7 Installing and Configuring Oracle Access Manager

7.1.2.1 Using Oracle Virtual Directory as the Identity Store

In addition, the identity stores can potentially be front-ended by Oracle Virtual Directory to virtualize the data sources.

To learn more about the different types of directory configuration for Oracle Access Manager, please consult the 10g Oracle Access Manager documentation at Oracle Technology Network. Customers considering these variations should adjust their directory tier and Oracle Access Manager deployment accordingly.

7.3.1.1 Installing the First Identity Server on OAMHOST1

Follow these steps to install Oracle Access Manager Identity Server on OAMHOST1:

1. Ensure that the system, patch, and other requirements are met. These are listed in the "Installing the Identity Server" chapter of the Oracle Access Manager Installation Guide.

2. Locate the Identity Server Installer on your Oracle Access Manager Software disk and start the installer as shown below. Pass the "-gui" option to bring up the Installers GUI console:

   ./Oracle_Access_Manager10_1_4_3_0_linux_Identity_Server -gui
   

3. On the Welcome to the InstallShield Wizard for Oracle Access Manager Identity Server screen, click Next.

4. Enter the username and group that the Identity Server will use. Specify oracle/oinstall.

   Click Next.

5. Specify the installation directory for Oracle Access Manager Identity Server. Specify the following value:

   /u01/app/oracle/product/fmw/oam
   

   Note:

   The base location for the Oracle Access Manager installation is /u01/app/oracle/product/fmw/oam. Oracle Access Manager components are installed in subdirectories automatically created by the installer under this location.

   The Identity Server is installed in the identity subdirectory created by the installer under the base location.

   The ORACLE_HOME location for the Oracle Access Manager Identity Server installation is:

   /u01/app/oracle/product/fmw/oam/identity

   Click Next.

6. Oracle Identity Manager will be installed in the following location (the identity directory is created by the installer automatically):

   /u01/app/oracle/product/fmw/oam/identity
   

   
   Description of the illustration oamidentitysvr3.gif
   
   

7. Specify the location of the GCC runtime libraries, for example, /home/oracle/oam_lib.

   Click Next.

8. On the Installation Progress screen, click Next.

9. On the first Identity Server Configuration screen, specify the transport security mode between the WebPass/Identity client and the Identity Server. The choices are:

   • Open Mode: No encryption.

   • Simple Mode: Encryption through SSL and a Public Key Certificate provided by Oracle.

   • Cert Mode: Encryption through SSL and a Public Key Certificate provided by an external CA.

   Choose Open Mode.

   Click Next.

10. On the next Identity Server Configuration screen, specify the Identity Server ID, host name and port number for the Identity Server connection:

    • Enter a unique name for the Identity Server ID. For example: IdentityServer_OAMHOST1

    • Enter the hostname where the Identity Server will be installed. Make sure that the hostname can be resolved. For example: oamhost1.mycompany.com

    • Enter the port number on which this Identity Server communicates with its clients. For example, the default port number is 6022.

    Click Next.

11. On the next Identity Server Configuration screen, you are prompted whether this is the first Identity Server installation in the network for this LDAP directory server.

    Select Yes.

    Click Next.

12. On the next Identity Server Configuration screen, select the appropriate options if you want to set up SSL between the Identity Server and the Directory Server.

    • Directory Server hosting user data is in SSL

    • Directory Server hosting Oracle data is in SSL

    The enterprise deployment described in this manual does not use SSL for communication between components behind the firewall.

    Do not select anything.

    Click Next.

13. On the first Configure Directory Server hosting user data screen, specify the details for the LDAP enabled User Directory Store.

    The Identity Server connects to an LDAP enabled directory server to store your User Data. Choose the appropriate directory server from the drop down list:

    • If you are planning on using Oracle Virtual Directory as the user store; select Data Anywhere from the drop down list.

    • If you are planning on using Oracle Internet Directory for the user store, select Oracle Internet Directory from the drop down list.

    Make the appropriate choice based on the needs in your environment and click Next.

14. On the next Configure Directory Server hosting user data screen, specify if the User and Oracle Data will be stored in different directory servers. Make the appropriate choice based on the requirements in your environment.

    Select the Oracle data will be in the user data directory option.

    The enterprise deployment in this manual has the Oracle and user data in the same directory.

    Click Next.

15. On the next Configure Directory Server hosting user data screen, specify if the OAM Installer should automatically update the User Store Directory Schema to include the Oracle Access manager schema

    Select Yes and click Next.

16. Specify your directory server configuration details:

    • Host machine or IP in which the directory server resides:

      oid.mycompany.com (if your user store is in Oracle Internet Directory)

      ovd.mycompany.com (if your user store is in Oracle Virtual Directory)

    • Port Number: 389 (non-SSL port)

    • Root DN: cn=orcladmin (This is the default, unless you change the person object class during Identity System set up.)

