Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 1 (11.1.1) Part Number E12035-02
This chapter describes how to configure single sign-on for administration consoles. The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
This chapter includes the following topics:
Section 8.2, "Running the Oracle Access Manager Configuration Tool"
Section 8.3, "Validating the Policy Domain and AccessGate Configurations"
Section 8.5, "Changing the Login Form for the Administration Server"
Section 8.6, "Creating WebLogic Administrative Users in an LDAP Directory"
Section 8.8, "Validate the Oracle Access Manager Single Sign-On Setup"
Make sure that these steps have been performed before moving on to the next section:
Oracle Access Manager has been installed and configured as described in Chapter 7, "Installing and Configuring Oracle Access Manager."
Ensure that the policy protecting the Policy Manager ("/access") has been created and enabled. If this is not enabled, use the Policy Manager console to enable it. Follow the steps below to enable this policy:
Open a web browser and bring up the Policy Manager Console using the following URL:
http://oamadminhost.mycompany.com:7777/access/oblix
Click the Policy Manager link.
On the Policy Manager landing page, click the My Policy Domains link.
On the My Policy Domains page, click the Policy Manager link.
On the General tab on the Policy Manager page, click Modify.
Click Yes to enable the "/access" policy.
Click the Save button to save the changes.
If a WebGate profile was set up manually by following the steps in Section 7.4.3.1, "Creating a WebGate Profile" or if you are planning on using an existing WebGate, make sure that the host identifier has been set up properly. The host identifier value is required for enabling single sign-on.
The Oracle Access Manager Configuration tool (OAM Configuration tool) is a command line utility provided to automatically enable single sign-on with Oracle Access Manager. The OAM Configuration tool runs a series of scripts and sets up the required policies. It requires a set of parameters as inputs. Specifically, the tool creates the following:
A Form Authentication scheme in Oracle Access Manager
Policies to enable authentication in the Oracle WebLogic Server
Optionally, a WebGate profile in Oracle Access Manager to enable Oracle HTTP Server WebGates (from your web tier) to protect your configured applications. When this option is selected a WebGate profile is created for every application configured using the tool.
A host identifier, depending on the scenario you choose. The host identifier is used to configure the WebGate hosts that send requests to your application. When a host identifier is not supplied, a default one is created with the "app_domain" name.
Policies to protect and un-protect application-specific URLs. These policies would be configured for the host identifier created or provided in the previous step.
Note:
If you plan on using an existing WebGate, the host identifier value of this WebGate must be used for the web_domain parameter when running the OAM Configuration tool.
Before you run the OAM Configuration tool, collect the following information:
LDAP Host: The host name of the Directory Server or a load balancer address (in the case of a high availability or enterprise deployment configuration).
LDAP Port: The port of the Directory Server.
LDAP USER DN: The DN of the LDAP Administrator user. This will be a value such as cn=orcladmin.
LDAP Password: Password of the LDAP Administrator user.
oam_aaa_host: The host name of an Oracle Access Manager.
oam_aaa_port: The port of an Oracle Access Manager.
The OAM Configuration tool is located in the directory shown below. This tool can be run from any host that has Oracle Fusion Middleware 11g Release 1 installed.
ORACLE_HOME/modules/oracle.oamprovider_11.1.1/
Set the JAVA_HOME value before running the tool as shown below:
export JAVA_HOME=$MW_HOME/jrockit_160_05_R27.6.2-20
The syntax for using the OAM Configuration tool is:
$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE [param=value]...
Table 8-1 shows the basic OAM Configuration tool parameters and their values.
Table 8-1 Basic Parameters for the OAM Configuration Tool
Parameter | Value |
---|---|
app_domain |
Oracle Access Manager policy domain name |
web_domain |
Name of the web domain. If you want the tool to automatically create a WebGate profile entry, do not pass this parameter. If you manually created a WebGate profile, use the value of the host identifier for that WebGate. Refer to Section 7.4.3.1, "Creating a WebGate Profile" for more information. |
protected_uris |
"uri1,uri2,uri3" |
app_agent_password |
Password to be provisioned for App Agent |
ldap_host |
Host name of LDAP server |
ldap_port |
Port of LDAP server |
ldap_userdn |
DN of LDAP Administrator user |
ldap_userpassword |
Password of LDAP Administrator user |
oam_aaa_host |
Host name of an Oracle Access Manager |
oam_aaa_port |
Port of an Oracle Access Manager |
The OAM Configuration tool has optional parameters that can be used for CREATE mode. Table 8-2 shows those parameters.
Table 8-2 OAM Configuration Tool Optional Parameters for CREATE Mode
Parameter | Value |
---|---|
cookie_domain |
Domain name to use for Single Sign-On cookie |
public_uris |
"uri1,uri2,uri3" |
ldap_base |
Base DN from which all LDAP searches will be done |
oam_aaa_mode |
One of OPEN, SIMPLE, CERT. Defaults to OPEN. |
oam_aaa_passphrase |
Passphrase required for SIMPLE mode |
log_file |
Name of the log file. Defaults to console output |
log_level |
One of ALL, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, OFF. Defaults to OFF. |
output_ldif_file |
Name of the LDIF file to store changes. If specified, will generate LDIF to be loaded later. |
This is an example command for running the OAM Configuration tool when you want the tool to create a WebGate profile:
$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="IDMEDG" \
cookie_domain=".mycompany.com" \
protected_uris="/em,/console" app_agent_password="welcome1" \
ldap_host=oid.us.oracle.com ldap_port=389 ldap_userdn="cn=orcladmin" \
ldap_userpassword=password oam_aaa_host=oamhost1.mycompany.com \
oam_aaa_port=6023
Note:
The web_domain parameter should not be provided when you use the OAM Configuration Tool to create the WebGate profile.
The following output is displayed when the command completes successfully:
Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.
Operation Summary:
Policy Domain : IDMEDG
Host Identifier: IDMEDG
Access Gate ID : IDMEDG_AG
Note:
The Access Gate ID value above should be used as the WebGate ID when performing the WebGate installation described in Section 7.4.3.3, "Installing the WebGate."
This is an example command for running the OAM Configuration tool when you plan on using an existing WebGate:
$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="IDMEDG" \
web_domain="idmEDG_WD" cookie_domain=".mycompany.com" \
protected_uris="/em,/console" app_agent_password="welcome1" \
ldap_host=oid.us.oracle.com ldap_port=389 ldap_userdn="cn=orcladmin" \
ldap_userpassword=<password> oam_aaa_host=oamhost1.mycompany.com \
oam_aaa_port=6023
The following output is displayed when the command completes successfully:
Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.
Operation Summary:
Policy Domain : IDMEDG
Host Identifier: idmedg_wd
Access Gate ID : idmedg_wd_AG
To validate that the tool created the policies correctly, run the tool in VALIDATE mode:
java -jar oamcfgtool.jar mode=VALIDATE app_domain="IDMEDG" ldap_host=oid.mycompany.com ldap_port=389 ldap_userdn="cn=orcladmin" ldap_userpassword=welcome1 oam_aaa_host=oamhost1.mycompany.com oam_aaa_port=6023 test_username=orcladmin test_userpassword=welcome1
The output from the VALIDATE command is shown below:
Processed input parameters
Initialized Global Configuration
Validating app_domain: IDMEDG : OK.
Validating web_domain: IDMEDG : OK.
Validating access_gate: IDMEDG_AG : OK.
Found url:http://IDMEDG/public
Found url:http://IDMEDG/em
Found url:http://IDMEDG/console
Successfully completed the Validate operation
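The Operation Summary printed by CREATE and the lines printed by VALIDATE can be cross-checked mechanically before the WebGate is installed, so that the Access Gate ID and every protected URI are confirmed rather than read off the screen. The following Python script is an added example and is not part of this guide or of the OAM Configuration tool; the two output samples inside it are constructed to match the IDMEDG run shown above, and the regular expressions assume the tool prints one item per line in the form shown.

```python
import re

# Constructed samples of the tool's output, laid out one item per line, with the
# values from the IDMEDG run shown above.
CREATE_OUTPUT = """\
Processed input parameters
Initialized Global Configuration
Successfully completed the Create operation.
Operation Summary:
Policy Domain : IDMEDG
Host Identifier: IDMEDG
Access Gate ID : IDMEDG_AG
"""

VALIDATE_OUTPUT = """\
Processed input parameters
Initialized Global Configuration
Validating app_domain: IDMEDG : OK.
Validating web_domain: IDMEDG : OK.
Validating access_gate: IDMEDG_AG : OK.
Found url:http://IDMEDG/public
Found url:http://IDMEDG/em
Found url:http://IDMEDG/console
Successfully completed the Validate operation
"""

SUMMARY_RE = re.compile(r"^(Policy Domain|Host Identifier|Access Gate ID)\s*:\s*(\S+)\s*$", re.M)
VALIDATING_RE = re.compile(r"^Validating (\w+):\s*(\S+)\s*:\s*(\w+)\.?\s*$", re.M)
FOUND_URL_RE = re.compile(r"^Found url:\s*(\S+)\s*$", re.M)
URL_RE = re.compile(r"^https?://([^/]+)(/.*)$")


def parse_create_summary(text):
    """Return the three Operation Summary values; raise if CREATE did not succeed."""
    if "Successfully completed the Create operation" not in text:
        raise ValueError("CREATE did not report success")
    summary = dict(SUMMARY_RE.findall(text))
    missing = {"Policy Domain", "Host Identifier", "Access Gate ID"} - set(summary)
    if missing:
        raise ValueError("Operation Summary lacks: %s" % ", ".join(sorted(missing)))
    return summary


def parse_validate(text):
    """Return the per-item validation results and the URLs the tool found."""
    checks = {item: (value, status) for item, value, status in VALIDATING_RE.findall(text)}
    urls = FOUND_URL_RE.findall(text)
    ok = ("Successfully completed the Validate operation" in text
          and bool(checks) and all(status == "OK" for _, status in checks.values()))
    return {"checks": checks, "urls": urls, "ok": ok}


def cross_check(create_text, validate_text, protected_uris):
    """Confirm every URI passed as protected_uris was found under the host identifier
    that CREATE reported, and hand back the Access Gate ID for the WebGate install."""
    summary = parse_create_summary(create_text)
    validation = parse_validate(validate_text)
    host_id = summary["Host Identifier"]
    found_paths = set()
    for url in validation["urls"]:
        m = URL_RE.match(url)
        # The VALIDATE output prefixes each URI with the host identifier, not a real host.
        if m and m.group(1).lower() == host_id.lower():
            found_paths.add(m.group(2))
    missing = [uri for uri in protected_uris if uri not in found_paths]
    return {
        "ok": validation["ok"] and not missing,
        "access_gate_id": summary["Access Gate ID"],
        "host_identifier": host_id,
        "missing": missing,
        "validated_paths": sorted(found_paths),
    }


if __name__ == "__main__":
    print(cross_check(CREATE_OUTPUT, VALIDATE_OUTPUT, ["/em", "/console"]))
```

The value of protected_uris given to cross_check should be the same list that was passed to the tool in CREATE mode; a URI that is missing from the VALIDATE output is reported rather than silently left unprotected.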
The OAM Configuration Tool uses the value of the app_domain parameter to create a host identifier for the policy domain. This host identifier must be updated with all the hostname variations for the host so that the configuration works correctly. Follow the steps below to update the host identifier created by the OAM Configuration Tool:
Navigate to the Access System Console by specifying the following URL in your web browser:
http://hostname:port/access/oblix
where hostname refers to the host where the WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.
For example, enter the following URL in your web browser:
http://oamadminhost.mycompany.com:7777/access/oblix
When prompted for a username and password, log in as an Administrator. Click OK.
On the Access System main page, click the Access System Console link.
On the Access System Console page, click the Access System Configuration tab.
On the Access System Configuration page, click Host Identifiers at the bottom left.
On the List all host identifiers page, click on the host identifier created by the OAM Configuration Tool. For example, select IDMEDG.
On the Host Identifier Details page, click Modify.
On the Modifying host identifier page, add all the possible hostname variations for the host. Click the plus and minus symbols to add or delete fields as necessary. The Preferred HTTP Host value used in the Access System Configuration must be added as one of the hostname variations. For example: idmedg_wd, webhost1.mycompany.com:7777, admin.mycompany.com:7777
Select the check box next to Update Cache and then click Save.
A message box with the following message is displayed: "Updating the cache at this point will flush all the caches in the system. Are you sure?"
Click OK to finish saving the configuration changes.
Verify the changes on the Host Identifier Details page.
The OAM Configuration Tool populates the Preferred_HTTP_Host and hostname attributes for the WebGate profile that is created with the value of the app_domain parameter. Both these attributes must be updated with the proper values for the configuration to work correctly. Follow the steps below to update the WebGate profile created by the OAM Configuration Tool.
Navigate to the Access System Console by specifying the following URL in your web browser:
http://hostname:port/access/oblix
where hostname refers to the host where the WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.
For example, enter the following URL in your web browser:
http://oamadminhost.mycompany.com:7777/access/oblix
On the Access System main page, click the Access System Console link, then log in as an Administrator.
On the Access System Console main page, click the Access System Configuration link to display the AccessGates Search page.
Enter the proper search criteria and click Go to display a list of AccessGates.
Select the AccessGate created by the OAM Configuration Tool. For example: IDMEDG_AG
On the AccessGate Details page, select Modify to display the Modify AccessGate page.
On the Modify AccessGate page, update:
Hostname: Update the hostname with the name of the computer where WebGate is running. For example: webhost1.mycompany.com
Preferred HTTP Host: Update the Preferred_HTTP_Host with one of the hostname variations specified in the previous section, for example: admin.mycompany.com:7777
Click Save. A message box with the "Are you sure you want to commit these changes?" message is displayed.
Click OK to finish updating the configuration.
Verify the values displayed on the Details for AccessGate page to confirm that the updates were successful.
The WebGates in the IDM Domain also need to act as delegated authentication WebGates, that is, they receive authentication requests from external applications or domains in the enterprise. To enable delegated authentication, the form authentication scheme created by the OAM Configuration Tool must be modified to add the Challenge Redirect parameter.
Follow the steps below to add the challenge redirect parameter to the Form authentication scheme:
Use a web browser to display the Access Console using the URL below:
http://oamadminhost.mycompany.com:7777/access/oblix
Click the Access System Console link and log in using the credentials for the orcladmin user.
On the main page, click the Access System Configuration tab.
On the Access System Configuration page, click the Authentication Management link on the left hand side.
On the Authentication Management page, under the List all Authentication Schemes table, click the link for the form authentication scheme created by the tool. The form authentication scheme created by the tool is called OraDefaultFormAuthNScheme.
On the Details for Authentication Scheme page, click Modify to modify the configuration of the authentication scheme.
On the Modifying Authentication Scheme page, update the Challenge Redirect parameter with the Single Sign-On virtual host configured in the load balancer. Use https://sso.mycompany.com to update the Challenge Redirect parameter.
Click Save to save the updated configuration.
To validate that the configuration was successful, follow the steps below:
Using a web browser, bring up either the Oracle WebLogic Administration Console or Oracle Enterprise Manager Fusion Middleware Control:
URL for the WebLogic Administration Server Console:
http://admin.mycompany.com:7777/console
URL for the Enterprise Manager Oracle Fusion Middleware Control:
http://admin.mycompany.com:7777/em
Log into the console using the administrator user's credentials.
This will redirect your web browser to http://sso.mycompany.com during authentication.
The next part of the process is to validate the policy domain configuration and the AccessGate configuration.
Follow these steps to verify that the policy domain was created properly:
In a web browser, enter this URL to access the Oracle Access Manager console:
http://OAMADMINHOST:port/access/oblix
Click Policy Manager.
Click the My Policy Domains link on the left panel. You will see a list of all the policy domains, which includes the domain you just created. For example: IDMEDG. In the third column, URL prefixes, you will see the URIs you specified when creating the policy domain.
Click the link to the policy domain you just created. This displays the General area of this domain.
Click the Resources tab. On this tab you can see the URIs you specified. Click other tabs to view other settings.
Follow these steps to verify that the AccessGate was configured properly:
In the Oracle Access Manager console, click the Access System Console link. This link is a toggle. When it is the Access System Console link and you click it, it becomes the Policy Manager link. When it is the Policy Manager link and you click it, it becomes the Access System Console link.
Click the Access System Configuration tab.
Click the AccessGate Configuration link on the left panel.
Enter some search criteria and click Go.
When the name of the AccessGate for the domain you created appears (it may have the suffix _AG when created by the OAM Configuration Tool, for example, IDMEDG_AG), click it to view the details of the AccessGate you created.
This section describes the steps for setting up Oracle WebLogic Server authenticators.
Follow these steps to set up the Oracle Internet Directory authenticator:
Begin by backing up these relevant configuration files:
DOMAIN_HOME/config/config.xml
DOMAIN_HOME/config/fmwconfig/jps-config.xml
DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml
Back up the DOMAIN_HOME/servers/adminServer/boot.properties file for the Administration Server.
Follow these steps to configure the Identity Store to use LDAP, setting the proper authenticator using the WebLogic Administration Server Console:
Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.
Click the Security Realms link on the left navigational bar.
Click the myrealm default realm entry to configure it.
Click the Providers tab within the realm.
Note that there is a DefaultAuthenticator provider configured for the realm.
Click the New button to add a new provider.
Enter a name for the provider, such as "OIDAuthenticator" for a provider that will authenticate the user to the Oracle Internet Directory.
Select the "OracleInternetDirectoryAuthenticator" type from the list of authenticators.
Click OK.
On the Providers screen, click the newly created OIDAuthenticator.
Set the Control Flag to SUFFICIENT. This indicates that if a user can be authenticated successfully by this authenticator, then WebLogic Server should accept that authentication and should not continue to invoke any additional authenticators. If the authentication fails, it falls through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT. In particular, check the DefaultAuthenticator and set that to SUFFICIENT.
Click Save to save this setting.
Click the Provider Specific tab to enter the details for the LDAP server.
Enter the details specific to your LDAP server, as shown in the following table:
Parameter | Value | Description |
---|---|---|
Host | The LDAP server's server ID. For example: oid.mycompany.com | |
Port | The LDAP server's port number. For example: 636 | |
Principal | The LDAP user DN used to connect to the LDAP server. For example: cn=orcladmin | |
Credential | The password used to connect to the LDAP server | |
SSL Enabled | Checked | Specifies whether SSL protocol is used when connecting to LDAP server. |
User Base DN | Specify the DN under which your Users start. For example: cn=users,dc=us,dc=mycompany,dc=com | |
Group Base DN | Specify the DN that points to your Groups node. For example: cn=groups,dc=us,dc=mycompany,dc=com | |
Use Retrieved User Name as Principal | Checked | Must be turned on. |
Click Save when done.
Click Activate Changes to propagate the changes.
The console displays a message that a restart is required for the changes to take effect. Do not restart the servers as indicated; this will be done after setting up all the WebLogic Authenticators, as described in Section 8.4.4, "Stop and Start the WebLogic Administration Servers and Managed Servers."
Follow these steps to set up the OAM ID Asserter:
Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.
Navigate to SecurityRealms > Default Realm Name > Providers.
Click New and select OAM Identity Asserter from the drop down menu.
Name the asserter, for example: OAM ID Asserter
Then click OK.
Click the newly-added asserter to see the configuration screen for OAM Identity Asserter.
Set the Control Flag to REQUIRED, and then click Save.
Configure the additional attributes below for the OAM Identity Asserter on the Provider Specific tab:
Application Domain: Provide the Oracle Access Manager policy domain name. Use the app_domain parameter passed to the OAM Configuration Tool. For example: IDMEDG.
Primary Access Server: Provide Oracle Access Manager server endpoint information in the host:port format. For example: oamhost1.mycompany.com:6023
AccessGate Name: Name of the AccessGate (for example, IDMEDG_WD). Use the AccessGate name created by the OAM Configuration Tool or created manually in Section 7.4.3.1, "Creating a WebGate Profile."
AccessGate Password: Password for the AccessGate, if one was provided.
Accept the default values for all the other attributes, unless required for your environment.
Save the settings.
Click Activate Changes to propagate the changes.
Follow the steps below to reorder the providers in the order shown below:
Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.
Navigate to SecurityRealms > Default Realm Name > Providers.
Ensure that the Control Flag for each authenticator is set correctly.
Click Reorder under the Authentication Providers table.
On the Reorder Authentication Providers page, reorder the providers as shown below:
OAM Identity Asserter (REQUIRED) > OID Authenticator (SUFFICIENT) > Default Authenticator (SUFFICIENT) > DefaultIdentityAsserter
Save the settings.
Click Activate Changes to propagate the changes.
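Why the control flags set in Section 8.4 and the provider order above matter can be shown by evaluating the chain under the JAAS control-flag rules that WebLogic authentication providers follow (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL). The Python script below is an added example, not WebLogic Server code: the two identity stores are constructed dictionaries standing in for Oracle Internet Directory and the embedded LDAP, and the OAM Identity Asserter is left out because it maps the single sign-on token to a user name rather than verifying a password. The script compares the chain this section configures with the chain as the installer leaves it (DefaultAuthenticator first and REQUIRED), which is the state in which a directory user such as weblogic_idm cannot log in.

```python
from collections import namedtuple

# name, JAAS control flag, and a callable(user, password) -> bool
Provider = namedtuple("Provider", "name flag authenticate")

# Constructed identity stores standing in for the two user sources:
# Oracle Internet Directory holds the enterprise admin user provisioned in Section 8.6,
# the embedded LDAP holds only the user created when the domain was installed.
OID_USERS = {"weblogic_idm": "Welcome1"}
EMBEDDED_USERS = {"weblogic": "welcome1"}


def password_check(store):
    """Return an authenticate callable backed by the given dictionary."""
    return lambda user, password: store.get(user) == password


def run_chain(providers, user, password):
    """Evaluate the authenticators under JAAS control-flag semantics.
    Returns (overall_success, trace); trace lists (name, flag, result) for each
    provider that actually ran, which shows where the chain stopped."""
    required_seen = required_failed = optional_ok = False
    trace = []
    for p in providers:
        ok = p.authenticate(user, password)
        trace.append((p.name, p.flag, ok))
        if p.flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if p.flag == "REQUISITE":
                    break          # a REQUISITE failure stops the chain at once
        elif p.flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, trace  # success ends the chain; later providers never run
            # a failed SUFFICIENT simply falls through to the next provider
        elif p.flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError("unknown control flag %r" % (p.flag,))
    if required_seen:
        return (not required_failed), trace
    # With no REQUIRED/REQUISITE providers, at least one OPTIONAL or SUFFICIENT must succeed.
    return optional_ok, trace


def configured_chain():
    """The order and flags this section sets: OID first, both SUFFICIENT."""
    return [Provider("OIDAuthenticator", "SUFFICIENT", password_check(OID_USERS)),
            Provider("DefaultAuthenticator", "SUFFICIENT", password_check(EMBEDDED_USERS))]


def as_installed_chain():
    """The chain as the installer leaves it: DefaultAuthenticator first and REQUIRED,
    with an OID authenticator merely appended behind it."""
    return [Provider("DefaultAuthenticator", "REQUIRED", password_check(EMBEDDED_USERS)),
            Provider("OIDAuthenticator", "SUFFICIENT", password_check(OID_USERS))]


if __name__ == "__main__":
    for chain in (configured_chain, as_installed_chain):
        for user, pw in (("weblogic_idm", "Welcome1"), ("weblogic", "welcome1")):
            print(chain.__name__, user, run_chain(chain(), user, pw))
```

In the configured chain a directory user is accepted by the OID authenticator and the DefaultAuthenticator never runs, while the original weblogic user still falls through to the embedded LDAP. In the as-installed chain the REQUIRED DefaultAuthenticator fails first for weblogic_idm, and JAAS then rejects the login even though the OID authenticator succeeds afterwards.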
The WebLogic Administration Server and the associated Managed Servers must be restarted for the configuration changes to take effect. Follow the steps below to stop and then start the WebLogic Administration Server and the Managed Servers (wls_ods1 and wls_ods2):
Using the WebLogic Administration Server Console, stop the Administration Server and the wls_ods1 and wls_ods2 Managed Servers.
Verify that the server processes have been successfully stopped.
On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the DOMAIN_HOME/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter.
./startWebLogic.sh >logfile 2>&1 &
For example:
./startWebLogic.sh >$DOMAIN_HOME/servers/AdminServer/logs/aserver.out 2>&1 &
Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.
Log into the console using the administrator user's credentials.
Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console.
To enable the Oracle WebLogic Administration Server Console application to direct login requests to its root, update the web.xml file by following these steps:
Make a backup copy of the following file:
ORACLE_BASE/fmw/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/web.xml
For example:
cp ORACLE_BASE/fmw/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/web.xml ORACLE_BASE/fmw/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/web.xml.backup
Edit the web.xml file and change the form-login-page URL to "/".
Specifically, change:
<login-config>
  <auth-method>CLIENT-CERT,FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/LoginForm.jsp</form-login-page>
    <form-error-page>/login/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
to:
<login-config>
  <auth-method>CLIENT-CERT,FORM</auth-method>
  <form-login-config>
    <form-login-page>/</form-login-page>
    <form-error-page>/login/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
Restart the Administration Server.
Validate that the changes made were successful by bringing up the Administration Server Console.
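The same edit can be applied and verified with a script rather than by hand, which keeps the change to exactly the form-login-page element and leaves the error page and auth-method untouched. The Python script below is an added example, not part of this guide or of WebLogic Server; the web.xml fragment inside it is constructed from the login-config shown above and carries the javaee namespace a deployed web.xml normally declares, and the file-rewriting helper takes the path to web.xml as an assumed parameter.

```python
import shutil
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
# Keep the default namespace unprefixed when the tree is written back out.
ET.register_namespace("", JAVAEE_NS)

# Constructed fragment of the console web.xml, reduced to the login-config shown above.
SAMPLE_WEB_XML = """<web-app xmlns="%s" version="2.5">
  <display-name>console</display-name>
  <login-config>
    <auth-method>CLIENT-CERT,FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/LoginForm.jsp</form-login-page>
      <form-error-page>/login/LoginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
""" % JAVAEE_NS


def _local(tag):
    """Strip a {namespace} prefix so elements match whether or not web.xml declares one."""
    return tag.rsplit("}", 1)[-1]


def _form_login_page(root):
    """Locate form-login-page, but only inside a login-config element."""
    for login_config in root.iter():
        if _local(login_config.tag) != "login-config":
            continue
        for el in login_config.iter():
            if _local(el.tag) == "form-login-page":
                return el
    return None


def get_form_login_page(xml_text):
    """Return the current form-login-page value, or None if there is none."""
    el = _form_login_page(ET.fromstring(xml_text))
    return None if el is None else el.text


def set_form_login_page(xml_text, new_page="/"):
    """Return (previous value, updated XML text); raise if the element is absent."""
    root = ET.fromstring(xml_text)
    el = _form_login_page(root)
    if el is None:
        raise ValueError("web.xml has no form-login-page inside login-config")
    previous = el.text
    el.text = new_page
    return previous, ET.tostring(root, encoding="unicode")


def rewrite_web_xml(path, new_page="/"):
    """Back up web.xml to <path>.backup, rewrite it in place, and return the old value.
    The path is an assumed parameter, for example the consoleapp WEB-INF/web.xml above."""
    shutil.copy2(path, path + ".backup")
    with open(path, encoding="utf-8") as fh:
        previous, updated = set_form_login_page(fh.read(), new_page)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated)
    return previous


if __name__ == "__main__":
    before, after = set_form_login_page(SAMPLE_WEB_XML)
    print("form-login-page changed from", before, "to", get_form_login_page(after))
```

Run rewrite_web_xml against the real file once the Administration Server is stopped, then restart it as the step above says; get_form_login_page on the rewritten file is the check that the change took.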
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter domain). The application domains are configured to authenticate using the central Identity Management domain.
By default, when the Oracle WebLogic Server is installed and configured, the WebLogic admin user is created in its local LDAP store with the username weblogic. For an enterprise deployment, it is required to have all users and groups provisioned in an LDAP user directory such as Oracle Internet Directory that is a part of the centralized Identity Management Domain. This section provides details for provisioning a new administrator user and group for managing the Identity Management WebLogic Domain. This section describes the following:
Section 8.6.1, "Provisioning Admin Users and Groups in an LDAP Directory"
Section 8.6.2, "Assigning the Admin Role to the Admin Group"
Section 8.6.3, "Updating the boot.properties File on IDMHOST1 and IDMHOST2"
As mentioned in the introduction to this section, users and groups from multiple WebLogic domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic admin user may have access to all the domains within an enterprise. This is not a desirable situation. To avoid this, the users and groups provisioned must have a unique distinguished name within the directory tree. In this guide, the admin user and group for the IDM WebLogic Domain will be provisioned with the DNs below:
Admin User DN:
cn=weblogic_idm,cn=Users,dc=us,dc=mycompany,dc=com
Admin Group DN:
cn=IDM Administrators, cn=Groups,dc=us,dc=mycompany,dc=com
Follow the steps below to provision the admin user and admin group in Oracle Internet Directory:
Create an ldif file named admin_user.ldif with the contents shown below and then save the file:
dn: cn=weblogic_idm, cn=Users, dc=us, dc=mycompany, dc=com
orclsamaccountname: weblogic_idm
givenname: weblogic_idm
sn: weblogic_idm
userpassword: Welcome1
obver: 10.1.4.0
mail: weblogic_idm
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
objectclass: oblixorgperson
uid: weblogic_idm
cn: weblogic_idm
description: Admin User for the IDM Domain
Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the user in Oracle Internet Directory. For example:
ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f admin_user.ldif
Create an ldif file named admin_group.ldif with the contents shown below and then save the file:
dn: cn=IDM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
displayname: IDM Administrators
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_idm,cn=users,dc=us,dc=mycompany,dc=com
cn: IDM Administrators
description: Administrators Group for the IDM Domain in OID
Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the group in Oracle Internet Directory. For example:
ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f admin_group.ldif
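Before the two LDIF files are loaded, the group entry can be checked against the user entry so that a mis-typed uniquemember, or a DN already used by another domain's administrator, is caught before ldapadd runs. The Python script below is an added example, not part of this guide or of Oracle Internet Directory tooling; it contains copies of the two entries above as inline strings, implements only the subset of LDIF those entries use (one attribute per line, no base64 or continuation lines), and takes the list of DNs already used by other domains as a constructed input.

```python
# Constructed copies of the two entries shown above (same values as the guide's example).
ADMIN_USER_LDIF = """\
dn: cn=weblogic_idm, cn=Users, dc=us, dc=mycompany, dc=com
orclsamaccountname: weblogic_idm
givenname: weblogic_idm
sn: weblogic_idm
userpassword: Welcome1
obver: 10.1.4.0
mail: weblogic_idm
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
objectclass: oblixorgperson
uid: weblogic_idm
cn: weblogic_idm
description: Admin User for the IDM Domain
"""

ADMIN_GROUP_LDIF = """\
dn: cn=IDM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
displayname: IDM Administrators
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_idm,cn=users,dc=us,dc=mycompany,dc=com
cn: IDM Administrators
description: Administrators Group for the IDM Domain in OID
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value' per line.
    Base64 ('::') values and continuation lines are not handled; the entries above use neither."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        # Attribute names are case-insensitive, so key them in lower case.
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Fold case and drop whitespace around RDN separators so DNs compare by value."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_admin_provisioning(user_ldif, group_ldif, dns_in_use=()):
    """Check that the group references the user and that the user's DN is not already
    taken by another domain's admin (dns_in_use is a constructed list of such DNs)."""
    user = parse_ldif(user_ldif)[0]
    group = parse_ldif(group_ldif)[0]
    problems, warnings = [], []
    user_dn = normalize_dn(user["dn"][0])
    members = {normalize_dn(m) for m in group.get("uniquemember", [])}
    if user_dn not in members:
        problems.append("group uniquemember does not reference %s" % user_dn)
    if user_dn in {normalize_dn(d) for d in dns_in_use}:
        problems.append("DN %s is already used by another domain's admin user" % user_dn)
    group_classes = {v.lower() for v in group.get("objectclass", [])}
    for needed in ("top", "groupofuniquenames", "orclgroup"):
        if needed not in group_classes:
            problems.append("group entry lacks objectclass %s" % needed)
    if "userpassword" in user:
        warnings.append("user entry carries userpassword in cleartext; delete the file after loading")
    return {"ok": not problems, "problems": problems, "warnings": warnings, "user_dn": user_dn}


if __name__ == "__main__":
    print(check_admin_provisioning(ADMIN_USER_LDIF, ADMIN_GROUP_LDIF))
```

The DN comparison is case-insensitive and ignores the spaces after commas, which is why the group's uniquemember (cn=users) still matches the user entry's DN (cn=Users); the check also reports that the user entry carries userpassword as a cleartext value, a reminder to delete the LDIF once it has been loaded.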
After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for that domain. Follow the steps below to assign the Admin role to the Admin group:
Log into the WebLogic Administration Server Console.
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click on the Roles link to bring up the Global Roles page.
On the Global Roles page, click the Admin Role to bring up the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Rule page.
The Role Conditions table now shows the IDM Administrators Group as an entry.
Click Save to finish adding the Admin Role to the IDM Administrators Group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.
The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow the steps below to update the boot.properties file.
For the Administration Server on IDMHOST1
On IDMHOST1, go to the following directory:
MW_HOME/user_projects/domains/domainName/servers/serverName/security
For example:
cd /u01/app/oracle/product/fmw/user_projects/domains/IDMDomain/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser
password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
Stop and Start the Servers
Using the WebLogic Administration Server Console, stop the Administration Server and the wls_ods1 and wls_ods2 Managed Servers.
Verify that the server processes have been successfully stopped.
On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the DOMAIN_HOME/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter:
./startWebLogic.sh >logfile 2>&1 &
For example:
./startWebLogic.sh >$DOMAIN_HOME/servers/AdminServer/logs/aserver.out 2>&1 &
Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.
Log in using the credentials of the weblogic_idm user.
Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console.
You begin policy and credential store migration by creating the JPS root and then you reassociate the policy and credential store with Oracle Internet Directory.
Create the jpsroot in Oracle Internet Directory using the command line ldapadd command as shown in these steps:
Create an ldif file similar to this:
dn: cn=jpsroot_idm_idmhost1
cn: jpsroot_idm_idmhost1
objectclass: top
objectclass: orclcontainer

dn: cn=jpsroot_idm_idmhost2
cn: jpsroot_idm_idmhost2
objectclass: top
objectclass: orclcontainer
Use ORACLE_HOME/bin/ldapadd to add these entries to Oracle Internet Directory. For example:
ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f jps_root.ldif
To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:
From IDMHOST1, start the wlst shell from the ORACLE_HOME/common/bin directory. For example:
./wlst.sh
Connect to the WebLogic Administration Server using the wlst connect command shown below.
connect('AdminUser','AdminUserPassword','t3://hostname:port')
For example:
connect("weblogic_idm","welcome1","t3://idmhost-vip.mycompany.com:7001")
Run the reassociateSecurityStore command as shown below:
Syntax:
reassociateSecurityStore(domain="domainName",admin="cn=orcladmin", password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID", jpsroot="cn=jpsroot_idm_idmhost1")
For example:
wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain", admin="cn=orcladmin",password="welcome1", ldapurl="ldap://oid.mycompany.com:389",servertype="OID", jpsroot="cn=jpsroot_idm_idmhost1")
The output for the command is shown below:
{servertype=OID, jpsroot=cn=jpsroot_idm_idmhost1, admin=cn=orcladmin, domain=IDMDomain, ldapurl=ldap://oid.mycompany.com:389, password=welcome1}
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
Starting Policy Store reassociation.
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Policy Store reassociation done.
Starting credential Store reassociation
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Credential Store reassociation done
Jps Configuration has been changed. Please restart the server.
Restart the Administration Server after the command completes successfully.
To validate the setup, open a web browser and go to the following URLs:
http://admin.mycompany.com:7777/console
http://admin.mycompany.com:7777/em
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.