
SSO Integration: OIM OAM SOA OID OHS

(ver.11gR2PS1)

SSO Integration: OIM OAM SOA OID OHS (ver.11gR2PS1) ........................ 1
1.  Integration Roadmap .................................................... 4
2.  Environment Variables: ................................................. 4
3.  Populate Schema via RCU ................................................ 5
4.  Install WebLogic Server ................................................ 6
5.  Install OIAM Suite ..................................................... 8
6.  Install SOA ........................................................... 10
7.  Install IDM Suite ..................................................... 11
8.  Patching .............................................................. 14
9.  Configure OID and OVD Instances ....................................... 15
10. Install and Configure Web Tier - OHS .................................. 20
11. Installing Web Gate ................................................... 23
12. Configure OIM and OAM components ...................................... 25
13. Configure Database Security Store ..................................... 29
14. Start Node, Admin and Managed Servers ................................. 29
15. Configure OHS Admin File: ............................................. 30
16. Prepare Identity Store ................................................ 33
17. Configure OIM with Ldapsync ........................................... 36
18. Create JAR File ....................................................... 41
19. Run POST LDAP Sync .................................................... 42
20. Configuring OAM for Integration ....................................... 43
21. Configure OAM via Idm Tool ............................................ 44
22. Configure OIM via IdmTool ............................................. 45
23. Configuring Centralized Logout for the IAMSuiteAgent .................. 49
24. Remove Default Domain Agent ........................................... 49
25. Confirm Webgate Type and ID ........................................... 49
26. Increase number of Web Gate connections: .............................. 50
27. Create an OAM 11g Web Gate Instance ................................... 51
28. Registering OID with the WLS Domain ................................... 52
29. Enable WLS Plugin & Update OHS FrontEnd ............................... 53
30. Updating SOA Server Default Composite ................................. 54
31. Verify OIM OAM OID Integration ........................................ 54
32. Start and Stop Sequence ............................................... 58
33. References: ........................................................... 59
34. Notes: ................................................................ 59

1. Integration Roadmap

1. Install OIM, OAM, OID, SOA, OHS and the OAM Webgate, and configure them prior to integration.
2. Enable LDAP synchronization for Oracle Identity Manager.
3. Configure the Identity Store by extending the schema.
4. Configure the Identity Store with the users required by Access Manager.
5. Configure the Identity Store with the users required by Oracle Identity Manager.
6. Configure the Identity Store with the users required by Oracle WebLogic Server.
7. Edit the OIM URL and OVDLib parameter so that the oamEnabled parameter is set to true.
8. Extend Access Manager to support Oracle Identity Manager.
9. Integrate Access Manager and Oracle Identity Manager.
10. Configure the Webgate on the OHS server to point to the 11g OAM Server.
11. Configure centralized logout for the IAMSuiteAgent.
12. Remove the IDM Domain Agent and start the Oracle WebLogic Server Administration and Managed Servers.
13. Test the integration.
14. Depending upon your environment, update the SOA server default composites.

2. Environment Variables:

$ export ORACLE_HOME=/appl/oracle/fmw/Oracle_IDM1
$ export BIN_HOME=/appl/binaries
$ export HOSTNAME=server1.us.oracle.com
$ export IAM_HOME=$ORACLE_HOME
$ export JAVA_HOME=$BIN_HOME/jdk/jdk1.6.0_25
$ export IDM_HOME=/appl/oracle/fmw-idm/Oracle_IDM1
$ export MW_HOME=/appl/oracle/fmw
$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain
$ export WT1_INSTANCE_HOME=/appl/oracle/fmw-web/Oracle_WT1/instances/instance1
$ export OHS_COMPONENT_NAME=ohs1
$ export OID_ORACLE_INSTANCE=/appl/oracle/fmw-idm/asinst_1

3. Populate Schema via RCU

$ $BIN_HOME/rcu/rcu_11.1.2.1.0/rcuHome/bin/rcu

4. Install WebLogic Server

$ java -jar $BIN_HOME/wls/wls1036_generic.jar

5. Install OIAM Suite

$ cd $BIN_HOME/oiam-r2ps1/11.1.2.1.0/Disk1/
$ ./runInstaller -jreLoc $BIN_HOME/jdk/jdk1.6.0_25/

6. Install SOA

$ $BIN_HOME/soa-1.6/soa_11.1.1.6.0/Disk1/runInstaller -jreLoc $BIN_HOME/jdk/jdk1.6.0_25/

7. Install IDM Suite

$ $BIN_HOME/idm-oid/Disk1/runInstaller

8. Patching

# OIM Bundle Patching:


$ export ORACLE_HOME=/appl/oracle/fmw/Oracle_IDM1/; echo $ORACLE_HOME
$ $ORACLE_HOME/OPatch/opatch lsinv
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/bundle-patchoim/11.1.2.1.0_bp8/drop2/18818451
$ $ORACLE_HOME/OPatch/opatch apply -silent -force /appl/binaries/idmtoolpatch/17008132
$ $ORACLE_HOME/OPatch/opatch lsinv

# OAM Bundle Patching


$ export ORACLE_HOME=/appl/oracle/fmw/Oracle_IDM1/; echo $ORACLE_HOME
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/patch-oam-oim-integ/18138998/OAM/18123471
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/patch-oam-oim-integ/18138998/OAAM/17564520

$ $ORACLE_HOME/OPatch/opatch lsinv

# SOA Patching
$ export ORACLE_HOME=/appl/oracle/fmw/Oracle_SOA1/;echo $ORACLE_HOME
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/soa_patch/13973356
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/soa_patch/14196234
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/soa_patch/16024267
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/soa_patch/16366204
$ $ORACLE_HOME/OPatch/opatch apply -silent -force $BIN_HOME/soa_patch/16385074
$ $ORACLE_HOME/OPatch/opatch lsinv

# IDM Patching

$ export ORACLE_HOME=$IDM_HOME/;echo $ORACLE_HOME


$ $IDM_HOME/OPatch/opatch apply -silent -force $BIN_HOME/oid-patch/18686783
$ $IDM_HOME/OPatch/opatch lsinv

9. Configure OID and OVD Instances

$ $IDM_HOME/bin/config.sh

10. Install and Configure Web Tier - OHS

$ $BIN_HOME/webtier11g/Disk1/runInstaller

11. Installing Web Gate

$ $BIN_HOME/webgate11g/Disk1/runInstaller -jreLoc $BIN_HOME/jdk/jdk1.6.0_25/

12. Configure OIM and OAM components

$ /appl/oracle/fmw/Oracle_IDM1/common/bin/config.sh

13. Configure Database Security Store

$ export MW_HOME=/appl/oracle/fmw;
$ export ORACLE_HOME=/appl/oracle/fmw/Oracle_IDM1;
$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain/
$ $MW_HOME/oracle_common/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -c IAM -p Welcome1 -m create

14. Start Node, Admin and Managed Servers

Perform the first start manually; then copy boot.properties into each Managed Server's
security folder so that subsequent starts do not prompt for credentials.
$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain
$ export WL_HOME=/appl/oracle/fmw/wlserver_10.3
$ nohup $WL_HOME/server/bin/startNodeManager.sh > /tmp/nohup-node.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startWebLogic.sh > /tmp/nohup-wls.out 2>&1 &
$ $DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1
$ $DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1
$ $DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1

15. Configure OHS Admin File:

# Create a new admin.conf file:


$ export WT1_INSTANCE_HOME=/appl/oracle/fmw-web/Oracle_WT1/instances/instance1
$ export ORACLE_INSTANCE=$WT1_INSTANCE_HOME
$ cat > $ORACLE_INSTANCE/config/OHS/ohs1/moduleconf/admin.conf

# Admin Server and EM


<Location /console>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WeblogicPort 7001
</Location>
<Location /consolehelp>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WeblogicPort 7001
</Location>
<Location /em>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WeblogicPort 7001
</Location>
<Location /oamconsole>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WeblogicPort 7001
</Location>
# OIM and SOA
<Location /identity>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /sysadmin>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /oam>
SetHandler weblogic-handler
WLCookieName jsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14100
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /admin>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# oim self and advanced admin webapp consoles(canonic webapp)
<Location /oim>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
<Location /sodcheck>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WebLogicPort 8001
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
<Location /workflowservice>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WebLogicPort 8001
WLCookieName oimjsessionid
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# xlWebApp - Legacy 9.x webapp (struts based)
<Location /xlWebApp>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# Nexaweb WebApp - used for workflow designer and DM
<Location /Nexaweb>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# used for FA Callback service.

<Location /callbackResponseService>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# spml xsd profile
<Location /spml-xsd>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /HTTPClnt>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
# SOA Infrastructure
<Location /soa-infra>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 8001
WLLogFile ${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log
</Location>
<Location /soa>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 8001
WLLogFile ${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log
</Location>
<Location /integration>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicHost server1.us.oracle.com
WebLogicPort 8001
WLLogFile ${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log
</Location>

# Restart OHS:
$ $WT1_INSTANCE_HOME/bin/opmnctl stopall;$WT1_INSTANCE_HOME/bin/opmnctl startall

16. Prepare Identity Store

# Set environment variables


$ export ORACLE_HOME=/appl/oracle/fmw/Oracle_IDM1
$ export JAVA_HOME=$BIN_HOME/jdk/jdk1.6.0_25
$ export MW_HOME=/appl/oracle/fmw

# Extending Directory Schema for Access Manager


$ cd /appl/oracle/fmw/Oracle_IDM1/idmtools/bin/
$ cat > extendOAMPropertyFile
IDSTORE_HOST: server1.us.oracle.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com

$ ./idmConfigTool.sh -preConfigIDStore input_file=extendOAMPropertyFile


Enter ID Store Bind DN password :
Sep 10, 2014 3:23:32 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/idm_idstore_groups_template.ldif
Sep 10, 2014 3:23:37 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
Sep 10, 2014 3:23:39 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/systemid_pwdpolicy.ldif
Sep 10, 2014 3:23:40 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/idstore_tuning.ldif
Sep 10, 2014 3:23:41 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oid_schema_extn.ldif
Sep 10, 2014 3:23:44 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /appl/oracle/fmw/Oracle_IDM1/oam/server/oimintg/ldif/oid/schema/OID_oblix_pwd_schema_add.ldif
Sep 10, 2014 3:23:45 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /appl/oracle/fmw/Oracle_IDM1/oam/server/oimintg/ldif/oid/schema/OID_oim_pwd_schema_add.ldif
Sep 10, 2014 3:23:45 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /appl/oracle/fmw/Oracle_IDM1/oam/server/oimintg/ldif/oid/schema/OID_oblix_schema_add.ldif
Sep 10, 2014 3:23:56 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /appl/oracle/fmw/Oracle_IDM1/oam/server/oimintg/ldif/oid/schema/OID_oblix_schema_index_add.ldif
Sep 10, 2014 3:36:58 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/fa_pwdpolicy.ldif
The tool has completed its operation. Details have been logged to automation.log

# Creating Users and Groups for Access Manager

$ cat > preconfigOAMPropertyFile

IDSTORE_HOST : server1.us.oracle.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OAMSOFTWAREUSER:oamLDAP
IDSTORE_OAMADMINUSER:oamadmin

$ ./idmConfigTool.sh -prepareIDStore mode=OAM input_file=preconfigOAMPropertyFile


Enter ID Store Bind DN password :
*** Creation of oimLDAP ***
Sep 11, 2014 6:19:43 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_user_template.ldif
Enter User Password for oimLDAP:
Confirm User Password for oimLDAP:
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_group_template.ldif
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/common/oim_group_member_template.ldif
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_groups_acl_template.ldif
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_reserve_template.ldif
*** Creation of Xel Sys Admin User ***
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/idm_xelsysadmin_user.ldif
Enter User Password for xelsysadm:
Confirm User Password for xelsysadm:
The tool has completed its operation. Details have been logged to automation.log

# Creating Users and Groups for Oracle Identity Manager

$ cat > preconfigOIMPropertyFile


IDSTORE_HOST: server1.us.oracle.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP: OIMAdministrators

$ ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=preconfigOIMPropertyFile


*** Creation of oimLDAP ***
Sep 11, 2014 6:19:43 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_user_template.ldif
Enter User Password for oimLDAP:
Confirm User Password for oimLDAP:
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_group_template.ldif
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/common/oim_group_member_template.ldif
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_groups_acl_template.ldif
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oim_reserve_template.ldif
*** Creation of Xel Sys Admin User ***
Sep 11, 2014 6:19:52 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/idm_xelsysadmin_user.ldif
Enter User Password for xelsysadm:
Confirm User Password for xelsysadm:
The tool has completed its operation. Details have been logged to automation.log

# Creating Users and Groups for Oracle WebLogic Server


$ cat > preconfigWLSPropertyFile
IDSTORE_HOST : server1.us.oracle.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_WLSADMINUSER: weblogic_idm
IDSTORE_WLSADMINGROUP: wlsadmingroup
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true

$ ./idmConfigTool.sh -prepareIDStore mode=WLS input_file=preconfigWLSPropertyFile


Enter ID Store Bind DN password :
*** Creation of Weblogic Admin User ***
Sep 11, 2014 6:20:15 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for weblogic_idm:
Confirm User Password for weblogic_idm:
Sep 11, 2014 6:20:23 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/fa_add_pwdpolicy.ldif
Sep 11, 2014 6:20:23 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/oid/weblogic_admin_group.ldif
Sep 11, 2014 6:20:23 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:
/appl/oracle/fmw/Oracle_IDM1/idmtools/templates/common/group_member_template.ldif
The tool has completed its operation. Details have been logged to automation.log

# Validate Users/Groups creation in OID

17. Configure OIM with Ldapsync

$ /appl/oracle/fmw/Oracle_IDM1/bin/config.sh

# You can also use port 14000 (the direct managed server port)

18. Create JAR File

$ cd $WL_HOME/server/lib
$ java -jar wljarbuilder.jar
Integrating jar <-(1)/(37365)/(96)//appl/oracle/fmw/modules/com.bea.core.diagnostics.accessor_1.5.0.0.jar
Created new jar file: /appl/oracle/fmw/wlserver_10.3/server/lib/wlfullclient.jar
$ java -jar $MW_HOME/modules/com.bea.core.jarbuilder_1.7.0.0.jar
$ cp $WL_HOME/server/lib/wlfullclient.jar $ORACLE_HOME/designconsole/ext/
$ ls -l wlfullclient.jar
-rw-r--r-- 1 gnawaz dba 55004433 Sep 11 06:42 wlfullclient.jar

Restart the Admin and Managed Servers after copying the boot.properties file:
# Shut down all the servers via console or command line first

$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain
$ mkdir $DOMAIN_HOME/servers/oam_server1/security
$ mkdir $DOMAIN_HOME/servers/oim_server1/security
$ mkdir $DOMAIN_HOME/servers/soa_server1/security
$ cp $DOMAIN_HOME/servers/AdminServer/security/boot.properties $DOMAIN_HOME/servers/oam_server1/security/
$ cp $DOMAIN_HOME/servers/AdminServer/security/boot.properties $DOMAIN_HOME/servers/oim_server1/security/
$ cp $DOMAIN_HOME/servers/AdminServer/security/boot.properties $DOMAIN_HOME/servers/soa_server1/security/
$ nohup $DOMAIN_HOME/bin/startWebLogic.sh > /tmp/nohup-wls.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1 > /tmp/nohup-oam.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1 > /tmp/nohup-soa.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1 > /tmp/nohup-oim.out 2>&1 &

19. Run POST LDAP Sync

$ cd /appl/oracle/fmw/Oracle_IDM1/server/ldap_config_util
$ vi ldapconfig.props
OIMProviderURL=t3://server1.us.oracle.com:14000
LIBOVD_PATH_PARAM=/appl/oracle/fmw/user_projects/domains/base_domain/config/fmwconfig/ovd/oim

# Set required environment variables.


$ cd /appl/oracle/fmw/Oracle_IDM1/server/ldap_config_util
$ export APP_SERVER=weblogic
$ export JAVA_HOME=$BIN_HOME/jdk/jdk1.6.0_25
$ export MW_HOME=/appl/oracle/fmw
$ export OIM_ORACLE_HOME=/appl/oracle/fmw/Oracle_IDM1
$ export WL_HOME=/appl/oracle/fmw/wlserver_10.3
$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain
$ export LIBOVD_PATH_PARAM=/appl/oracle/fmw/user_projects/domains/base_domain/config/fmwconfig/ovd/oim

# Update XEL_HOME parameter in the file setEnv.sh.

$ vi /appl/oracle/fmw/Oracle_IDM1/server/bin/setEnv.sh
- Update below line:
XEL_HOME=/appl/oracle/fmw/Oracle_IDM1/server

# Execute the utility LDAPConfigPostSetup.sh

$ cd /appl/oracle/fmw/Oracle_IDM1/server/ldap_config_util
$ ./LDAPConfigPostSetup.sh /appl/oracle/fmw/Oracle_IDM1/server/ldap_config_util
For running the Utilities the following environment variables need to be set
APP_SERVER is weblogic
OIM_ORACLE_HOME is /appl/oracle/fmw/Oracle_IDM1
JAVA_HOME is $BIN_HOME/jdk/jdk1.6.0_25
MW_HOME is /appl/oracle/fmw
WL_HOME is /appl/oracle/fmw/wlserver_10.3
DOMAIN_HOME is /appl/oracle/fmw/user_projects/domains/base_domain
[Enter OIM admin password:]
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider".
OpenJPA will not be used.
Obtained LDAP Connection.....
UsernamePasswordLoginModule.initialize(), debug enabled
UsernamePasswordLoginModule.login(), username xelsysadm
UsernamePasswordLoginModule.login(), URL t3://server1.us.oracle.com:14000
Authenticated with OIM Admin.....
Obtained Scheduler Service.....
Successfully Enabled Changelog based Reconciliation schedule jobs.
Successfully Updated Changelog based Reconciliation schedule jobs with last change
number : 0

20. Configuring OAM for Integration

1. Set the environment variables required for idmconfigtool.
2. Update the domain agent password as follows:
   a. Log in to the Oracle Access Management administration console:
      http://oam_adminserver_host:port/oamconsole
   b. Navigate to the System Configuration tab, then Access Manager Settings, then SSO Agents.
   c. Double-click OAM Agents. A Webgate page displays.
   d. Click Search to list all Webgate agents.
   e. Double-click IAMSuiteAgent. Update the field Access Client Password with the desired password.
   f. Log in to the Oracle WebLogic Server administration console:
      http://oam_adminserver_host:port/console
   g. Navigate to Security Realms, then myrealm. Open the Providers tab and edit IAMSuiteAgent.
   h. Open the Provider Specific tab and update the agent password. Save the changes.

# Restart the Admin and Managed Servers.

$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain
$ nohup $DOMAIN_HOME/bin/startWebLogic.sh > /tmp/nohup-wls.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1 > /tmp/nohup-oam.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1 > /tmp/nohup-soa.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1 > /tmp/nohup-oim.out 2>&1 &

# OAM Configuration File for Integration


# Source environment variables
$ export BIN_HOME=/appl/binaries
$ export JAVA_HOME=$BIN_HOME/jdk/jdk1.6.0_25
$ export MW_HOME=/appl/oracle/fmw
$ export IDM_ORACLE_HOME=$IDM_HOME
$ export IAM_ORACLE_HOME=/appl/oracle/fmw/Oracle_IDM1
$ export ORACLE_HOME=$IAM_ORACLE_HOME
$ export IDM_HOME=$IDM_ORACLE_HOME

21. Configure OAM via Idm Tool

$ cd /appl/oracle/fmw/Oracle_IDM1/idmtools/bin/
$ cat > OAMconfigPropertyFile

WLSHOST: server1.us.oracle.com
WLSPORT: 7001
WLSADMIN: weblogic
WLSPASSWD: Welcome1
ADMIN_SERVER_USER_PASSWORD: Welcome1
IDSTORE_HOST: server1.us.oracle.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_DIRECTORYTYPE: OID
POLICYSTORE_SHARES_IDSTORE: true
PRIMARY_OAM_SERVERS: server1.us.oracle.com:5575

WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST:server1.us.oracle.com
OAM11G_IDM_DOMAIN_OHS_PORT:7777
OAM11G_IDM_DOMAIN_OHS_PROTOCOL:http
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM11G_IMPERSONATION_FLAG: false
OAM_TRANSFER_MODE: open
OAM11G_OAM_SERVER_TRANSFER_MODE:open
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp,/oamsso/logout.html,/cgibin/logout.pl
OAM11G_OIM_WEBGATE_PASSWD: Welcome1
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
COOKIE_DOMAIN: .us.oracle.com
OAM11G_IDSTORE_NAME: OID_Store1
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: false
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_SERVER_LBR_HOST:server1.us.oracle.com
OAM11G_SERVER_LBR_PORT:7777
OAM11G_SERVER_LBR_PROTOCOL:http
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_OIM_OHS_URL:http://server1.us.oracle.com:7777/
SPLIT_DOMAIN: false

$ ./idmConfigTool.sh -configOAM input_file=OAMconfigPropertyFile


Enter ID Store Bind DN password :
Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Enter User Password for IDSTORE_PWD_OAMADMINUSER:
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
The tool has completed its operation. Details have been logged to automation.log

22. Configure OIM via IdmTool

$ cat > OIMconfigPropertyFile


LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: server1.us.oracle.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .us.oracle.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: open
WEBGATE_TYPE: ohsWebgate11g
OAM_SERVER_VERSION: 11g
OAM11G_WLS_ADMIN_HOST: server1.us.oracle.com
OAM11G_WLS_ADMIN_PORT: 7001

OAM11G_WLS_ADMIN_USER: weblogic
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 3060
IDSTORE_HOST: server1.us.oracle.com
IDSTORE_DIRECTORYTYPE: OID
IDSTORE_ADMIN_USER: cn=orcladmin
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@localhost:1521:orcl
MDS_DB_SCHEMA_USERNAME: DEV_MDS
WLSHOST: server1.us.oracle.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: base_domain
OIM_MANAGED_SERVER_NAME: oim_server1
DOMAIN_LOCATION: /appl/oracle/fmw/user_projects/domains/base_domain

$ ./idmConfigTool.sh -configOIM input_file=OIMconfigPropertyFile


Enter sso access gate password :
Enter mds db schema password :
Enter idstore admin password :
Enter admin server user password :
Enter oam11g domain admin user password :
********* Seeding OAM Passwds in OIM *********

Completed loading user inputs for - CSF Config

Completed loading user inputs for - Dogwood Admin WLS


Connecting to t3://server1.us.oracle.com:7001
Connection to domain runtime mbean server established
Seeding credential :SSOAccessKey

********* ********* *********

********* Activating OAM Notifications *********

Completed loading user inputs for - MDS DB Config


Sep 11, 2014 7:00:03 AM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag
"oracle.multitenant.enabled" is not set to enable multitenancy support.
Initialized MDS resources

Sep 11, 2014 7:00:05 AM oracle.mds


NOTIFICATION: PManager instance is created without multitenancy support as JVM flag
"oracle.multitenant.enabled" is not set to enable multitenancy support.
Sep 11, 2014 7:00:05 AM oracle.mds
NOTIFICATION: transfer operation started.
Sep 11, 2014 7:00:06 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed
: 1, total number of documents failed : 0.
Upload to DB completed

Releasing all resources


Notifications activated.

********* ********* *********

********* Seeding OAM Config in OIM *********

Completed loading user inputs for - OAM Access Config


Validated input values
Initialized MDS resources
Sep 11, 2014 7:00:06 AM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag
"oracle.multitenant.enabled" is not set to enable multitenancy support.
Sep 11, 2014 7:00:06 AM oracle.mds
NOTIFICATION: transfer operation started.
Sep 11, 2014 7:00:06 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed
: 1, total number of documents failed : 0.
Download from DB completed
Releasing all resources
Updated /appl/oracle/fmw/Oracle_IDM1/server/oamMetadata/db/oim-config.xml
Initialized MDS resources
Sep 11, 2014 7:00:06 AM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag
"oracle.multitenant.enabled" is not set to enable multitenancy support.
Sep 11, 2014 7:00:06 AM oracle.mds
NOTIFICATION: transfer operation started.
Sep 11, 2014 7:00:07 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed
: 1, total number of documents failed : 0.
Upload to DB completed

Releasing all resources

OAM configuration seeded. Please restart oim server.

********* ********* *********

********* Configuring Authenticators in OIM WLS *********

Completed loading user inputs for - LDAP connection info


Connecting to t3://server1.us.oracle.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
Destroyed Authentication Provider: Security:Name=myrealmOIMAuthenticationProvider
Created OAMIDAsserter successfuly
OAMIDAsserter is already configured to support 11g webgate
Created OIMSignatureAuthenticator successfuly
Created OIDAuthenticator successfuly
Setting attributes for OIDAuthenticator
All attributes set. Configured inOIDAuthenticatornow
LDAP details configured in OIDAuthenticator
Control flags for authenticators set sucessfully
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated. Edit session ended.
Connection closed sucessfully

********* ********* *********

The tool has completed its operation. Details have been logged to automation.log
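The -configOAM and -configOIM inputs in sections 21 and 22 repeat the same agent, cookie, OAM-server and WLS values by hand, and a slip in either file only surfaces later as a failed login. The following lint is an added example, not part of this runbook and not Oracle's idmConfigTool; the two property files it checks are constructed abridged copies of the ones above.

```sh
#!/bin/sh
# Added example (not part of this runbook, not Oracle's idmConfigTool): a consistency
# lint for the -configOAM and -configOIM property files. Values that must agree between
# them are typed twice by hand in sections 21 and 22; this catches the disagreements.

# prop FILE KEY: print KEY's value; accepts "KEY: v", "KEY:v" and "KEY : v".
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# same_in_both FILE_A FILE_B KEY...: one MISMATCH line per key whose value differs
# between the two files (a key missing on one side counts as a mismatch).
same_in_both() {
  a=$1; b=$2; shift 2
  for k in "$@"; do
    va=$(prop "$a" "$k"); vb=$(prop "$b" "$k")
    [ "$va" = "$vb" ] || printf 'MISMATCH %s: %s / %s\n' "$k" "${va:-<unset>}" "${vb:-<unset>}"
  done
}

# check_oam_oim OAM_FILE OIM_FILE: print every inconsistency between the two inputs;
# exit status 0 only when they agree.
check_oam_oim() {
  oam=$1; oim=$2
  issues=$(
    same_in_both "$oam" "$oim" ACCESS_GATE_ID WEBGATE_TYPE COOKIE_DOMAIN \
      COOKIE_EXPIRY_INTERVAL OAM_TRANSFER_MODE IDSTORE_HOST IDSTORE_PORT \
      WLSHOST WLSPORT WLSADMIN
    # The OAM file gives the OAM proxy endpoint as host:port; the OIM file splits it.
    want="$(prop "$oim" ACCESS_SERVER_HOST):$(prop "$oim" ACCESS_SERVER_PORT)"
    [ "$(prop "$oam" PRIMARY_OAM_SERVERS)" = "$want" ] \
      || echo "MISMATCH PRIMARY_OAM_SERVERS vs ACCESS_SERVER_HOST:PORT ($want)"
    # The OIM file names the OAM domain's admin server with keys of its own.
    [ "$(prop "$oim" OAM11G_WLS_ADMIN_HOST):$(prop "$oim" OAM11G_WLS_ADMIN_PORT)" = \
      "$(prop "$oam" WLSHOST):$(prop "$oam" WLSPORT)" ] \
      || echo 'MISMATCH OAM11G_WLS_ADMIN_HOST/PORT vs WLSHOST/WLSPORT'
    [ "$(prop "$oim" IDSTORE_ADMIN_USER)" = "$(prop "$oam" IDSTORE_BINDDN)" ] \
      || echo 'MISMATCH IDSTORE_ADMIN_USER vs IDSTORE_BINDDN'
  )
  [ -z "$issues" ] && return 0
  printf '%s\n' "$issues"
  return 1
}

# cleartext_secrets FILE: list *PASSWD*/*PASSWORD* keys that carry a value. The -configOIM
# run in section 22 shows the tool prompting for each password its file omits.
cleartext_secrets() {
  sed -n 's/^[[:space:]]*\([A-Z0-9_]*PASS[A-Z]*\)[[:space:]]*:[[:space:]]*[^[:space:]].*/\1/p' "$1"
}

# Constructed sample inputs: abridged copies of the two property files from sections 21
# and 22 (same values), written to a scratch directory that is removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OAM_PROPS=$WORK/OAMconfigPropertyFile
OIM_PROPS=$WORK/OIMconfigPropertyFile
cat > "$OAM_PROPS" <<'EOF'
WLSHOST: server1.us.oracle.com
WLSPORT: 7001
WLSADMIN: weblogic
WLSPASSWD: Welcome1
IDSTORE_HOST: server1.us.oracle.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
PRIMARY_OAM_SERVERS: server1.us.oracle.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM_TRANSFER_MODE: open
OAM11G_OIM_WEBGATE_PASSWD: Welcome1
COOKIE_DOMAIN: .us.oracle.com
COOKIE_EXPIRY_INTERVAL: 120
EOF
cat > "$OIM_PROPS" <<'EOF'
ACCESS_SERVER_HOST: server1.us.oracle.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .us.oracle.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: open
WEBGATE_TYPE: ohsWebgate11g
OAM11G_WLS_ADMIN_HOST: server1.us.oracle.com
OAM11G_WLS_ADMIN_PORT: 7001
IDSTORE_PORT: 3060
IDSTORE_HOST: server1.us.oracle.com
IDSTORE_ADMIN_USER: cn=orcladmin
WLSHOST: server1.us.oracle.com
WLSPORT: 7001
WLSADMIN: weblogic
EOF
# A copy with two typical hand-editing slips: transposed OAM proxy port, wrong cookie domain.
BAD_PROPS=$WORK/OIMconfigPropertyFile.bad
sed -e 's/^ACCESS_SERVER_PORT: 5575/ACCESS_SERVER_PORT: 5557/' \
    -e 's/^COOKIE_DOMAIN: .us.oracle.com/COOKIE_DOMAIN: .mycompany.com/' "$OIM_PROPS" > "$BAD_PROPS"

check_oam_oim "$OAM_PROPS" "$OIM_PROPS" && echo "OK: OIM input agrees with OAM input"
check_oam_oim "$OAM_PROPS" "$BAD_PROPS" || echo "FAIL: $BAD_PROPS disagrees (issues listed above)"
echo "Cleartext password keys in $OAM_PROPS:"; cleartext_secrets "$OAM_PROPS"
```

Run it against the real files before each idmConfigTool invocation; a non-zero exit from check_oam_oim means the two inputs describe different agents or endpoints.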

23. Configuring Centralized Logout for the IAMSuiteAgent

To configure logout for the IAMSuiteAgent:
1. Log in to the WebLogic Server Administration Console.
2. Navigate to Domain, Deployments, oamsso_logout, Targets.
3. Select all the Servers where the IAMSuiteAgent is enabled
and where logout is performed. For example, oim_server,
oaam_admin, oaam_server, and so on.
4. Click Save.

24. Remove Default Domain Agent

The IDMDomain Agent provides single sign-on capability for administration consoles.
The Webgate handles single sign-on, so you must remove the IDMDomain Agent and restart
the Oracle WebLogic Server Administration Server and all running Managed Servers.
1. Log in to the WebLogic Server administration console using the URL:
http://admin.mycompany.com/console.
2. Select Security Realms from the Domain Structure menu.
3. Click myrealm.
4. Click the Providers tab.
5. Click Lock and Edit from the Change Center.
6. In the list of authentication providers, select IAMSuiteAgent.
7. Click Delete.
8. Click Yes to confirm the deletion.
9. Click Activate Changes from the Change Center.
10. Restart WebLogic Administration Server and all running Managed Servers.

25. Confirm Webgate Type and ID, and change SSOEnabled to true
Perform these steps to update the Webgate Type and Webgate ID using Oracle Enterprise
Manager Fusion Middleware Control:
1. Navigate to Identity and Access, then OIM, then oim(11.1.1.3.0).
2. Right-click on oim (11.1.1.3.0) and select System Mbean Browser.
3. Navigate to Application Defined Mbeans, then oracle.iam, then Server:
oim_server1, then Application:oim, then XMLConfig, then Config,
then XMLConfig.SSOConfig, then SSOConfig.
4. Change SSOEnabled to true.

26. Increase number of Web Gate connections

# Login to /oamconsole and increase the number of max connections to 4 for both Webgates.

# Restart Admin and Managed Servers:


$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain
$ nohup $DOMAIN_HOME/bin/startWebLogic.sh > /tmp/nohup-wls.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1 > /tmp/nohup-oam.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1 > /tmp/nohup-soa.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1 > /tmp/nohup-oim.out 2>&1 &

27. Create an OAM 11g Web Gate Instance

$ cd /appl/oracle/fmw-web/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
$ ./deployWebGateInstance.sh -w $WT1_INSTANCE_HOME/config/OHS/ohs1 -oh /appl/oracle/fmw-web/Oracle_OAMWebGate1

# Confirm folder creation and copy of files


$ ls -l $WT1_INSTANCE_HOME/config/OHS/ohs1/webgate/tools/openssl/simpleCA/ca*
$ export LD_LIBRARY_PATH=/appl/oracle/fmw-web/Oracle_WT1/lib
$ cd /appl/oracle/fmw-web/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools

# Configure OAM 11g WebGate


$ ./EditHttpConf -w $WT1_INSTANCE_HOME/config/OHS/ohs1 -oh /appl/oracle/fmw-web/Oracle_OAMWebGate1 -o out.log

# Verify that the last line of $WT1_INSTANCE_HOME/config/OHS/ohs1/httpd.conf contains the following:
include "$WT1_INSTANCE_HOME/config/OHS/ohs1/webgate.conf"

# The Webgate was already registered during configOAM, so next copy the WebGate
artifact files from $DOMAIN_HOME/output/$WEBGATENAME to
$WT1_INSTANCE_HOME/config/OHS/ohs1/webgate/config
$ cp /appl/oracle/fmw/user_projects/domains/base_domain/output/Webgate_IDM_11g/* $WT1_INSTANCE_HOME/config/OHS/ohs1/webgate/config/

# Restart OHS:

$ $WT1_INSTANCE_HOME/bin/opmnctl stopall;$WT1_INSTANCE_HOME/bin/opmnctl startall

28. Registering OID with the WLS Domain

$ export ORACLE_HOME=$IDM_HOME
$ export ORACLE_INSTANCE=$OID_ORACLE_INSTANCE
$ $ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost server1.us.oracle.com -adminPort 7001 -adminUsername weblogic

# Update the Enterprise Manager Repository URL

$ cd $ORACLE_INSTANCE/EMAGENT/EMAGENT/bin
$ ./emctl switchOMS http://server1.us.oracle.com:7001/em/upload

# Deploy the odsm.ear file via WebLogic deployment

# Use WebLogic Deployment > Install > ( Path Location : $IDM_HOME/ldap/odsm/odsm.ear )
# Choose "Install this deployment as an application" instead of the default library option.
# Restart the WebLogic Admin Server
$ /appl/oracle/fmw-ora/user_projects/domains/IAM_IDM_Domain/bin/stopWebLogic.sh
$ nohup /appl/oracle/fmw-ora/user_projects/domains/IAM_IDM_Domain/bin/startWebLogic.sh > /tmp/nohup-wl.out 2>&1 &
$ tail -f /tmp/nohup-wl.out | grep -i RUNNING

# Update OHS to allow the /odsm context

$ vi $WT1_INSTANCE_HOME/config/OHS/ohs1/moduleconf/admin.conf

# ODSM
<Location /odsm>
SetHandler weblogic-handler
WebLogicHost server1.us.oracle.com
WeblogicPort 7001
</Location>

$ $WT1_INSTANCE_HOME/bin/opmnctl stopall;$WT1_INSTANCE_HOME/bin/opmnctl startall

29. Enable WLS Plugin & Update OHS FrontEnd

# Click Lock & Edit. Click on <IDMDomain> -> Configuration -> Web Applications, scroll
down and check WebLogic Plugin Enabled.
# Also: Click on Environment -> Servers -> AdminServer -> Protocols -> HTTP. Change
the Frontend port to 7777. Activate Changes.
# Perform the same set of actions for the other Managed Servers.

30. Updating SOA Server Default Composites

In an integrated environment, Oracle Identity Manager is front-ended by OHS, so all SOA
server default composites must be updated. There is a known bug with self registration;
the steps below fix it.

Under SOA > soa-infra (<soa server name>) > default, the following OOTB composites are present:
DefaultRequestApproval
DefaultOperationalApproval
DefaultRoleApproval
DefaultSODApproval
BeneficiaryManagerApproval
RequesterManagerApproval

1. Log in to SOA's EM.
2. Expand SOA -> soa-infra (<soa server name>) -> default in the left panel.
3. For DefaultOperationalApproval [2.0] and DefaultRequestApproval [2.0], do the following two steps:
a. Double-click to open.
b. Under the "Component Metrics" section, click "ApprovalTask" and add/update the following fields:

Application Name: worklist
Host Name: <OHS host name>
HTTP Port: the OHS HTTP port, default 7777
HTTPS Port: leave it blank
URI: /identity/faces/adf.task-flow?_id=ApprovalTask_TaskFlow&_document=WEB-INF/ApprovalTask_TaskFlow.xml

31. Verify OIM OAM OID Integration

# Verify that login to the /identity or /sysadmin URL takes you to the SSO Login page, and
then directly to the OIM identity page without any login to the OIM page.

# Login as xelsysadm, create a new user, verify the user within OID, and log in
as the newly created user.

# Verify SSO while creating a new user:
http://server1.us.oracle.com:7777/identity
1. Create a new user.
2. Verify the user's creation within OID.
3. Login to http://server1.us.oracle.com:7777/sysadmin/ without any password prompt.
4. Login as the newly created user.

# Verify the lock/disable feature works by opening a browser and logging in as a test
user. Once that user is locked or disabled, the user must be logged out and redirected
back to the login page.

# Verify the SSO logout feature works by logging into Oracle Identity Self
Service as the test user or system administrator.

32. Start and Stop Sequence

# Stop Sequence:

Stop Admin and Managed Servers via console.

Stop OHS

$ export WT1_INSTANCE_HOME=/appl/oracle/fmw-web/Oracle_WT1/instances/instance1
$ export OHS_COMPONENT_NAME=ohs1
$ export OID_ORACLE_INSTANCE=/appl/oracle/fmw-idm/asinst_1

$ $WT1_INSTANCE_HOME/bin/opmnctl stopall

Stop OID

$ $OID_ORACLE_INSTANCE/bin/opmnctl stopall

# Start Sequence:

Start OID

$ $OID_ORACLE_INSTANCE/bin/opmnctl startall

Start Admin and Managed Servers.

$ export DOMAIN_HOME=/appl/oracle/fmw/user_projects/domains/base_domain
$ nohup $DOMAIN_HOME/bin/startWebLogic.sh > /tmp/nohup-wls.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1 > /tmp/nohup-oam.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1 > /tmp/nohup-soa.out 2>&1 &
$ nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1 > /tmp/nohup-oim.out 2>&1 &

Start OHS

$ $WT1_INSTANCE_HOME/bin/opmnctl startall


34. Notes:

# OAM password management process:

1. User logs in with username/password.
2. OAM authenticates the user against OID/LDAP.
3. OAM validates the password management attributes.
4. OAM identifies whether a password management redirect is required or not.
5. OAM lowers the authentication level.
6. OAM redirects the user to OIM for password management.
7. OIM performs the password management operations.
8. OIM redirects the user back to OAM with a user assertion.
9. OAM validates the assertion and upgrades the session.
10. OAM allows resource access.

# Directory attributes for Password Management

obLoginTryCount: Tracks the number of unsuccessful login tries attempted by the
user. The value is reset on successful login.
obLockoutTime: To lock an account, obLockoutTime has to be set to a
value in the future. To unlock an account, obLockoutTime must be set to the
current time or a time in the past; in addition, obLoginTryCount should be reset.
obPasswordChangeFlag: Indicates whether a password needs to be reset during
login. To force a password change on login, obPasswordChangeFlag must be
set. To clear the forced change, obPasswordChangeFlag must be unset.
obUserAccountControl: Flag indicating whether the user is activated.
Possible values: activated, deactivated. If no value is present,
activated is assumed.
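Added example, not from this guide or from Oracle: a Python helper that evaluates these four attributes for a user entry and produces the LDIF for the unlock procedure just described (obLockoutTime moved to now, obLoginTryCount reset). It assumes the attributes arrive as a dict from an LDAP search, that obLockoutTime is stored as Unix epoch seconds, and that obPasswordChangeFlag holds the string "true" when set.

```python
import time

# Attribute names as stored in the directory (LDAP names are case-insensitive).
LOCKOUT_ATTR = "oblockouttime"
TRYCOUNT_ATTR = "oblogintrycount"
CHANGEFLAG_ATTR = "obpasswordchangeflag"
ACCOUNTCTL_ATTR = "obuseraccountcontrol"

def _first(attrs, name):
    """Single string value of an attribute from a search-result dict, or None."""
    for key, value in attrs.items():
        if key.lower() == name:
            if isinstance(value, (list, tuple)):
                value = value[0] if value else None
            return value.decode() if isinstance(value, bytes) else value
    return None

def account_status(attrs, now=None):
    """Classify a user entry from its OAM password-management attributes."""
    now = int(time.time()) if now is None else int(now)
    lockout = _first(attrs, LOCKOUT_ATTR)
    tries = _first(attrs, TRYCOUNT_ATTR)
    flag = _first(attrs, CHANGEFLAG_ATTR)
    ctl = _first(attrs, ACCOUNTCTL_ATTR)
    return {
        # locked only while obLockoutTime lies in the future (assumed epoch seconds)
        "locked": bool(lockout and lockout.isdigit() and int(lockout) > now),
        # an absent obUserAccountControl means activated
        "deactivated": (ctl or "activated").lower() == "deactivated",
        # assumed: the flag holds the string "true" when set
        "must_change_password": (flag or "").lower() == "true",
        "failed_logins": int(tries) if tries and tries.isdigit() else 0,
    }

def unlock_ldif(dn, now=None):
    """LDIF modify that unlocks an account: lockout time set to now, try counter reset."""
    now = int(time.time()) if now is None else int(now)
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"replace: {LOCKOUT_ATTR}", f"{LOCKOUT_ATTR}: {now}", "-",
                      f"replace: {TRYCOUNT_ATTR}", f"{TRYCOUNT_ATTR}: 0", ""])

# Constructed sample entry (not from a real directory): 5 failed logins,
# locked until epoch 1410500000.
SAMPLE_LOCKED = {"obLoginTryCount": ["5"], "obLockoutTime": ["1410500000"]}

if __name__ == "__main__":
    print(account_status(SAMPLE_LOCKED, now=1410400000))
    print(unlock_ldif("cn=testuser,cn=Users,dc=example,dc=com", now=1410400000))
```

The generated LDIF can be applied with ldapmodify against OID; setting obLockoutTime to exactly the current time is enough to unlock, since the account is locked only while the value is in the future.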