    • Root Password: The password for the user data directory server Root DN.

    Click Next.

17. The Updating Directory schema to Directory Server screen appears. The update process can take some time.

18. Review the Readme file.

    Click Next to display an installation summary.

19. The installation summary provides the details that you specified during this installation and instructs you to start the Identity Server at the conclusion of this installation.

    Click Next.

20. Click Finish to complete the installation.

21. Start the Identity Server to validate that the install completed successfully. Run the start_ois_server script, located under the ORACLE_HOME/identity/oblix/apps/common/bin directory to start the Identity Server on OAMHOST1, where ORACLE_HOME is the Identity Server install location.

7.3.1.2 Installing the Second Identity Server on OAMHOST2

Follow these steps to install the second Oracle Access Manager Identity Server on IDMHOST2:

1. Ensure that the system, patch, and other requirements are met. These are listed in the "Installing the Identity Server" chapter of the Oracle Access Manager Installation Guide.

2. Locate the Identity Server Installer on your Oracle Access Manager Software disk and start the installer as shown below. Pass the "-gui" option to bring up the Installers GUI console:

   ./Oracle_Access_Manager10_1_4_3_0_linux_Identity_Server -gui
   

3. On the Welcome to the InstallShield Wizard for Oracle Access Manager Identity Server screen, click Next.

4. Enter the username and group that the Identity Server will use. Specify oracle/oinstall.

   Click Next.

5. Specify the installation directory for Oracle Access Manager Identity Server. Specify the following value:

   /u01/app/oracle/product/fmw/oam
   

   Note:

   The base location for the Oracle Access Manager installation is /u01/app/oracle/product/fmw/oam. Oracle Access Manager components are installed in subdirectories automatically created by the installer under this location.

   The Identity Server is installed in the identity subdirectory created by the installer under the base location.

   The ORACLE_HOME location for the Oracle Access Manager Identity Server installation is:

   /u01/app/oracle/product/fmw/oam/identity

   Click Next.

6. Oracle Identity Manager will be installed in the following location (the identity directory is created by the installer automatically):

   /u01/app/oracle/product/fmw/oam/identity
   

   
   Description of the illustration oamidentitysvr3.gif
   
   

7. Specify the location of the GCC runtime libraries, for example, /home/oracle/oam_lib.

   Click Next.

8. On the Installation Progress screen, click Next.

9. On the first Identity Server Configuration screen, specify the transport security mode between the WebPass/Identity client and the Identity Server. The choices are:

   • Open Mode: No encryption.

   • Simple Mode: Encryption through SSL and a Public Key Certificate provided by Oracle.

   • Cert Mode: Encryption through SSL and a Public Key Certificate provided by an external CA.

   Choose Open Mode.

   Click Next.

10. On the next Identity Server Configuration screen, specify the Identity Server ID, host name and port number for the Identity Server connection:

    • Enter a unique name for the Identity Server ID. For example: IdentityServer_OAMHOST2

    • Enter the hostname where the Identity Server will be installed. Make sure that the hostname can be resolved. For example: oamhost2.mycompany.com

    • Enter the port number on which this Identity Server communicates with its clients. For example, the default port number is 6022.

    Click Next.

11. On the next Identity Server Configuration screen, you are prompted whether this is the first Identity Server installation in the network for this LDAP directory server.

    Select No.

    Click Next.

12. On the next Identity Server Configuration screen, select the appropriate options if you want to set up SSL between the Identity Server and the Directory Server.

    • Directory Server hosting user data is in SSL

    • Directory Server hosting Oracle data is in SSL

    The enterprise deployment described in this manual does not use SSL for communication between components behind the firewall.

    Do not select anything.

    Click Next.

13. This displays the configuration screen. After the configuration is completed, the ReadMe file displays.

14. Review the Readme file.

    Click Next to display an installation summary.

15. The installation summary provides the details that you specified during this installation and instructs you to start the Identity Server at the conclusion of this installation.

    Click Next.

16. Click Finish to complete the installation.

17. Start the Identity Server to validate that the install completed successfully. Run the start_ois_server script, located under the ORACLE_HOME/identity/oblix/apps/common/bin directory to start the Identity Server on OAMHOST2, where ORACLE_HOME is the Identity Server install location.

7.3.2.1 Installing Oracle HTTP Server

Follow these steps to install Oracle HTTP Server on OAMADMINHOST:

1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Web Tier in the Oracle Fusion Middleware documentation library for the platform and version you are using.

