on different nodes. When an ORACLE_HOME (product binary location) or a WL_HOME (WebLogic binary location) is shared by multiple servers on different nodes, keep the Oracle Inventory and the Middleware home list on those nodes updated, so that the installations and the application of patches stay consistent. To update the oraInventory on a node and attach an installation on shared storage to it, use ORACLE_HOME/oui/bin/attachHome.sh. To update the Middleware home list to add or remove a WL_HOME, edit the file beahomelist located in a directory called bea in the user's home directory, for example /home/oracle/bea/beahomelist.

Shared storage can be mounted either exclusively or shared. If it is mounted exclusively, it is mounted on only one host at a time; this is typically used for active/passive failover.


Oracle recommends also separating the domain directory used by the WebLogic Administration Server from the domain directory used by managed servers. This allows a symmetric configuration for the domain directories used by managed servers and isolates the failover of the Administration Server. The domain directory for the Administration Server must reside in shared storage to allow failover to another node with the same configuration. The managed servers' domain directories can reside in local or shared storage. It is recommended to place managed server directories onto local storage. Placing managed server directories in shared storage can have adverse performance impact. The configuration steps provided in this Enterprise Deployment Topology assume that a local domain directory for each node is used for each managed server.


The slide depicts the folder structure for Web Tier and Directory Tier using two different machines. In the classroom environment you may see that the two tiers are configured in a single machine and the MW_HOME (/u01/app/oracle/product/fmw) for all the tiers is the same. The individual product binaries (ORACLE_HOME) such as web, idm, and oud are under MW_HOME.

Similarly, in a single machine environment, the instance root is common to all the system components. The ORACLE_INSTANCEs ohs1, oud1, oid1, and ovd1 are configured within /u01/app/oracle/admin folder.


The slide shows the folder hierarchy of the Application Tier with a split domain, where the OAM and OIM components are configured in separate domains and on different machines. Notice that the AdminServer and the Managed Servers of the same domain are also separated. This makes it easy to move servers between machines, and it allows the AdminServer directories and the JMS and transaction logs (TLogs) to be located on shared storage while the Managed Servers are located on local storage.


The installation procedure consists of these steps:
- Install the database binaries and create the first (OIDDB) database
- Configure the second (OIMDB) database using DBCA
- Create the ODS schema in OIDDB
- Create the OAM, OIM, and SOA schemas in OIMDB
- Install the Web Tier
- Install the JRockit JDK
- Install WebLogic Server
- Install OID and OVD (from the Oracle Identity Management Suite)
- Install SOA
- Install OAM and OIM (from the Oracle Identity and Access Management Suite)
- Apply the necessary patches to the installed components


Although it is possible to combine the installation and configuration operations of some of the Identity Management components, it is recommended to keep installation and configuration as distinct operations, for easier management and patching and for implementing high availability. Install the database components. Install the Oracle Web Tier component. Install Oracle WebLogic Server; in 64-bit environments, install the 64-bit JDK before installing Oracle WebLogic Server. When you install Oracle WebLogic Server, you also create a Middleware home, and all the subsequent components are installed in the same Middleware home. Note that even though Oracle Entitlements Server (OES) is used for authorization management, you do not need to install and configure OES separately, as you do with the other identity and access management components, because the Fusion Applications provisioning process includes the installation and configuration of OES.


To see all certified databases, or to check whether your database is certified, refer to the "Certified Databases" section in the Certification Document at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

The database used to store the metadata repository should be highly available. For maximum availability, Oracle recommends Oracle Real Application Clusters (RAC) databases. Ideally the database should use Oracle Automatic Storage Management (ASM) for storing its data, although this is not mandatory. If you set up ASM, install it into its own Oracle home with two disk groups:
- one for the database files
- one for the Flash Recovery Area


You can set the database initialization parameters after you have created the database, but before creating OID related schema in the database.


You can set the database initialization parameters after you have created the database, but before creating the related schemas in it. If you plan to set up separate databases for the OAM and OIM schemas, each database should have the same initialization parameters, except for the open_cursors parameter, which can be 800 in each database.


If you are using a RAC database, you need to run RCU from only one instance of the RAC database. If your topology requires more than one database, the following important considerations apply: Be sure to install the correct schemas in the correct database. You might have to run the RCU more than once to create all the schemas for a given topology.


Before configuring Oracle HTTP Server on a machine, you should already have installed the Oracle Web Tier on that machine. Ensure that the port you intend to use for the OHS instance is not in use by any other component. In the practice you configure Oracle HTTP Server on port 7777, so you must ensure that port 7777 is not used by any other service on the nodes. To check whether the port is in use, run the following command before configuring Oracle HTTP Server; it prints nothing if the port is free, and you must free the port if it is in use.
netstat -an | grep -w 7777    # -w matches port 7777 only, not 17777 or 77770

Create a file containing the ports used by Oracle HTTP Server. You can use the staticports.ini file provided on the Web Tier installation media (on Disk1, under the /stage/Response/ folder) to assign specific ports to OHS and to OPMN for the OHS instance. In the practice for this lesson, you use the staticports.ini file to assign your selected port to the OHS components that you configure. Using fixed ports ensures that there are no port conflicts when you need to fail the OHS components over to another machine. Use the Configuration Assistant from WEB_ORACLE_HOME to configure the OHS instance. Note that the Web Tier Configuration Wizard is different from the Fusion Middleware Domain Configuration Wizard.

