
IDM Integration

Topology
This is a split-domain integration: the OAM and OAAM components run in one WebLogic domain (oam_oaam_domain on the oam02 machine) and the OIM and SOA components in another (oim_soa_domain on the oam01 machine).

Prerequisite: OAM/OIM/OAAM setup should be ready and started.

STEP 1- Configuring an OUD Server Instance: OUD2


You will use this new OUD server instance as the LDAP repository for the OAM-OIM integration use case.

STEP 2- Preconfiguring OUD for LDAP Synchronization


1. Create the oracleAccounts containers that LDAP Sync will populate. Save the following entries as OUDContainers.ldif and load them (-c continues past entries that already exist):

   cd $OUD_HOME/bin
   ./ldapmodify -h oam01.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -c -f OUDContainers.ldif

   dn: cn=oracleAccounts,dc=example,dc=com
   changetype: add
   cn: oracleAccounts
   objectClass: top
   objectClass: orclContainer

   dn: cn=Users,cn=oracleAccounts,dc=example,dc=com
   changetype: add
   cn: Users
   objectClass: top
   objectClass: orclContainer

   dn: cn=Groups,cn=oracleAccounts,dc=example,dc=com
   changetype: add
   cn: Groups
   objectClass: top
   objectClass: orclContainer

   dn: cn=Reserve,cn=oracleAccounts,dc=example,dc=com
   changetype: add
   cn: Reserve
   objectClass: top
   objectClass: orclContainer

2. Configure the OIM proxy user and the ACIs it needs to communicate with OUD. Save the following entries as oudadmin.ldif and load them:

   cd $OUD_HOME/bin
   ./ldapmodify -h oam01.example.com -p 1389 -D "cn=Directory Manager" -w Welcome1 -c -f oudadmin.ldif

   dn: cn=systemids,dc=example,dc=com
   changetype: add
   objectclass: orclContainer
   objectclass: top
   cn: systemids

   dn: cn=oimAdminUser,cn=systemids,dc=example,dc=com
   changetype: add
   objectclass: top
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   mail: oimAdminUser
   givenname: oimAdminUser
   sn: oimAdminUser
   cn: oimAdminUser
   uid: oimAdminUser
   userPassword: Welcome1

   dn: cn=oimAdminGroup,cn=systemids,dc=example,dc=com
   changetype: add
   objectclass: groupOfUniqueNames
   objectclass: top
   cn: oimAdminGroup
   description: OIM administrator role
   uniquemember: cn=oimAdminUser,cn=systemids,dc=example,dc=com

   dn: cn=oracleAccounts,dc=example,dc=com
   changetype: modify
   add: aci
   aci: (target = "ldap:///cn=oracleAccounts,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare, write, delete, import, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=example,dc=com");)

   dn: cn=oimAdminUser,cn=systemids,dc=example,dc=com
   changetype: modify
   add: ds-privilege-name
   ds-privilege-name: password-reset

   The ACI gives oimAdminGroup full write access (including delete) to everything under cn=oracleAccounts, and the password-reset privilege lets oimAdminUser set other users' passwords without knowing the current one, so the oimAdminUser credential is a privileged secret. Note also that -w puts the Directory Manager password in the process list and shell history; the -j password file used below is preferable, provided the file is readable only by the oracle OS user.

3. Configure the changelog on the OUD server.

   a. Create a replication server. First create a pwd.txt file in the $OUD_HOME/bin directory containing Welcome1 (the cn=Directory Manager password), and then run:
      cd $OUD_HOME/bin
      ./dsconfig -h oam01.example.com -p 4444 -D "cn=Directory Manager" -j pwd.txt -X -n create-replication-server --provider-name 'Multimaster Synchronization' --set replication-port:8989 --set replication-server-id:1 --type generic
      (-X trusts the admin port's certificate without verification and -n suppresses prompts; both are fine in this lab, but in production import the server certificate into a truststore instead of using -X.)

   b. Create a replication domain with the dsconfig command:
      ./dsconfig -h oam01.example.com -p 4444 -D "cn=Directory Manager" -j pwd.txt -X -n create-replication-domain --provider-name 'Multimaster Synchronization' --set base-dn:dc=example,dc=com --set replication-server:oam01.example.com:8989 --set server-id:1 --type generic --domain-name dc=example,dc=com

   c. Add the following global ACI, which grants oimAdminGroup access to the external changelog (cn=changelog) that OIM reads during LDAP Sync:
      ./dsconfig set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow (read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=oimAdminGroup,cn=systemids,dc=example,dc=com\";)" --hostname oam01.example.com --port 4444 --trustAll --bindDN "cn=Directory Manager" --bindPasswordFile pwd.txt --no-prompt

   d. Remove the default global ACI that denies everyone access to cn=changelog. An explicit deny overrides an allow, so the grant in step c has no effect until this entry is gone:
      ./dsconfig set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" --hostname oam01.example.com --port 4444 --trustAll --bindDN "cn=Directory Manager" --bindPasswordFile pwd.txt --no-prompt

   e. Configure the OUD password policy (for example, 5 failures locks the account):
      ./dsconfig -h oam01.example.com -p 4444 -D "cn=Directory Manager" -j pwd.txt -X -n set-password-policy-prop --policy-name 'Default Password Policy' --set lockout-failure-count:5
      With lockout-duration left at its default of 0 seconds, a locked account stays locked until an administrator unlocks it.
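The ordering of steps c and d matters because of how ACI evaluation works: a deny that applies to the bind identity overrides any allow. The following added example (not Oracle code) parses the three ACI strings used in this step and computes the rights a member of oimAdminGroup actually gets on cn=changelog with and without the default deny, and on a user entry under cn=oracleAccounts. It models only the ACI features these strings use (a single target, targetattr "*", groupdn subjects and the userdn="ldap:///anyone" subject), runs offline, and never contacts the directory.

```python
"""Offline check of the OUD ACIs from this step before they are applied.

Added example, not Oracle code. Parses the ACI strings used above and
computes the rights a bind identity ends up with on a DN, using the
directory-server rule that an explicit deny overrides any allow. Only the
ACI features those strings use are modelled.
"""
import re

ALL_RIGHTS = {"read", "search", "compare", "add", "write", "delete",
              "import", "export", "selfwrite", "proxy"}

# (target = "ldap:///DN")(targetattr = "*")(version 3.0; acl "name";
#   allow|deny (rights) [(]groupdn|userdn = "ldap:///subject"[)];)
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)'
    r'\(targetattr\s*=\s*"\*"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]+)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]+)\)\s*'
    r'\(?(?P<subject_type>groupdn|userdn)\s*=\s*"ldap:///(?P<subject>[^"]+)"\)?\s*;\)',
    re.IGNORECASE,
)

def normalize_dn(dn):
    """Lower-case and strip RDN spacing so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_aci(text):
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("ACI not in the supported syntax: " + text)
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    return {
        "name": m["name"],
        "target": normalize_dn(m["target"]),
        "effect": m["effect"].lower(),
        "rights": set(ALL_RIGHTS) if "all" in rights else rights,
        "subject_type": m["subject_type"].lower(),
        "subject": normalize_dn(m["subject"]),
    }

def applies_to(aci, dn, member_of):
    """True if the ACI covers entry dn for a bind identity that belongs to the groups in member_of."""
    dn = normalize_dn(dn)
    in_scope = dn == aci["target"] or dn.endswith("," + aci["target"])
    if not in_scope:
        return False
    if aci["subject_type"] == "userdn":
        return aci["subject"] == "anyone"      # only the 'anyone' form is modelled
    return aci["subject"] in {normalize_dn(g) for g in member_of}

def effective_rights(aci_texts, dn, member_of):
    allowed, denied = set(), set()
    for aci in map(parse_aci, aci_texts):
        if applies_to(aci, dn, member_of):
            (allowed if aci["effect"] == "allow" else denied).update(aci["rights"])
    return allowed - denied                    # deny wins over allow

# The three ACIs from this step, copied from the ldif and dsconfig commands above.
OIM_ADMIN_GROUP = "cn=oimAdminGroup,cn=systemids,dc=example,dc=com"
ACCOUNTS_ACI = ('(target = "ldap:///cn=oracleAccounts,dc=example,dc=com")(targetattr = "*")'
                '(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; '
                'allow (add, read, search, compare, write, delete, import, export) '
                '(groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=example,dc=com");)')
CHANGELOG_ALLOW = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
                   'acl "External changelog access"; allow (read,search,compare,add,write,delete,export) '
                   'groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=example,dc=com";)')
CHANGELOG_DEFAULT_DENY = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; '
                          'acl "External changelog access"; deny (all) userdn="ldap:///anyone";)')

def changelog_check():
    """Rights of oimAdminGroup on cn=changelog before and after step 3d removes the default deny."""
    before = effective_rights([CHANGELOG_DEFAULT_DENY, CHANGELOG_ALLOW], "cn=changelog", [OIM_ADMIN_GROUP])
    after = effective_rights([CHANGELOG_ALLOW], "cn=changelog", [OIM_ADMIN_GROUP])
    return before, after

if __name__ == "__main__":
    before, after = changelog_check()
    print("with default deny :", sorted(before))      # empty: the allow is overridden
    print("after removing it :", sorted(after))
    user = "uid=vparashar,cn=Users,cn=oracleAccounts,dc=example,dc=com"
    print("oimAdminGroup on a user entry:", sorted(effective_rights([ACCOUNTS_ACI], user, [OIM_ADMIN_GROUP])))
```

Running it shows an empty right set while the default deny is present and the full changelog right set once it is removed, which is exactly why step d cannot be skipped. The same function also confirms that the cn=oracleAccounts ACI reaches entries below the container (a user under cn=Users) but not cn=systemids, so the proxy user's own entry is not writable through that grant.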

STEP 3- Configuring OIM Server and Design Console


a. On the oam01 machine, open a Terminal window.

b. Navigate to the $IAM_HOME/bin directory and start the configuration wizard:
   cd $IAM_HOME/bin
   ./config.sh

c. In the WebLogic Admin Server dialog box, configure the parameters for connecting to the Oracle WebLogic Admin Server as an administrator:
   1) In the WebLogic Admin Server URL field, enter t3://oam01.example.com:7001. The t3 scheme is the WebLogic Server RMI protocol, used for communication between applications built on the WebLogic framework.
   2) In the UserName field, enter weblogic.
   3) In the Password field, enter Welcome1.
   4) Click Next.

d. In the OIM Server dialog box, configure the password for the Oracle Identity Manager administrator, the URL used to access the Oracle Identity Manager web-based console, and the password for the Oracle Identity Manager database keystore:
   1) In the OIM Administrator Password and Confirm Password fields, enter Welcome1.
   2) In the OIM HTTP URL field, leave the default value, http://oam01.example.com:14000.
   3) In the KeyStore Password and Confirm KeyStore Password fields, enter Welcome1.
   4) Make sure that the Enable LDAP Sync check box is selected. LDAP Synchronization (LDAP Sync) is required when Oracle Identity Manager is integrated with other Oracle Identity and Access Management products, such as Oracle Access Manager. Click Next.

e. On the LDAP Server page, enter the connection details for the OUD2 instance, and then click Next.

f. On the LDAP Server Continued page, enter the following information, and then click Next. These DNs must match the containers created in Step 2:
   LDAP RoleContainer: cn=Groups,cn=oracleAccounts,dc=example,dc=com
   LDAP RoleContainer Description: This is the container where groups and roles are stored
   LDAP UserContainer: cn=Users,cn=oracleAccounts,dc=example,dc=com
   LDAP UserContainer Description: This is the container where users are stored
   User Reservation Container: cn=Reserve,cn=oracleAccounts,dc=example,dc=com

g. On the OIM Server Host and Port screen, enter oam01.example.com in the OIM Server Hostname field and 14000 in the OIM Server Port field, and then click Next.

h. In the Configuration Summary dialog box, click Configure. Note: This step may take a few minutes to complete.

i. In the Configuration Progress dialog box, monitor the progress of the configuration. After the configuration process is complete, click Next.

Note: Restart all the servers in oim_soa_domain (AdminServer, SOA server, and OIM server) before continuing.

STEP 4- Running the LDAP Post-Configuration Utility


1. On the oam01 machine, in a terminal window, set up the following environment variables and confirm each one with echo $<VARIABLE_NAME>:
   export APP_SERVER=weblogic
   echo $JAVA_HOME        (must point to the JRockit JDK, /u01/app/oracle/product/jrockit-jdk)
   echo $MW_HOME          (must point to /u01/app/oracle/product/fmw)
   export OIM_ORACLE_HOME=$IAM_HOME
   export WL_HOME=$WLS_HOME
   export DOMAIN_HOME=$DOMAIN_BASE/oim_soa_domain

2. Edit the ldapconfig.props file under $IAM_HOME/server/ldap_config_util, set the following values, and then save the file:
   OIMProviderURL=t3://oam01.example.com:14000
   LIBOVD_PATH_PARAM=/u01/app/oracle/admin/domains/oim_soa_domain/config/fmwconfig/ovd/oim

3. In the terminal window where you set the environment variables, run the post-configuration utility. When prompted, enter Welcome1, the password of xelsysadm (the OIM admin user):
   cd $IAM_HOME/server/ldap_config_util
   ./LDAPConfigPostSetup.sh $IAM_HOME/server/ldap_config_util

4. Log in to the OIM Self Service console (http://oam01.example.com:14000/identity) as xelsysadm/Welcome1. In the Password Management window, register the challenge questions, and then click Submit.

5. Click Users under the Administration section. Click the Create icon in the right pane, create a new user (the screenshot for this step showed the user Vishal Parashar) with the password Welcome1, and then click Submit.

6. Log in to ODSM (either http://oam01.example.com:7001/odsm or http://oam02.example.com:7001/odsm can connect to the oud2 OUD server instance) and verify that the new user, Vishal Parashar, now exists under the cn=Users,cn=oracleAccounts,dc=example,dc=com container. This confirms that OIM can write to OUD through the proxy user and ACIs configured in Step 2.

STEP 5- Setting the oamEnabled Parameter for the Identity Virtualization Library (libOVD)
1. Log in to FMW Control (http://oam01.example.com:7001/em) as weblogic/Welcome1.

2. Navigate to WebLogic Domain > oim_soa_domain > oim_server1. Right-click the node and select System MBean Browser. In the System MBean Browser, expand the nodes until you reach the changelog adapter node.

3. Click the changelog node and, in the right pane, select the Operations tab. Click the removeParam link (the one with the Return Type of Boolean).

4. Enter oamEnabled in the text box and click Invoke.

5. Click Return. On the Operations tab, click the addParam link. Using the Edit (pencil) icon, enter oamEnabled for Param Name and true for Param Value. Click Invoke.

6. Navigate to the UserManagement adapter node.

7. Click the UserManagement node and click the Operations tab in the right pane. Click the removeParam link.

8. Enter oamEnabled in the Value text field and click Invoke.

9. Click Return. Click the addParam link on the Operations tab. Using the Edit (pencil) icon, enter oamEnabled for Param Name and true for Param Value. Click Invoke.

10. Restart the WLS Admin, SOA, and OIM servers.

STEP 6- PostOIM Design Console Configuration Tasks


1. On the oam01 machine, navigate to the $WLS_HOME/server/lib directory:
   cd $WLS_HOME/server/lib

2. Run the following command to build the wlfullclient.jar file:
   $JAVA_HOME/bin/java -jar wljarbuilder.jar

3. Copy the wlfullclient.jar file to the $IAM_HOME/designconsole/ext directory:
   cp wlfullclient.jar $IAM_HOME/designconsole/ext

4. Start the Design Console client by running xlclient.sh from the $IAM_HOME/designconsole directory:
   cd $IAM_HOME/designconsole
   ./xlclient.sh

5. Log in as xelsysadm/Welcome1 to confirm that the client connects, and then exit.

STEP 7- Preconfiguring the Identity Store

In this step, you configure OUD before starting the integration tasks.

1. Set ORACLE_HOME to IAM_HOME:
   export ORACLE_HOME=$IAM_HOME

2. The idmConfigTool uses a properties file for input. Two files are used in this environment: OUDConfigPropertyFile.txt for the -preConfigIDStore run in this step, and ConfigPropertyFile.txt, a superset of it, for the -prepareIDStore runs in Steps 8 to 10. In both files, IDSTORE_KEYSTORE_PASSWORD is the PIN of the OUD2 admin keystore; the value shown is a placeholder that you replace in the next step.

   Sample OUDConfigPropertyFile.txt:
   IDSTORE_HOST: oam01.example.com
   IDSTORE_PORT: 1389
   IDSTORE_ADMIN_PORT: 4444
   IDSTORE_KEYSTORE_FILE: /u01/app/oracle/admin/oud_instances/oud2/OUD/config/admin-keystore
   IDSTORE_KEYSTORE_PASSWORD: HMFUtW7X1GWPWJR4FFwK5FPDcC6RL0Z31U42kP2F663PfXC9OK
   IDSTORE_BINDDN: cn=Directory Manager
   IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
   IDSTORE_SEARCHBASE: cn=oracleAccounts,dc=example,dc=com
   IDSTORE_USERNAMEATTRIBUTE: cn
   IDSTORE_LOGINATTRIBUTE: uid
   IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
   IDSTORE_NEW_SETUP: true
   POLICYSTORE_SHARES_IDSTORE: true
   IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com

   Sample ConfigPropertyFile.txt:
   #COMMON
   IDSTORE_HOST: oam01.example.com
   IDSTORE_PORT: 1389
   IDSTORE_ADMIN_PORT: 4444
   IDSTORE_KEYSTORE_FILE: /u01/app/oracle/admin/oud_instances/oud2/OUD/config/admin-keystore
   IDSTORE_KEYSTORE_PASSWORD: HMFUtW7X1GWPWJR4FFwK5FPDcC6RL0Z31U42kP2F663PfXC9OK
   IDSTORE_BINDDN: cn=Directory Manager
   IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
   IDSTORE_SEARCHBASE: cn=oracleAccounts,dc=example,dc=com
   IDSTORE_USERNAMEATTRIBUTE: cn
   IDSTORE_LOGINATTRIBUTE: uid
   IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
   IDSTORE_NEW_SETUP: true
   POLICYSTORE_SHARES_IDSTORE: true
   #OIM and OAM and COMMON
   IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
   # OAM
   OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
   IDSTORE_OAMSOFTWAREUSER: oamLDAP
   IDSTORE_OAMADMINUSER: oamadmin
   #OIM these user/group were created during ldap sync
   IDSTORE_OIMADMINUSER: oimAdminUser
   IDSTORE_OIMADMINGROUP: oimAdminGroup
   #WebLogic
   IDSTORE_WLSADMINUSER: weblogic
   IDSTORE_WLSADMINGROUP: Administrators
   #OAAM
   IDSTORE_OAAMADMINUSER: oaamadmin

3. Copy the value in the admin-keystore.pin file into the IDSTORE_KEYSTORE_PASSWORD property of both files:
   a. Display the PIN:
      cd $OUD_BASE/oud2/OUD/config/
      more admin-keystore.pin
   b. Copy this value.
   c. Edit OUDConfigPropertyFile.txt and update the value of the IDSTORE_KEYSTORE_PASSWORD property.
   d. Edit ConfigPropertyFile.txt and update the value of the IDSTORE_KEYSTORE_PASSWORD property. (This file is used from Step 8 onward.)
   e. Save the files. Both now contain the admin keystore PIN, so restrict them to the oracle OS user (mode 0600) and do not leave copies in shared directories.

4. Run idmConfigTool.sh -preConfigIDStore with OUDConfigPropertyFile.txt as the input file. Be sure to execute this in the same terminal window where ORACLE_HOME was set:
   cd $IAM_HOME/idmtools/bin
   ./idmConfigTool.sh -preConfigIDStore input_file=OUDConfigPropertyFile.txt
   When prompted, enter the ID store Bind DN password, Welcome1 (the cn=Directory Manager password).

5. Rebuild the indexes for the Access Manager (ob*) and impersonation attributes. Create a pwd.txt file in $OUD_BASE/oud2/OUD/bin containing Welcome1 (the cn=Directory Manager password), save it, and then run the command below:
   cd $OUD_BASE/oud2/OUD/bin
   vi pwd.txt
   ./rebuild-index -h oam01.example.com -p 4444 -D "cn=Directory Manager" -j pwd.txt -X --baseDN dc=example,dc=com --index obid --index oblocationdn --index oblocationname --index oblocationtitle --index obrectangle --index obdirectreports --index obindirectmanager --index obuseraccountcontrol --index obobjectclass --index obparentlocationdn --index obgroupcreator --index obgroupsubscriptiontype --index obgroupdynamicfilter --index obgroupexpandeddynamic --index obgroupadministrator --index obgroupsubscriptionfilter --index obgrouppuredynamic --index obgroupsubscribemessage --index obgroupunsubscribemessage --index obgroupsubscribenotification --index orclImpersonationGranter --index orclImpersonationGrantee

STEP 8 - Preparing the ID Store for WLS

1. Make sure that you are on the oam01 machine. Set ORACLE_HOME to IAM_HOME and change to the tools directory:
   export ORACLE_HOME=$IAM_HOME
   cd $IAM_HOME/idmtools/bin

2. This is the second time idmConfigTool is run in this environment, and it appends to the existing automation.log in $IAM_HOME/idmtools/bin. Append the following marker to automation.log so you can see where the logging for the next step starts:
   #########################################################
   Begin idmConfigTool.sh -prepareIDStore mode=WLS input_file=ConfigPropertyFile.txt
   #########################################################

3. Run idmConfigTool with the -prepareIDStore option in WLS mode:
   ./idmConfigTool.sh -prepareIDStore mode=WLS input_file=ConfigPropertyFile.txt
   When prompted, enter the cn=Directory Manager password, Welcome1, followed by the weblogic user's password, Welcome1.

STEP 9 - Preparing the ID Store for OAM

1. The idmConfigTool appends entries to the existing automation.log. Append the following marker to automation.log so you can see where the logging for the next step starts:
   #########################################################
   Begin idmConfigTool.sh -prepareIDStore mode=OAM input_file=ConfigPropertyFile.txt
   #########################################################

2. Make sure that you are on the oam01 machine. Set ORACLE_HOME to IAM_HOME:
   export ORACLE_HOME=$IAM_HOME

3. Run the following command from the $IAM_HOME/idmtools/bin directory:
   cd $IAM_HOME/idmtools/bin
   ./idmConfigTool.sh -prepareIDStore mode=OAM input_file=ConfigPropertyFile.txt
   You are prompted for the cn=Directory Manager password (Welcome1) and then prompted to set the LDAP password for three users that the tool creates in the ID store: oblixanonymous, oamadmin, and oamLDAP. Set all three passwords to Welcome1. (oamLDAP becomes the bind identity OAM uses for every directory lookup, so outside a lab each of these accounts should get its own strong password.)

STEP 10 - Preparing the ID Store for OIM

1. The idmConfigTool appends entries to the existing automation.log. Append the following marker to automation.log so you can see where the logging for the next step starts:
   #########################################################
   Begin idmConfigTool.sh -prepareIDStore mode=OIM input_file=ConfigPropertyFile.txt
   #########################################################

2. Make sure that you are on the oam01 machine. Set ORACLE_HOME to IAM_HOME:
   export ORACLE_HOME=$IAM_HOME

3. Run the following command from the $IAM_HOME/idmtools/bin directory:
   cd $IAM_HOME/idmtools/bin
   ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=ConfigPropertyFile.txt
   You are prompted for the cn=Directory Manager password (Welcome1) and then prompted to set the password for the xelsysadm user that the tool creates in the ID store. Set the password to Welcome1.

STEP 11- Running idmConfigTool with the configOAM Option

Before running configOAM, repoint the OAMApplication application domain at the IAMSuiteAgent host identifier:

a. On the oam02 machine, log in to the OAM Console (http://oam02.example.com:7001/oamconsole). Navigate to Policy Configuration > Application Domain. Search for and open the OAMApplication application domain. Click the Resources tab, and then click Search.

b. Edit each of the resources and change Host Identifier from mywebgatehost to IAMSuiteAgent. Click Apply.

c. Search Host Identifiers (Policy Configuration > Shared Components) and delete mywebgatehost. You will be using the new WebGate, WebG_IDM_11g, registered with the OAM 11g Server; this WebGate has IAMSuiteAgent as its host identifier.

1. Make sure that oam_oaam_domain on the oam02 machine is up (that is, the Admin Server, oam_server1, oaam_server_server1, and oaam_admin_server1 servers are running), because the configOAM step is executed against oam_oaam_domain.

2. On the oam02 machine, in a terminal window, set the ORACLE_HOME environment variable:
   export ORACLE_HOME=$IAM_HOME

3. On the oam02 machine, create configOAMPropertyFile.txt in vi with the following contents:
   # WLS connection info
   WLSHOST: oam02.example.com
   WLSPORT: 7001
   WLSADMIN: weblogic
   # ID Store Configuration Parameters
   OAM11G_IDSTORE_NAME: OUD_Store
   IDSTORE_HOST: oam01.example.com
   IDSTORE_PORT: 1389
   IDSTORE_BINDDN: cn=Directory Manager
   IDSTORE_USERNAMEATTRIBUTE: cn
   IDSTORE_LOGINATTRIBUTE: uid
   IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
   IDSTORE_SEARCHBASE: dc=example,dc=com
   IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
   IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
   IDSTORE_OAMSOFTWAREUSER: oamLDAP
   IDSTORE_OAMADMINUSER: oamadmin
   IDSTORE_DIRECTORYTYPE: OUD
   OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
   POLICYSTORE_SHARES_IDSTORE: true
   SPLIT_DOMAIN: true
   ########## OIM identity Integration Parameters
   OAM11G_OIM_OHS_URL: http://oam01.example.com:7777/
   OAM11G_OIM_INTEGRATION_REQ: true
   ###### WebGate Definition Information
   ACCESS_GATE_ID: WebG_IDM
   WEBGATE_TYPE: ohsWebgate10g
   PRIMARY_OAM_SERVERS: oam02.example.com:5575
   OAM11G_WG_DENY_ON_NOT_PROTECTED: false
   OAM_TRANSFER_MODE: open
   OAM11G_OAM_SERVER_TRANSFER_MODE: open
   OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgi-bin/logout.pl
   OAM11G_OIM_WEBGATE_PASSWD: Welcome1
   COOKIE_DOMAIN: .example.com
   # session configuration
   COOKIE_EXPIRY_INTERVAL: 120
   # hostidentifier
   OAM11G_IDM_DOMAIN_OHS_HOST: oam01.example.com
   OAM11G_IDM_DOMAIN_OHS_PORT: 7777
   OAM11G_IDM_DOMAIN_OHS_PROTOCOL: http
   # Access Manager Login
   OAM11G_SERVER_LBR_HOST: oam01.example.com
   OAM11G_SERVER_LBR_PORT: 7777
   OAM11G_SERVER_LBR_PROTOCOL: http

   Note on the WebGate settings: with OAM_TRANSFER_MODE and OAM11G_OAM_SERVER_TRANSFER_MODE set to open, traffic between the WebGate and the OAM server is neither encrypted nor mutually authenticated, and OAM11G_WG_DENY_ON_NOT_PROTECTED: false lets the WebGate pass requests for resources that no policy covers. Both are acceptable in this lab; a production deployment would use simple or cert mode and deny access to unprotected resources. The file also holds the WebGate password in clear text, so keep it readable only by the oracle user.

4. Run the configOAM command from the $IAM_HOME/idmtools/bin directory. Note: Be sure to run this command in the same terminal window where ORACLE_HOME was set.
   cd $IAM_HOME/idmtools/bin
   ./idmConfigTool.sh -configOAM input_file=configOAMPropertyFile.txt

5. Navigate to $DOMAIN_BASE/oam_oaam_domain/output. Notice the two new WebGate directories (WebG_IDM_11g and WebG_IDM) that were created when the configOAM command registered the new 11g and 10g WebGates. Transfer the ObAccessClient.xml and cwallet.sso files from the WebGate 11g directory (WebG_IDM_11g) to the OHS instance directory on the oam01 machine ($OHS_BASE/oam_oaam_ohs/config/OHS/ohs1/webgate/config):
   cd $DOMAIN_BASE/oam_oaam_domain/output/WebG_IDM_11g
   sftp oam01.example.com
   (When prompted about the host key, enter yes. When prompted for the oracle user's password, enter oracle.)
   cd /u01/app/oracle/admin/ohs_instances/oam_oaam_ohs/config/OHS/ohs1/webgate/config
   put *
   exit

   ObAccessClient.xml and cwallet.sso hold the WebGate's registration details and agent credential; anyone who can read them can present themselves to the OAM server as this WebGate, so keep them readable only by the OHS owner.

6. Move to the oam01 machine. You also need to modify the OHS instance's mod_wl_ohs.conf, found in the $OHS_BASE/oam_oaam_ohs/config/OHS/ohs1 directory, to add <Location> containers for all the URIs belonging to the OIM and OAM products. For convenience, save the sample below to a file and use it to replace the original mod_wl_ohs.conf.

SAMPLE FILE mod_wl_ohs.conf

# NOTE : This is a template to configure mod_weblogic.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
# This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
<IfModule weblogic_module>
#      WebLogicHost <WEBLOGIC_HOST>
#      WebLogicPort <WEBLOGIC_PORT>
#      Debug ON
#      WLLogFile /tmp/weblogic.log
#      MatchExpression *.jsp
</IfModule>
# <Location /weblogic>
#      SetHandler weblogic-handler
#      PathTrim /weblogic
#      ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
# </Location>

<Location /console/oam_domain>
    SetHandler weblogic-handler
    WebLogicHost oam02.example.com
    WebLogicPort 7001
    PathTrim /oam_domain
    WLCookieName jsessionid
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/admin_component.log"
</Location>

<Location /console/oim_domain>
    SetHandler weblogic-handler
    WebLogicHost oam01.example.com
    WebLogicPort 7001
    PathTrim /oim_domain
    WLCookieName jsessionid
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/admin_component.log"
</Location>

<Location /soa-infra>
    SetHandler weblogic-handler
    WLCookieName soajsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 8001
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
</Location>

<Location /soa/composer>
    SetHandler weblogic-handler
    WLCookieName soajsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 8001
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
</Location>

<Location /integration/worklistapp>
    SetHandler weblogic-handler
    WLCookieName soajsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 8001
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
</Location>

<Location /identity>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

<Location /sysadmin>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

<Location /admin>
    SetHandler weblogic-handler
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLCookieName oimjsessionid
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# oim self and advanced admin webapp consoles(canonic webapp)
<Location /oim>
    SetHandler weblogic-handler
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLCookieName oimjsessionid
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
<Location /sodcheck>
    SetHandler weblogic-handler
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLCookieName oimjsessionid
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
<Location /workflowservice>
    SetHandler weblogic-handler
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLCookieName oimjsessionid
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# xlWebApp - Legacy 9.x webapp (struts based)
<Location /xlWebApp>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# Nexaweb WebApp - used for workflow designer and DM
<Location /Nexaweb>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# used for FA Callback service.
<Location /callbackResponseService>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

# spml xsd profile
<Location /spml-xsd>
    SetHandler weblogic-handler
    WLCookieName oimjsession
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

<Location /HTTPClnt>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>

<IfModule weblogic_module>
<Location /oam>
    SetHandler weblogic-handler
    WLCookieName jsessionid
    WebLogicHost oam02.example.com
    WebLogicPort 14100
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oam_component.log"
</Location>
</IfModule>

<IfModule weblogic_module>
<Location /oamconsole>
    SetHandler weblogic-handler
    WLCookieName jsessionid
    WebLogicHost oam02.example.com
    WebLogicPort 7001
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/admin_component.log"
</Location>

<Location /oaam_admin>
    SetHandler weblogic-handler
    WLCookieName jsessionid
    WebLogicHost oam02.example.com
    WebLogicPort 14200
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oaamadmin_component.log"
</Location>
</IfModule>
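With this many <Location> containers, a single wrong WebLogicPort is easy to miss and fails quietly: the OIM console may still load while the SOA callbacks or the OAM console login go to the wrong domain. The following added example (not Oracle code) parses the <Location> blocks of a mod_wl_ohs.conf, compares each URI's WebLogicHost:WebLogicPort with the split-domain layout of the sample file above, and reports URIs that are missing, malformed, or proxied to the wrong backend. SAMPLE_CONF is a constructed fragment with one deliberate mistake (/sysadmin pointing at the SOA port) so the check has something to find; point parse_locations at the real file to check the one you are about to copy into place.

```python
"""Sanity-check the <Location> routing in a mod_wl_ohs.conf before copying it into place.

Added example, not Oracle code. EXPECTED is the backend layout of the sample
file on this page; SAMPLE_CONF is a constructed fragment with one deliberate
error so that the check reports something.
"""
import re

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.DOTALL | re.IGNORECASE)

# Backend host:port -> the URIs it must serve, taken from the sample mod_wl_ohs.conf above.
EXPECTED = {
    "oam01.example.com:14000": {"/identity", "/sysadmin", "/admin", "/oim", "/sodcheck", "/workflowservice",
                                "/xlWebApp", "/Nexaweb", "/callbackResponseService", "/spml-xsd", "/HTTPClnt"},
    "oam01.example.com:8001": {"/soa-infra", "/soa/composer", "/integration/worklistapp"},
    "oam01.example.com:7001": {"/console/oim_domain"},
    "oam02.example.com:7001": {"/console/oam_domain", "/oamconsole"},
    "oam02.example.com:14100": {"/oam"},
    "oam02.example.com:14200": {"/oaam_admin"},
}

def parse_locations(text):
    """Map each Location path to its directives (last value wins if a directive repeats)."""
    routes = {}
    for path, body in LOCATION_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip().strip('"')
        routes[path] = directives
    return routes

def check_routes(routes, expected=EXPECTED):
    """Return the URIs that are missing, proxied to the wrong backend, or lacking the handler/cookie directives."""
    want = {path: backend for backend, paths in expected.items() for path in paths}
    result = {"missing": set(), "wrong": {}, "malformed": set()}
    for path, backend in want.items():
        d = routes.get(path)
        if d is None:
            result["missing"].add(path)
            continue
        if d.get("SetHandler") != "weblogic-handler" or "WLCookieName" not in d:
            result["malformed"].add(path)
        got = f"{d.get('WebLogicHost')}:{d.get('WebLogicPort')}"
        if got != backend:
            result["wrong"][path] = (got, backend)
    return result

SAMPLE_CONF = """
<Location /identity>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /sysadmin>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 8001
</Location>
<Location /soa-infra>
    SetHandler weblogic-handler
    WLCookieName soajsessionid
    WebLogicHost oam01.example.com
    WebLogicPort 8001
</Location>
<IfModule weblogic_module>
<Location /oam>
    SetHandler weblogic-handler
    WLCookieName jsessionid
    WebLogicHost oam02.example.com
    WebLogicPort 14100
</Location>
</IfModule>
"""

def check_sample():
    return check_routes(parse_locations(SAMPLE_CONF))

if __name__ == "__main__":
    r = check_sample()
    for path, (got, want) in sorted(r["wrong"].items()):
        print(f"WRONG     {path}: routed to {got}, expected {want}")
    for path in sorted(r["missing"]):
        print(f"MISSING   {path}")
    for path in sorted(r["malformed"]):
        print(f"MALFORMED {path}: needs SetHandler weblogic-handler and WLCookieName")
```

The check deliberately treats a missing WLCookieName as malformed: mod_wl_ohs uses that cookie name to keep a browser session pinned to the right WebLogic server, and the sample file gives each domain its own name (oimjsessionid, soajsessionid, jsessionid) so the three sets of sessions do not collide behind the one OHS.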

   cd $OHS_BASE/oam_oaam_ohs/config/OHS/ohs1
   mv mod_wl_ohs.conf mod_wl_ohs.conf.backup
   cp <directory-where-you-saved-the-sample>/mod_wl_ohs.conf .

7. Open and review the file. Notice the new <Location> containers added to the original file:
   more mod_wl_ohs.conf

8. Stop the OHS instance (if it is already running):
   cd $OHS_BASE/oam_oaam_ohs/bin
   ./opmnctl stopall

9. Restart oam_server1 and the AdminServer of oam_oaam_domain on the oam02 machine (shut down oam_server1 followed by the AdminServer; start the AdminServer followed by oam_server1). Then start the OHS instance oam_oaam_ohs on the oam01 machine:
   cd $OHS_BASE/oam_oaam_ohs/bin
   ./opmnctl startall

10. Validate the results of the configOAM command and perform some post-configuration tasks:
   a. Log in to the OAM console at http://oam02.example.com:7001/oamconsole. Notice the redirect to the OAM server login page on port 7777 through the OHS proxy server. Expected results: You should see Forgot Password, Register New Account, and Track User Registration links on the OAM login page.
   b. Attempt to log in with the WLS user's credentials, weblogic/Welcome1. Expected results: "Access Denied: Access to administration console is restricted", because configOAM reconfigured OAM to use OUD_Store instead of the WLS embedded LDAP, and the weblogic user is not a member of the OAMAdministrators LDAP group in the OUD directory. Clear cookies or close your browser.
   c. Attempt to log in to http://oam02.example.com:7001/oamconsole as the oamadmin/Welcome1 user.

   Expected results: You should be able to log in to the OAM console. This validates that the OUD ID Store is now configured as the system ID Store, because the oamadmin user exists only in the OUD LDAP directory and the system ID store is what authenticates the OAM console.

   d. Navigate to System Configuration tab > Common Configuration > Data Sources. Double-click OUD_Store (created by the configOAM command). Note the following:
      - The store type is OUD, with OUD_Store as the Store Name.
      - Location and Credentials section: the location points to the OUD directory on oam01.example.com, LDAP port 1389. The bind DN and password correspond to the oamLDAP user (IDSTORE_OAMSOFTWAREUSER) that was created in the OAM prepareIDStore exercise (Step 9).
      - OUD_Store is configured as both the Default and the System Store.
      - Access System Administrators section: members of the OAMAdministrators group in OUD can access the OAM console.
      - Users and Groups section: the User Search Base and the Group Search Base reflect their respective DNs in the OUD directory.

   Important note on User Name Attribute: OAM uses this attribute to search for users in the LDAP directory by building a filter of the form (cn=<LoginID>)(objectclass=person). The configOAM command populates it from the IDSTORE_USERNAMEATTRIBUTE property. It also combines IDSTORE_USERNAMEATTRIBUTE (cn), IDSTORE_OAMSOFTWAREUSER (oamLDAP), and IDSTORE_SYSTEMIDBASE (cn=systemids,dc=example,dc=com) into the bind DN cn=oamLDAP,cn=systemids,dc=example,dc=com that it uses to bind and validate the Identity Store properties. Because two different attributes were specified for IDSTORE_USERNAMEATTRIBUTE (cn) and IDSTORE_LOGINATTRIBUTE (uid), the User Name Attribute must be changed manually, or users who sign in with their uid will not be found.

   e. Change User Name Attribute to uid.
   f. Click Apply. Notice that the configOAM command also updated the LDAP AuthN module definition to point to OUD_Store instead of the WLS Embedded LDAP.
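The note above describes two strings OAM derives from the idmConfigTool properties: the user search filter and the software-user bind DN. The following added example (not OAM code) builds both from the configOAMPropertyFile.txt values, applies RFC 4515 filter escaping and RFC 4514 DN escaping so that whatever a user types at the login page stays a literal value, and shows against a constructed set of cn=Users entries why the cn setting fails for a uid login while the corrected setting succeeds. The exact OAM filter template is assumed to be an AND of the two clauses the text shows; the function names are ours.

```python
"""How OAM's User Name Attribute turns a login ID into an LDAP lookup.

Added example, not OAM code. Derives the user search filter and the
software-user bind DN from the idmConfigTool properties as the page
describes, with RFC 4515 / RFC 4514 escaping applied. OAM's filter template
is assumed to AND the two clauses shown in the text; SAMPLE_USERS is
constructed data.
"""

# RFC 4515: the characters with meaning inside a filter are written as \XX hex escapes.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(props, login_id):
    """(&(<User Name Attribute>=<LoginID>)(objectclass=person)), with the login ID escaped."""
    attr = props["IDSTORE_USERNAMEATTRIBUTE"]
    return f"(&({attr}={escape_filter_value(login_id)})(objectclass=person))"

DN_SPECIAL = set(',+"\\<>;')

def escape_dn_value(value):
    """RFC 4514: escape separators, quotes, a leading '#' and leading/trailing spaces."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        special = ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def software_user_bind_dn(props):
    """USERNAMEATTRIBUTE=OAMSOFTWAREUSER,SYSTEMIDBASE, e.g. cn=oamLDAP,cn=systemids,dc=example,dc=com."""
    attr = props["IDSTORE_USERNAMEATTRIBUTE"]
    return f"{attr}={escape_dn_value(props['IDSTORE_OAMSOFTWAREUSER'])},{props['IDSTORE_SYSTEMIDBASE']}"

# Constructed sample of entries under cn=Users,cn=oracleAccounts (not real accounts).
SAMPLE_USERS = [
    {"cn": "Vishal Parashar", "uid": "vparashar", "objectclass": "person"},
    {"cn": "oamadmin", "uid": "oamadmin", "objectclass": "person"},
]

def resolve_login(entries, props, login_id):
    """Entries the escaped, single-valued filter would match: one equality test on one attribute."""
    attr = props["IDSTORE_USERNAMEATTRIBUTE"]
    return [e for e in entries
            if e.get("objectclass") == "person" and e.get(attr, "").lower() == login_id.lower()]

CONFIG_OAM_PROPS = {            # values from configOAMPropertyFile.txt
    "IDSTORE_USERNAMEATTRIBUTE": "cn",
    "IDSTORE_LOGINATTRIBUTE": "uid",
    "IDSTORE_OAMSOFTWAREUSER": "oamLDAP",
    "IDSTORE_SYSTEMIDBASE": "cn=systemids,dc=example,dc=com",
}

if __name__ == "__main__":
    print("bind DN :", software_user_bind_dn(CONFIG_OAM_PROPS))
    print(user_search_filter(CONFIG_OAM_PROPS, "vparashar"), "->",
          resolve_login(SAMPLE_USERS, CONFIG_OAM_PROPS, "vparashar"))          # [] : cn != uid
    fixed = dict(CONFIG_OAM_PROPS, IDSTORE_USERNAMEATTRIBUTE="uid")           # step e above
    print(user_search_filter(fixed, "vparashar"), "->", resolve_login(SAMPLE_USERS, fixed, "vparashar"))
    print(user_search_filter(fixed, "*)(uid=*"))   # metacharacters escaped: still a single clause
```

The last line is the reason escaping matters: without it, a login ID such as `*)(uid=*` would turn the single-valued lookup into a wildcard search, and OAM's login flow depends on exactly one entry coming back.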

Notice that OIMScheme (which protects the OIM resources) and OAMAdminConsoleScheme (which protects the OAM console) both use the LDAP module, which in turn uses the underlying OUD_Store definition.

Go to Policy Configuration tab > Shared Components > Host Identifiers. Search for and open the IAMSuiteAgent host identifier. Make sure it contains an entry for host oam01.example.com, port 7777; if it does not, create the entry. Click Apply.

When OIM is integrated with OAM, the OIM application manages Identity Management (password reset, forgot password, self-service registration, and so on.). Edit the TAPResponseOnlyScheme under Policy Configuration > Authentication Schemes and set Challenge Parameters: MatchLDAPAttribute=uid. Then click Apply.

Now you will validate a few property settings in the oam-config.xml file. They show that OIM has been integrated with OAM to provide identity and password management along with the self-service registration flow. OAM configuration is stored in the $DOMAIN_BASE/oam_oaam_domain/config/fmwconfig/oam-config.xml file on the oam02 machine. Open this file and check the following:

1) IdentityManagementService configuration: search the file for IdentityManagement and review that section.

2) RegistrationServiceConfiguration: search the file for "RegistrationServiceConfiguration".

3) OIM-SERVER-1 server definition: search the file for the ServerConfiguration keyword.

WLS Console Validation:

1) Log in to the WLS console (http://oam02.example.com:7001/console) with username/password weblogic/Welcome1.

2) Examine the Security Realm provider list: from Domain Structure, click Security Realms. Click myrealm. Click the Providers tab and note the order of the authentication providers.

3) Click OUDAuthenticator and then click the Provider Specific tab. Examine the properties of this authentication provider, notably host, port, principal, and the user and group base DNs.

4) Click Lock & Edit and modify the following property values so that the provider resolves membership in OUD's groupOfUniqueNames groups (the object class used for oimAdminGroup in Step 2). When done, click Save.
   Static Group Object Class: groupOfUniqueNames
   Static Member DN Attribute: uniqueMember
   Static Group DNs from Member DN Filter: (&(uniqueMember=%M)(objectclass=groupOfUniqueNames))

Delete the IAMSuiteAgent provider: When OAM is installed, the IAMSuiteAgent provider handles authentication at the WLS domain level for the IAM Suite application's protected resources. The IAMSuiteAgent uses the OAM ASDK and, from the OAM perspective, is just another OAM agent, like a WebGate. Because this environment now uses an OHS 11g WebGate, the IAMSuiteAgent provider is no longer necessary. Click the Providers tab, select the check box next to IAMSuiteAgent, and click Delete to remove this provider from the security realm. Click Activate Changes.

Restart all the servers and OHS in this order: stop oam_oaam_ohs > stop oam_server1 > stop oaam_server_server1 > stop oaam_admin_server1 > stop AdminServer > start AdminServer > start oam_server1 > start oaam_server_server1 > start oaam_admin_server1 > start oam_oaam_ohs.

STEP - Running idmConfigTool with the configOIM Option
Important note: perform all tasks in this practice on the oam01 machine in the oim_soa_domain unless you are explicitly asked to perform a task on the oam02 machine.
1. vi configOIMPropertyFile.txt and enter the following. No passwords go into this file; idmConfigTool prompts for them.
## Access Gate Information
ACCESS_GATE_ID: WebG_IDM
ACCESS_SERVER_HOST: oam02.example.com
ACCESS_SERVER_PORT: 5575
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: OPEN
WEBGATE_TYPE: ohsWebgate10g
### OAM WLS ADMIN Server information
OAM11G_WLS_ADMIN_HOST: oam02.example.com
OAM11G_WLS_ADMIN_PORT: 7001
OAM11G_WLS_ADMIN_USER: weblogic
OAM_SERVER_VERSION: 11g
### OIM WLS domain information
WLSHOST: oam01.example.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: oim_soa_domain
OIM_MANAGED_SERVER_NAME: oim_server1
DOMAIN_LOCATION: /u01/app/oracle/admin/domains/oim_soa_domain
SSO_ENABLED_FLAG: true
# ID Store Information
IDSTORE_HOST: oam01.example.com
IDSTORE_PORT: 1389
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=systemids,dc=example,dc=com
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
# OIM Database Information
MDS_DB_URL: jdbc:oracle:thin:@oam01.example.com:1521:oamdb
MDS_DB_SCHEMA_USERNAME: INTEROP2_MDS
#### OPSS parameters
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
Caveat: OAM_TRANSFER_MODE: OPEN means the WebGate and the OAM server exchange their OAP traffic on port 5575 unencrypted. That is acceptable in this lab but should be SIMPLE or CERT anywhere else. IDSTORE_ADMIN_USER is a dedicated proxy user under cn=systemids rather than cn=Directory Manager, so the OIM domain binds to OUD with only the rights its ACIs grant.

Set the environment in the terminal window where you will run idmConfigTool on the oam01 machine:
cd $IAM_HOME/idmtools/bin
export ORACLE_HOME=$IAM_HOME
Run idmConfigTool with the -configOIM option, passing the property file you just created. The tool prompts for the passwords that are deliberately absent from the file. Check the log it writes (automation.log in the directory you ran it from) for errors before continuing.
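Before handing the file to idmConfigTool it is worth a mechanical pre-flight check, because the tool fails part-way through on a missing key and leaves the domain half-configured. The script below is an added example, not part of the original guide or of idmConfigTool. It assumes the "KEY: value" layout shown above, that passwords are never written into the file (the tool prompts for them), and that the file is passed as input_file=... to idmConfigTool.sh -configOIM. The built-in sample is the guide's property file reproduced as constructed input.

```shell
#!/bin/sh
# Pre-flight check for a configOIM property file (added example, not from the
# guide or from idmConfigTool). Assumes "KEY: value" lines; passwords are
# expected to be absent because idmConfigTool prompts for them.

# Every key the guide's configOIMPropertyFile.txt carries.
REQUIRED_KEYS="ACCESS_GATE_ID ACCESS_SERVER_HOST ACCESS_SERVER_PORT COOKIE_DOMAIN
COOKIE_EXPIRY_INTERVAL OAM_TRANSFER_MODE WEBGATE_TYPE OAM11G_WLS_ADMIN_HOST
OAM11G_WLS_ADMIN_PORT OAM11G_WLS_ADMIN_USER OAM_SERVER_VERSION WLSHOST WLSPORT
WLSADMIN DOMAIN_NAME OIM_MANAGED_SERVER_NAME DOMAIN_LOCATION SSO_ENABLED_FLAG
IDSTORE_HOST IDSTORE_PORT IDSTORE_DIRECTORYTYPE IDSTORE_ADMIN_USER
IDSTORE_LOGINATTRIBUTE IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE
MDS_DB_URL MDS_DB_SCHEMA_USERNAME LOGINURI LOGOUTURI AUTOLOGINURI"

# prop_get FILE KEY: print the value of KEY (everything after the first ':').
prop_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# check_config_oim FILE: 0 when the file is usable, 1 otherwise; findings on stdout.
check_config_oim() {
  f=$1; rc=0
  [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
  for k in $REQUIRED_KEYS; do
    [ -n "$(prop_get "$f" "$k")" ] || { echo "FAIL: $k is missing or empty"; rc=1; }
  done
  # Passwords are prompted for by the tool; a password line on disk is a leak.
  if grep -Eiq '^[[:space:]]*[A-Z0-9_]*(PASSWORD|PASSWD|PWD)[A-Z0-9_]*[[:space:]]*:' "$f"; then
    echo "FAIL: password-like key present; delete it and let the tool prompt"; rc=1
  fi
  # OPEN mode sends WebGate-to-OAM-server traffic in clear; fine for this lab only.
  case $(prop_get "$f" OAM_TRANSFER_MODE) in
    OPEN)        echo "WARN: OAM_TRANSFER_MODE is OPEN (unencrypted OAP); use SIMPLE or CERT outside a lab" ;;
    SIMPLE|CERT) ;;
    *)           echo "FAIL: OAM_TRANSFER_MODE must be OPEN, SIMPLE or CERT"; rc=1 ;;
  esac
  [ "$(prop_get "$f" SSO_ENABLED_FLAG)" = true ] || { echo "FAIL: SSO_ENABLED_FLAG must be true"; rc=1; }
  # The guide binds as a proxy user under cn=systemids, never as cn=Directory Manager.
  case $(prop_get "$f" IDSTORE_ADMIN_USER) in
    *,cn=systemids,*) ;;
    *) echo "WARN: IDSTORE_ADMIN_USER is not a cn=systemids proxy user" ;;
  esac
  return $rc
}

# write_sample FILE: the guide's property file, reproduced as constructed input.
write_sample() {
  cat > "$1" <<'EOF'
ACCESS_GATE_ID: WebG_IDM
ACCESS_SERVER_HOST: oam02.example.com
ACCESS_SERVER_PORT: 5575
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: OPEN
WEBGATE_TYPE: ohsWebgate10g
OAM11G_WLS_ADMIN_HOST: oam02.example.com
OAM11G_WLS_ADMIN_PORT: 7001
OAM11G_WLS_ADMIN_USER: weblogic
OAM_SERVER_VERSION: 11g
WLSHOST: oam01.example.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: oim_soa_domain
OIM_MANAGED_SERVER_NAME: oim_server1
DOMAIN_LOCATION: /u01/app/oracle/admin/domains/oim_soa_domain
SSO_ENABLED_FLAG: true
IDSTORE_HOST: oam01.example.com
IDSTORE_PORT: 1389
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=systemids,dc=example,dc=com
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
MDS_DB_URL: jdbc:oracle:thin:@oam01.example.com:1521:oamdb
MDS_DB_SCHEMA_USERNAME: INTEROP2_MDS
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
EOF
}

# Usage: sh check_configoim.sh configOIMPropertyFile.txt
# With no argument the built-in sample is checked instead.
main() {
  if [ $# -eq 1 ]; then
    check_config_oim "$1" && echo "OK: now run  ./idmConfigTool.sh -configOIM input_file=$1"
  else
    f=$(mktemp); write_sample "$f"
    check_config_oim "$f" && echo "OK: the guide's sample passes (OPEN-mode warning aside)"
    rm -f "$f"
  fi
}
main "$@"
```

Run it against your real file first; a FAIL line means idmConfigTool would stop or, worse, configure the domain with a wrong value that only shows up at login time.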

Restart the oim_soa_domain: a. Stop the WLS servers in this order: oim_server1, soa_server1, AdminServer. b. Start them in the reverse order: AdminServer, soa_server1, oim_server1.

Validate the configOIM setup: a. Export the MDS data for OIM: 1) Log in to FMW EM Control (http://oam01.example.com:7001/em) as weblogic/Welcome1. 2) Navigate to WebLogic Domain > oim_soa_domain > oim_server1, right-click, and select System MBean Browser. 3) In the System MBean Browser, select Application Defined MBeans > oracle.mds.lcm > Server: oim_server1 > Application: OIMAppMetadata > MDSAppRuntime > MDSAppRuntime. 4) On the Operations tab in the right pane, click the topmost exportMetadata link.

5) Set toLocation to /tmp. In the docs field, click Edit, then Add, and enter each document path as an Element:
/db/oim-config.xml
/db/ssointg/EventHandlers.xml
Click Invoke. The documents listed in docs are written to the toLocation directory, where you can confirm the SSO integration settings that configOIM wrote. /tmp is readable by every local user, so remove the export once you have reviewed it.

b. In FMW Control, navigate to WebLogic Domain > oim_soa_domain, right-click, and select Security > Credentials. Expand the oim map and confirm that it contains SSOAccessKey (the AccessGate password) and OIM_TAP_PARTNER_KEY (the OAM TAP partner key). Both secrets live in the domain credential store, not in the MDS documents exported above.

Validate the OIM domain security provider configuration: a. Log in to the WLS console (http://oam01.example.com:7001/console) as weblogic/Welcome1 and navigate to Security Realms > myrealm > Providers tab. Observe the security providers that configOIM added and click each to view its Control Flag. Also check the SSO Mode property of OIMAuthenticationProvider: it must be true (<ext:sso-mode>true</ext:sso-mode> in config.xml); otherwise OIM keeps presenting its own login page instead of trusting the identity OAM asserts. View the details of OUDAuthenticator; its property values must reflect the OUD directory server instance oud2. b. You can view the same properties in $DOMAIN_BASE/oim_soa_domain/config/config.xml: search for the provider names to find the <sec:authentication-provider> ... </sec:authentication-provider> element for each provider. c. Click Lock and Edit, open OUDAuthenticator, and on the Provider Specific tab set:
1) Static Group Object Class: groupOfUniqueNames
2) Static Member DN Attribute: uniqueMember
3) Static Group DNs from Member DN Filter: (&(uniqueMember=%M)(objectclass=groupOfUniqueNames))
4) Click Save. 5) Click Activate Changes.
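The three group settings, set here for the OIM domain and earlier for the OAM domain's OUDAuthenticator, are easy to get subtly wrong, and the symptom (a user who logs in but holds no groups) only appears after the restart. The script below is an added example, not from the original guide: it builds the exact group-lookup filter WebLogic sends for a given user DN by substituting the DN for %M, prints the ldapsearch that reproduces that lookup against OUD so it can be run by hand, and checks a group's LDIF for the object class and member attribute the filter expects. It assumes OUD's ldapsearch in $OUD_HOME/bin, the pwd.txt bind-password file used for dsconfig earlier, and cn=oimAdminUser as the bind DN (which user the authenticator actually binds as is the principal shown on the Provider Specific tab). The LDIF sample is constructed from the oimAdminGroup entry created earlier.

```shell
#!/bin/sh
# Added example, not part of the original guide: reproduce by hand the group
# lookup the WebLogic LDAP authenticator performs with the settings above.
# WebLogic substitutes the user's DN for %M in "Static Group DNs from Member
# DN Filter"; when the same search is typed into ldapsearch the DN must be
# escaped as a filter value (RFC 4515), which ldap_filter_escape does.
# Assumed: $OUD_HOME/bin/ldapsearch, pwd.txt holding the bind password,
# and cn=oimAdminUser as bind DN.

GROUP_FILTER='(&(uniqueMember=%M)(objectclass=groupOfUniqueNames))'
GROUP_BASE='cn=Groups,cn=oracleAccounts,dc=example,dc=com'
LDAP_HOST=oam01.example.com
LDAP_PORT=1389
BIND_DN='cn=oimAdminUser,cn=systemids,dc=example,dc=com'

# ldap_filter_escape VALUE: escape \ * ( ) as \5c \2a \28 \29 for use in a filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# group_filter_for MEMBER_DN: the filter WebLogic sends for that user.
group_filter_for() {
  esc=$(ldap_filter_escape "$1")
  m='%M'
  printf '%s\n' "${GROUP_FILTER%%"$m"*}$esc${GROUP_FILTER#*"$m"}"
}

# group_lookup_cmd MEMBER_DN: the ldapsearch that reproduces the lookup; the
# password comes from a file rather than the command line (no -w).
group_lookup_cmd() {
  printf '$OUD_HOME/bin/ldapsearch -h %s -p %s -D "%s" -j pwd.txt -b "%s" "%s" dn\n' \
    "$LDAP_HOST" "$LDAP_PORT" "$BIND_DN" "$GROUP_BASE" "$(group_filter_for "$1")"
}

# ldif_supports_filter LDIF_FILE: 0 when the group entry uses the object
# class and member attribute the filter above expects.
ldif_supports_filter() {
  grep -iq '^objectclass: *groupOfUniqueNames *$' "$1" && grep -iq '^uniquemember: *' "$1"
}

# sample_group_ldif FILE: constructed copy of the oimAdminGroup entry.
sample_group_ldif() {
  cat > "$1" <<'EOF'
dn: cn=oimAdminGroup,cn=systemids,dc=example,dc=com
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=example,dc=com
EOF
}

# Usage: sh group_lookup.sh 'uid=jdoe,cn=Users,cn=oracleAccounts,dc=example,dc=com'
main() {
  dn=${1:-'cn=oimAdminUser,cn=systemids,dc=example,dc=com'}
  echo "filter : $(group_filter_for "$dn")"
  echo "command: $(group_lookup_cmd "$dn")"
  t=$(mktemp); sample_group_ldif "$t"
  if ldif_supports_filter "$t"; then echo "schema : group entry matches the filter"
  else echo "schema : MISMATCH, fix the provider settings before restarting"; fi
  rm -f "$t"
}
main "$@"
```

If the printed ldapsearch returns no DN for a user who is a uniqueMember of a group, the provider settings and the directory disagree and the restart will not fix it.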

Restart the servers in the same order as before: stop oim_server1, soa_server1, AdminServer; then start AdminServer, soa_server1, oim_server1.

Validate the OAM partner registration configuration: 1) On the oam02 machine, open oam-config.xml from the oam_oaam_domain ($DOMAIN_BASE/oam_oaam_domain/config/fmwconfig/oam-config.xml). 2) Search for OIMPartner. You should find the section that the OIM partner TAP registration created, including its TapCipherKey. That key is the secret OAM shares with OIM to protect the identity assertions it hands over; its counterpart on the OIM side is the OIM_TAP_PARTNER_KEY credential seen earlier. Keep oam-config.xml readable only by the OAM software owner.
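The validation steps above are all "open the file and look for X". The script below is an added example, not part of the original guide, that does the same checks mechanically so they can be rerun after every restart: it inspects the oim_soa_domain config.xml for the providers and the OIM authenticator's SSO mode, inspects the oam_oaam_domain oam-config.xml for the OIMPartner registration, and fails if either file is readable by other users, since oam-config.xml carries the TAP cipher key. It assumes only the element names the guide itself shows (<sec:authentication-provider>, <sec:name>, <ext:sso-mode>); the sample fragments are constructed, and the <wls:...> element names in them are placeholders for illustration, which is why the OUD checks match on values rather than on tags.

```shell
#!/bin/sh
# Added example, not part of the original guide: file-level checks for the
# OIM/OAM integration markers. Assumed element names: those the guide shows
# (<sec:authentication-provider>, <sec:name>, <ext:sso-mode>). The sample
# fragments are constructed; their <wls:...> names are placeholders.

# check_oim_domain_config CONFIG_XML: providers present, SSO mode true, OUD
# group settings updated. config.xml stores '&' as '&amp;', so the filter is
# matched on its distinctive uniqueMember=%M part rather than in full.
check_oim_domain_config() {
  f=$1; rc=0
  for p in OIMAuthenticationProvider OUDAuthenticator; do
    grep -q "<sec:name>$p</sec:name>" "$f" || { echo "FAIL: provider $p not in $f"; rc=1; }
  done
  grep -q '<ext:sso-mode>true</ext:sso-mode>' "$f" \
    || { echo "FAIL: OIMAuthenticationProvider SSO mode is not true"; rc=1; }
  grep -q 'groupOfUniqueNames' "$f" \
    || { echo "FAIL: OUDAuthenticator static group object class is not groupOfUniqueNames"; rc=1; }
  grep -Fq 'uniqueMember=%M' "$f" \
    || { echo "FAIL: OUDAuthenticator group DN filter not updated"; rc=1; }
  return $rc
}

# check_oam_partner OAM_CONFIG_XML: the OIM partner TAP registration exists.
check_oam_partner() {
  f=$1; rc=0
  grep -q 'OIMPartner' "$f" || { echo "FAIL: no OIMPartner registration in $f"; rc=1; }
  grep -iq 'TapCipherKey' "$f" || { echo "FAIL: OIMPartner carries no TapCipherKey"; rc=1; }
  return $rc
}

# check_private FILE: 0 unless group or others can read the file.
check_private() {
  case $(ls -ld "$1" | cut -c5-10) in
    *r*) echo "FAIL: $1 is readable by group or others"; return 1 ;;
  esac
}

# validate_integration CONFIG_XML OAM_CONFIG_XML: run every check, report once.
validate_integration() {
  vrc=0
  check_private "$1" || vrc=1
  check_private "$2" || vrc=1
  check_oim_domain_config "$1" || vrc=1
  check_oam_partner "$2" || vrc=1
  [ "$vrc" -eq 0 ] && echo "OK: integration markers present and both files private"
  return "$vrc"
}

# Constructed fragments standing in for the real files (mktemp gives mode 0600).
sample_oim_config() {
  cat > "$1" <<'EOF'
<sec:authentication-provider>
  <sec:name>OIMAuthenticationProvider</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <ext:sso-mode>true</ext:sso-mode>
</sec:authentication-provider>
<sec:authentication-provider>
  <sec:name>OUDAuthenticator</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:static-group-object-class>groupOfUniqueNames</wls:static-group-object-class>
  <wls:static-member-dn-attribute>uniqueMember</wls:static-member-dn-attribute>
  <wls:static-group-dns-from-member-dn-filter>(&amp;(uniqueMember=%M)(objectclass=groupOfUniqueNames))</wls:static-group-dns-from-member-dn-filter>
</sec:authentication-provider>
EOF
}
sample_oam_config() {
  cat > "$1" <<'EOF'
<Setting Name="OIMPartner" Type="htf:map">
  <Setting Name="TapCipherKey" Type="xsd:string">constructed-placeholder-not-a-real-key</Setting>
</Setting>
EOF
}

# Usage: sh validate_integration.sh $DOMAIN_BASE/oim_soa_domain/config/config.xml \
#            $DOMAIN_BASE/oam_oaam_domain/config/fmwconfig/oam-config.xml
# With no arguments the constructed samples are checked instead.
main() {
  if [ $# -eq 2 ]; then
    validate_integration "$1" "$2"
  else
    a=$(mktemp); b=$(mktemp); sample_oim_config "$a"; sample_oam_config "$b"
    validate_integration "$a" "$b"; rm -f "$a" "$b"
  fi
}
main "$@"
```

Because the two files sit on different machines (oam01 and oam02), copy them to one host over a channel you trust, or run the two check functions separately on each host; do not leave copies of oam-config.xml in a shared directory.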

STEP - Updating SOA Server Default Composites: on the oam01 machine, open EM FMW Control (http://oam01.example.com:7001/em) and log in as weblogic/Welcome1. Navigate to SOA > SOA Infra (soa_server1) > Default.

Click BeneficiaryManagerApproval and view the Component Metrics table on the right.

Modify the ApprovalTask component: a. Click the ApprovalTask link in the Component Metrics table to open its details. b. On the Administration tab, change the HTTP Port from 14000 or 8001 to 7777, the OHS proxy port, so that task detail links go through the WebGate-protected OHS front end rather than straight to the managed server. c. Confirm that the Hostname is oam01.example.com. d. Click Apply, then OK, to save the changes. Repeat these steps for every SOA composite listed in the left pane; only the Human Workflow component metrics need the port changed.

Notes: DefaultSODApproval has two Human Workflow components to update. If a composite is not updated correctly, its page in the OIM application opens blank. DefaultOperationalApproval and DefaultRequestApproval are the composites used by the self-service registration OIM-OAM validation steps later.

Test the integration end to end through OHS: log in to the OIM console via the WebGate, exercise forgot password and self-service registration, and confirm that an approval task page opens rather than a blank page.
