Oracle® Fusion Middleware Integration Guide for Oracle Access Manager 11g Release 1 (11.1.1) Part Number E15740-04
This chapter explains how to integrate Oracle Access Manager with Oracle Identity Manager.
The instructions in this chapter use Oracle Internet Directory as an example directory server only. Refer to the system requirements and certification documentation on Oracle Technology Network for more information about supported configurations. For more information, see Section 1.4, "System Requirements and Certification."
If using a different directory server in your environment, you will need to modify the steps accordingly. You can refer to the configuration scenarios described in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for more information.
This chapter contains these sections:
This integration enables you to manage identities with Oracle Identity Manager and control access to resources with Oracle Access Manager.
For more information, see Section 2.3, "Enabling Identity Administration with Oracle Identity Manager".
The high-level integration tasks consist of:
Ensuring that all prerequisites to integration have been met
Configuring the Oracle Access Manager server to integrate with Oracle Identity Manager
Creating the administrative user in the directory server
Configuring the Oracle Identity Manager server to integrate with Oracle Access Manager
Verifying the integration.
Perform the tasks in order, from Section 5.2 through Section 5.5.
Take the following steps to prepare for the integration procedure:
Install and configure required components, which include:
Oracle Database
Directory server (Oracle Internet Directory used as an example)
Oracle WebLogic Server
WebLogic domain with 11g components:
Oracle Access Manager
Oracle Identity Manager
Oracle SOA Suite
See Also:
Oracle Fusion Middleware Installation Guide for Oracle Identity Management
Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.
Set IDM_HOME to IDM_ORACLE_HOME, where Oracle Internet Directory is installed.
Set ORACLE_HOME to IAM_ORACLE_HOME, where Oracle Access Manager and Oracle Identity Manager are installed.
Locate the idmConfigTool utility in the directory:
IAM_ORACLE_HOME/idmtools/bin
You will use this utility in the next few steps to get the identity store ready for the integration.
Create a properties file with contents similar to the following:
IDSTORE_HOST : idstore.mycompany.com
IDSTORE_PORT : 389
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
where:
IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your identity store directory. If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com.)
IDSTORE_BINDDN is an administrative user in the identity store directory.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.
Name this file preconfigPropertyFile or similar as you will use it to preconfigure the identity store in the next step.
Use this properties file to perform general configuration of the identity store with the following command:
idmConfigTool -preConfigIDStore input_file=propertiesFile
Create a second properties file with contents as shown here:
IDSTORE_HOST : idstore.mycompany.com
IDSTORE_PORT : 389
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_SUPERUSER: weblogic_admin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP: OIMAdmins
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdmins
where:
IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your identity store directory. If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com.)
IDSTORE_BINDDN is an administrative user in the identity store directory.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely, but one example is the Oracle Identity Manager reconciliation user, which is also used for the bind DN user in Oracle Virtual Directory adapters.
IDSTORE_READONLYUSER is the name of a user you want to create which has Read Only permissions on your identity store.
IDSTORE_READWRITEUSER is the name of a user you want to create which has Read/Write permissions on your identity store.
IDSTORE_SUPERUSER is the name of the administration user you want to use to log in to the WebLogic Administration Console in the Oracle Fusion Applications domain.
IDSTORE_OAMSOFTWAREUSER is a user that gets created in LDAP and is used by Oracle Access Manager, while it is running, to connect to the LDAP server.
IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.
IDSTORE_OIMADMINUSER is the name of the administration user you would like to use to log in to the Oracle Identity Manager console.
IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group to hold users who have access to the Oracle Access Manager administration console.
Name this file preparePropertyFile or similar as you will use it to prepare the identity store in the next step.
Use this properties file to perform component-specific configuration of the identity store for integration using the following command:
idmConfigTool -prepareIDStore mode=all input_file=propertiesFile
Perform the following tasks for Oracle Identity Manager:
Configure LDAP synchronization (LDAP sync) in the domain where Oracle Identity Manager runs. Confirm that LDAP sync is operational before continuing.
Note:
When loading schemas as part of this step, first load the Oracle Access Manager schema and then load the Oracle Identity Manager schema.
For information about configuring LDAP synchronization, see the following sections in Chapter 15, "Configuring Oracle Identity Manager", in Oracle Fusion Middleware Installation Guide for Oracle Identity Management: "Completing the Prerequisites for Enabling LDAP Synchronization", "Running the LDAP Post-Configuration Utility", and "Verifying the LDAP Synchronization".
Using Oracle Directory Services Manager, configure the Oracle Virtual Directory adapters created in Step 8a to set the oamEnabled parameter to true.
In the domain running Oracle Identity Manager, execute the Oracle Identity Manager configuration wizard with the LDAP sync option enabled.
Notes:
These instructions assume that your directory server is Oracle Internet Directory. If using a different directory server, additional configuration may be required; see the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for details.
Before proceeding to the next step, ensure that an Oracle Identity Manager administrator account exists in the directory and is enabled.
Verify that the WebLogic managed servers for Oracle Access Manager and Oracle Identity Manager are shut down.
Restart the Oracle WebLogic Server Administration Server.
See Also:
Starting or Stopping the Oracle Stack in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Configure logout for the IDM domain agent. For details, see Configuring Centralized Logout for the IDM Domain Agent in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
Take these steps to integrate Oracle Access Manager with Oracle Identity Manager and the directory server:
Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.
Set IDM_HOME to IDM_ORACLE_HOME, where Oracle Internet Directory is installed.
Set ORACLE_HOME to IAM_ORACLE_HOME, where Oracle Access Manager and Oracle Identity Manager are installed.
Update the domain agent password as follows:
Log in to the Oracle Access Manager console:
http://oam_adminserver_host:port/oamconsole
Navigate to the System Configuration tab, then Access Manager Settings, then SSO Agents.
Double-click "OAM Agents", which opens a Webgate page on the right.
Click Search to list all webgate agents, including "IAMSuiteAgent".
Double-click it to edit the IAMSuiteAgent agent. Update the field "Access Client Password" with the desired password.
Log in to the Oracle WebLogic Server console:
http://oam_adminserver_host:port/console
Navigate to Security Realms, then myrealm. Open the Providers tab and edit IAMSuiteAgent.
Open the Provider Specific tab and update the agent password. Save the changes.
Restart the Oracle Access Manager managed server.
You will use the updated password in Step 4 below.
Create a properties file with the following contents:
WLSHOST: adminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
PRIMARY_OAM_SERVERS: oamhost1.mycompany.com:5575,oamhost2.mycompany.com:5575
WEBGATE_TYPE: ohsWebgate10g
ACCESS_GATE_ID: IAMSuiteAgent
COOKIE_DOMAIN: .us.oracle.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM_TRANSFER_MODE: OPEN
OAM11G_SSO_ONLY_FLAG: true
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_OIM_OHS_URL: https://sso.mycompany.com:443/
COOKIE_EXPIRY_INTERVAL: 120
Where:
WLSHOST and WLSPORT are, respectively, the host and port of your administration server; this will be the virtual name.
WLSADMIN is the WebLogic administrative user you use to log in to the WebLogic console.
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your identity store directory.
Note:
If using a directory server other than Oracle Internet Directory, specify the Oracle Virtual Directory host and port.
IDSTORE_BINDDN is an administrative user in Oracle Internet Directory.
Note:
If using a directory server other than Oracle Internet Directory, specify an Oracle Virtual Directory administrative user.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_OAMSOFTWAREUSER is the name of the user you use to interact with LDAP.
IDSTORE_OAMADMINUSER is the name of the user you use to access your Oracle Access Manager console.
PRIMARY_OAM_SERVERS is a comma-separated list of your Oracle Access Manager servers and the proxy ports they use.
Note:
To determine the proxy ports your Oracle Access Manager servers use:
Log in to the Oracle Access Manager console at http://admin.mycompany.com:7001/oamconsole
Click the System Configuration tab.
Expand Server Instances under the Common Configuration section.
Click on an Oracle Access Manager server, such as WLS_OAM1, and click Open.
The proxy port is shown as Port.
WEBGATE_TYPE is the type of WebGate agent you want to create.
ACCESS_GATE_ID is the name you want to assign to the WebGate. Do not change the property value shown above.
COOKIE_DOMAIN is the domain in which the WebGate functions.
OAM_TRANSFER_MODE is the security model in which the access servers function.
OAM11G_SSO_ONLY_FLAG determines whether Oracle Access Manager is used in authentication-only mode.
OAM11G_OIM_OHS_URL is the URL of the load balancer fronting the Oracle HTTP servers.
Name this file OAMconfigPropertyFile or similar as you will use it to configure Oracle Access Manager in the next step.
Configure Oracle Access Manager using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The command syntax is as follows:
idmConfigTool -configOAM input_file=propertiesFile
Integrate Oracle Identity Manager with Oracle Access Manager by performing the following steps:
On the machine where Oracle WebLogic Server and Oracle Identity Manager Server are installed, create the wlfullclient.jar file as follows:
Navigate to the MW_HOME/wlserver_10.3/server/lib directory.
Set your JAVA_HOME to MW_HOME/jdk160_18 and ensure that your JAVA_HOME/bin directory is in your path.
Create the wlfullclient.jar file by running:
java -jar wljarbuilder.jar
Verify that the jar file was created.
Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.
Set IDM_HOME to IDM_ORACLE_HOME, where Oracle Internet Directory is installed.
Set ORACLE_HOME to IAM_ORACLE_HOME, where Oracle Access Manager and Oracle Identity Manager are installed.
Create a properties file with contents as in the following:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: /obrar.cgi
ACCESS_SERVER_HOST: OAMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: IAMSuiteAgent
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: SIMPLE
WEBGATE_TYPE: javaWebgate
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_DIRECTORYTYPE: OID
IDSTORE_ADMIN_USER: cn=oamadmin,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@DBHOST:PORT:SID
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: adminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDM_Domain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
Notes:
The ACCESS_SERVER_PORT must be the Oracle Access Manager NAP port.
If your access manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Otherwise set OAM_TRANSFER_MODE to OPEN.
Set WEBGATE_TYPE to javaWebgate if using a domain agent; set it to ohsWebgate10g if using a 10g WebGate.
Set IDSTORE_PORT to your Oracle Internet Directory port.
Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name.
MDS_DB_URL in this case represents a single instance database. The string following the '@' symbol must have the correct values for your environment. SID must be the actual SID, not a service name.
The value of IDSTORE_ADMIN_USER must contain the complete LDAP DN of the user; the username alone is insufficient. The entry should be similar to "cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com" instead of just "oamadmin".
Name this file OIMconfigPropertyFile or similar as you will use it to configure Oracle Identity Manager in Step 4.
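The properties files for preConfigIDStore, prepareIDStore, configOAM and configOIM above all share the same layout and the same classes of mistake (a search base missing a dc= component, IDSTORE_ADMIN_USER given as a bare username, an unsupported OAM_TRANSFER_MODE or WEBGATE_TYPE, a PRIMARY_OAM_SERVERS entry without its proxy port). The following checker is an added example, not part of the Oracle guide or of idmConfigTool; the sample file it embeds is constructed, and the accepted value sets are taken only from this chapter's notes.

```python
"""Sanity-check an idmConfigTool properties file before running the tool.

Added example; not part of the Oracle guide or of idmConfigTool. It parses the
"KEY: value" / "KEY : value" layout of the files in this chapter and flags the
mistakes the chapter warns about: DN-valued keys that are not DNs (such as
IDSTORE_ADMIN_USER given as a bare username), a search base with a missing
"dc=" component, OAM_TRANSFER_MODE / WEBGATE_TYPE values outside the documented
set, and PRIMARY_OAM_SERVERS entries without a proxy port.
"""
import re
import sys

# Keys whose value must be a full LDAP DN (per the chapter's property lists).
DN_KEYS = {"IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE",
           "IDSTORE_SYSTEMIDBASE", "IDSTORE_ADMIN_USER"}
# Value sets documented in this chapter's notes.
ALLOWED = {"OAM_TRANSFER_MODE": {"OPEN", "SIMPLE"},
           "WEBGATE_TYPE": {"javaWebgate", "ohsWebgate10g"}}
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")   # one "type=value" component
HOST_PORT = re.compile(r"^[^:\s]+:\d+$")

# Constructed sample with four deliberate mistakes (not a file from the guide).
SAMPLE_BAD = """\
IDSTORE_HOST : idstore.mycompany.com
IDSTORE_PORT : 389
IDSTORE_USERSEARCHBASE: cn=Users,mycompany,dc=com
IDSTORE_ADMIN_USER: oamadmin
OAM_TRANSFER_MODE: open
PRIMARY_OAM_SERVERS: oamhost1.mycompany.com:5575,oamhost2.mycompany.com
"""


def parse_properties(text):
    """Return {KEY: value}; only the first ':' splits, so JDBC URLs keep their colons."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("no ':' in line: %r" % raw)
        props[key.strip()] = value.strip()
    return props


def is_dn(value):
    """True when every comma-separated component looks like type=value."""
    return bool(value) and all(RDN.match(p.strip()) for p in value.split(","))


def check_properties(props, required=()):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = ["missing required key %s" % k for k in required if k not in props]
    for key in sorted(DN_KEYS.intersection(props)):
        if not is_dn(props[key]):
            findings.append("%s must be a full LDAP DN, got %r" % (key, props[key]))
    for key, allowed in ALLOWED.items():
        if key in props and props[key] not in allowed:
            findings.append("%s must be one of %s, got %r" % (key, sorted(allowed), props[key]))
    for entry in props.get("PRIMARY_OAM_SERVERS", "").split(","):
        entry = entry.strip()
        if entry and not HOST_PORT.match(entry):
            findings.append("PRIMARY_OAM_SERVERS entry %r is not host:port" % entry)
    return findings


if __name__ == "__main__":
    # Usage: python check_props.py OAMconfigPropertyFile  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for finding in check_properties(parse_properties(text)) or ["no findings"]:
        print(finding)
```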
Change location to IAM_ORACLE_HOME/server:
cd IAM_ORACLE_HOME/server
Integrate Oracle Access Manager with Oracle Identity Manager using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
The syntax of the command is
idmConfigTool -configOIM input_file=propertiesFile
where propertiesFile is the file you set up in Step 2.
When the command executes you will be prompted for:
Access Gate Password
Single Sign-On (SSO) Keystore Password
Global Passphrase
Idstore Admin Password
MDS Database schema password
Admin Server User Password
Password to be used for Oracle Access Manager administrative user
Check the log file for errors and correct them if necessary.
Restart the Oracle Identity Manager managed server and the WebLogic Administration Server.
The final task is to verify the integration by performing, in order, the steps shown in Table 5-1:
Table 5-1 Verifying Oracle Access Manager-Oracle Identity Manager Integration
Step | Description | Expected Result |
---|---|---|
1 | Access the Oracle Access Manager Administration Console using the URL: http://admin_server_host:admin_server_port/oamconsole | Provides access to the console. The credential collector URL should be the Oracle Access Manager Managed Server URL. |
2 | Access the Oracle Identity Manager administration page with the URL: http://oimhost:oimport/admin/faces/pages/Admin.jspx | The Oracle Access Manager login page from the Oracle Access Manager managed server should appear. Check that the links for "Forgot Password", "Self Register" and "Track Registration" appear on the login page. |
3 | Log in as an Oracle Identity Manager administrator (the user referred to in Step 6 of Section 5.2). | The Oracle Identity Manager Admin Page should be accessible. |
4 | Create a new user on the Oracle Identity Manager Admin Page. Close the browser and try accessing the Oracle Identity Manager Admin Pages. When prompted for login, provide valid credentials for the newly-created user. | You should be redirected to Oracle Identity Manager and required to reset the password. |
5 | Close the browser and access the Oracle Identity Manager Admin Page. | The Oracle Access Manager login page from the Oracle Access Manager managed server should come up. Verify that the links for "Forgot Password", "Self Register" and "Track Registration" are available in the login page. Check that each link works. |
6 | To check that lock/disable works, open a browser and log in as a test user. In another browser session, log in as xelsysadm and lock the test user account. Click the Logout link on the OIM console. | The user must be logged out and redirected back to the login page. |
 | To test SSO logout, log in to the Oracle Identity Manager console as test user/xelsysadm. | Upon logout from the page, it must redirect to the SSO logout page. |
This section describes additional configuration that you may need to perform depending on your requirements.
Perform this task by following the instructions in Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for OAM in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Next, complete the configuration by performing these actions:
Take these steps to update the Webgate Type and WebGate ID using Oracle Enterprise Manager Fusion Middleware Control:
Navigate to Identity and Access, then OIM, then oim(11.1.1.3.0).
Right-click on oim (11.1.1.3.0) and select System Mbean Browser.
Navigate to Application Defined Mbeans, then oracle.iam, then Server: oim_server1, then Application:oim, then XMLConfig, then Config, then XMLConfig.SSOConfig, then SSOConfig.
This step is required to redirect users to the Oracle Access Manager login page for Oracle Identity Manager if they type in a URL of the form:
http://OHS_HOST:OHS_PORT/admin/faces/pages/Admin.jspx
Take these steps to set the preferred Webgate host:
Log in to the Oracle Access Manager console, Click on System Configuration, and navigate to Access Manager Settings, then SSO Agents, then OAM Agent.
Click the Search button. A list of WebGate IDs appears. Open the one registered in WebGate.
Update the Preferred Host field and set it to IAMSuiteAgent.
Click Apply.
Restart Oracle HTTP Server.
Note:
This step is needed if WebGate is configured in simple mode.
Follow the instructions in Creating Oracle Identity Manager SSO Keystore in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.
In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you log in to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, configuration is required to enable loading of the Nexaweb applet. The steps are as follows:
Log in to the Oracle Access Manager Console.
Create a new Webgate ID. To do so:
Click the System Configuration tab.
Click 10Webgates, and then click the Create icon.
Specify values for the following attributes:
Name: NAME_OF_NEW_WEBGATE_ID
Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT
Host Identifier: IAMSuiteAgent
Click Apply.
Edit the Webgate ID, as shown:
set 'Logout URL' = /oamsso/logout.html
Deselect the Deny On Not Protected checkbox.
Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configurations, when prompted for Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.
Log in to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.
Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:
/xlWebApp/.../*
/xlWebApp
/Nexaweb/.../*
/Nexaweb
Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:
/xlWebApp/.../*
/xlWebApp
/Nexaweb/.../*
/Nexaweb
Restart all the servers.
Update the ObAccessClient.xml file in the second Webgate. To do so:
Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.
Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.
Note:
Ensure that the DenyOnNotProtected parameter is set to 0.
Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.
Copy the mod_wls_ohs.conf from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/ directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then, open the mod_wls_ohs.conf of the second OHS to ensure that WebLogicHost and WebLogicPort still point to the Oracle Identity Manager managed server host and port.
Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:
<LocationMatch "/oamsso/*">
Satisfy any
</LocationMatch>
Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then, open the logout.html file of the second Webgate to ensure that the host and port setting of the SERVER_LOGOUTURL variable are pointing to the correct OAM host and port.
Log in to the Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID name. In the Operations section, verify that the host and port for the second OHS are listed. If not, then click the add icon (+ sign) to add them. Then, click Apply.
Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:
http://SECOND_OHS_HOST:SECOND_OHS_PORT/admin/faces/pages/Admin.jspx