Before starting to implement your Identity Management topology, you must determine whether to create a single-domain topology or a split-domain topology. For a single-domain topology, create one WebLogic domain, often referred to as IDMDomain. For a split-domain topology, you must create two domains. Specifically:
- A domain for most components, including the directories, the HTTP server, Oracle Access Manager, Fusion Middleware Control, and the WebLogic console. This is called IDMDomain.
- A domain for the Oracle Identity Manager components, including the OIM managed servers and a separate WebLogic console and Fusion Middleware Control. This is called OIMDomain.
In the practice, you create a single-domain topology and configure all the Java components to run in IDMDomain.


Run the Domain Configuration Wizard from the Oracle Common home directory to create a domain that contains only the WebLogic Administration Server. The Administration Server runs Fusion Middleware Control and the WLS Administration Console. Later you extend this domain to configure managed servers in clusters for the other Identity Management components. You should disable host name verification while setting up the topology, because you may not yet have configured the server certificates; with host name verification enabled and certificates not configured, you receive errors when managing the different WebLogic Servers. Disable host name verification only while setting up and validating the topology, and enable it again as soon as your Identity Management topology configuration is complete, because with it disabled a WebLogic Server accepts any certificate on its internal SSL connections regardless of the host it was issued to. In your environment, Oracle WebLogic Server may be fronted by multiple OHS instances that are in turn fronted by a load balancer. The load balancer usually performs SSL termination, so WebLogic Server itself receives plain HTTP. For the internal loopback URLs to be generated with the https prefix, Oracle WebLogic Server must be informed that it receives requests through the Oracle HTTP Server WebLogic plug-in.


If you intend to separate your identity and policy information, you must create two highly available instances of directory. These instances can coexist on the same nodes or can exist on separate nodes. The data, however, must be stored in two separate databases.


If OID Monitor detects a time discrepancy of more than 250 seconds between the two nodes, the OID Monitor on the node that is behind stops all servers on its node. To correct this problem, synchronize the time on the node that is behind in time. The OID Monitor automatically detects the change in the system time and starts the Oracle Internet Directory servers on its node.


The WLS Domain Configuration Wizard (config.sh) is available in MW_HOME/oracle_common/common/bin. After you configure OAM in the WLS domain, the IAM Suite Agent by default provides single sign-on for the administration consoles. In enterprise deployments, WebGate handles single sign-on, so you must remove the IAM Suite Agent authentication provider:
- Log in to the WebLogic console by using the URL: http://admin:7001/console
- Select Security Realms from the Domain Structure menu and click myrealm.
- Click the Providers tab, and then click Lock & Edit in the Change Center.
- From the list of authentication providers, select IAMSuiteAgent and click Delete. Click Yes to confirm the deletion.
- Click Activate Changes in the Change Center.
- Restart the WebLogic Administration Server and all managed servers.


To configure OAM to work with OHS, edit the OHS configuration file and add the OAM-related configuration.
# OAM runtime and Fusion Applications requests are proxied to the OAM cluster
<Location /oam>
    SetHandler weblogic-handler
    WebLogicCluster <oamhost1>:<oam_port>,<oamhost2>:<oam_port>
</Location>

<Location /fusion_apps>
    SetHandler weblogic-handler
    WebLogicCluster <oamhost1>:<oam_port>,<oamhost2>:<oam_port>
</Location>

To enable access to the OAM Administration console, add the following lines also to the OHS configuration file. Note that OAM console also runs within WLS Admin Server.
# The OAM console is deployed on the Administration Server, not on the OAM cluster
<Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicHost ADMINVHN
    WebLogicPort 7001
</Location>

To configure OAM in SIMPLE security mode, use an external LDAP identity store, and register an external WebGate, create an OAM property file and run idmConfigTool in configOAM mode with that file as input. Validate the OAM configuration as follows:
- Access the OAM console at: http://adminhost:7001/oamconsole
- Log in as the Oracle Access Manager admin user (oamadmin with password Welcome1; this is the classroom default and must be changed in any real deployment).
- Click the System Configuration tab, and expand Access Manager Settings > SSO Agents > OAM Agents.
- Click the open folder icon, and then click Search. You should see the WebGate agent Webgate_IDM.

Update the new WebGate agent:
- Click the Webgate_IDM agent in the result of the previous search step. Select Open from the Actions menu and update the following information:
  - Deny if not Protected: deselect. With this option cleared, requests for URLs that match no policy pass through the WebGate, so every URL that needs protection must be covered by an explicit policy.
  - Set Max Connections to 4 for all the Oracle Access Manager servers listed in the primary servers list.
- Click Apply.
- Click the Policy Configuration tab and double-click IAMSuiteAgent in Host Identifiers.
- Click + in the Operations box and enter the following information:
  - Host Name: adminhost.example.com
  - Port: 7777
- Click Apply.