2. Oracle HTTP Server is installed on port 7777 by default. Ensure that ports 7777, 8889, and 4443 are not in use by any service on OAMADMINHOST by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

   On UNIX:

   netstat -an | grep "7777"
   netstat -an | grep "8889"
   netstat -an | grep "4443"
   

   If the ports are in use (if the command returns output identifying the port), you must free it.

   On UNIX:

   Remove the entries for ports 7777, 8889, and 4443 in the /etc/services file if the ports are in use by a service and restart the services, or restart the computer.

3. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

4. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom port:

   #The http main port for ohs component
   OHS Port = 7777
   
   #This port indicates the OHS Proxy Port
   OHS Proxy Port = 8889
   
   #This port indicates the OHS SSL port
   OHS SSL Port = 4443
   

5. Start the Oracle Universal Installer for Oracle Fusion Middleware 11g Web Tier Utilities CD installation as follows:

   On UNIX, issue this command: runInstaller

   The runInstaller file is in the ../install/platform directory where platform is a platform such as Linux or Solaris.

   The Specify Oracle Inventory screen is displayed.

6. On the Specify Inventory Directory screen, enter values for the Oracle Inventory Directory and the Operating System Group Name. For example:

   Specify the Inventory Directory: /u01/app/oraInventory

   Operating System Group Name: oinstall

   A dialog box appears with the following message:

   "Certain actions need to be performed with root privileges before the install can continue. Please execute the script /u01/app/oraInventory/createCentralInventory.sh now from another window and then press "Ok" to continue the install. If you do not have the root privileges and wish to continue the install select the "Continue installation with local inventory" option"

   Login as root and run the "/u01/app/oraInventory/createCentralInventory.sh"

   This sets the required permissions for the Oracle Inventory Directory and then brings up the Welcome screen.

   Note:

   The Oracle Inventory screen is not shown if an Oracle product was previously installed on the host. If the Oracle Inventory screen is not displayed for this installation, make sure to check and see:

   1. If the /etc/oraInst.loc file exists

   2. If the file exists, the Inventory directory listed is valid

   3. The user performing the installation has write permissions for the Inventory directory

7. On the Welcome screen, click Next.

8. On the Select Installation Type screen, select Install and Configure, and then click Next.

9. On the Prerequisite Checks screen, ensure that all the prerequisites are met, and then click Next.

10. On the Specify Installation Location screen set the location on OAMADMINHOST to:

    /u01/app/oracle/product/fmw/web
    

    Click Next.

    Note:

    The ORACLE_HOME location for the Oracle HTTP Server install is /u01/app/oracle/product/fmw/web

11. On the Configure Components screen, select the following and deselect any other components:

    • Oracle HTTP Server

    • Associate Selected Components with WebLogic Domain

    Click Next.

12. On the Specify WebLogic Domain screen, enter the location where you installed Oracle WebLogic Server. Note that the Administration Server must be running:

    • Domain Host Name: idmhost1.mycompany.com

    • Domain Port No: 7001

    • User Name: weblogic

    • Password: ******

    Click Next.

13. On the Specify Component Details screen, set the following values for OAMADMINHOST:

    • Instance Home Location:

      /u01/app/oracle/admin/oamAdmin_ohs
      

    • Instance Name: oamAdmin_ohs

    • OHS Component Name: oamAdmin_ohs

    Click Next.

14. On the Configure Ports screen, select Specify Ports Using Configuration File, and enter the full pathname to the staticports.ini file that you edited in the temporary directory.

    Click Next.

15. On the Email Address for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the checkbox next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

16. On the Configuration Summary screen, ensure that the selections are correct and click Install.

17. On the Configuration screen, multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the Configuration Completed screen appears.

18. On the Configuration Completed screen, click Finish to exit.

7.3.2.2 Validating the Installation of Oracle HTTP Server

Validate the installation of Oracle HTTP Server by following these steps:

1. Run the opmnctl status command from the INSTANCE_HOME/bin directory. For example:

   $ cd /u01/app/oracle/admin/oamAdmin_ohs
   $ ./opmnctl status
   Processes in Instance: oamAdmin_ohs
   ---------------------------------+--------------------+---------+---------
   ias-component                    | process-type       |     pid | status
   ---------------------------------+--------------------+---------+---------
   oamAdmin_ohs                     | OHS                |   28575 | Alive
   

2. Open a web browser and go to the URL http://hostname.mycompany.com:port to view the default Oracle HTTP Server Home page. For example:

   http://oamadminhost.mycompany.com:7777
   

7.3.3.1 Configuring Oracle HTTP Server and WebPass Communication

To establish communication between WebPass and its Identity Server, follow these steps:

1. Stop the WebPass Web server instance:

   OHS_INSTANCE_HOME/bin/opmnctl stopall
   

2. Update the OHS_INSTANCE_HOME/config/OPMN/opmn/opmn/opmn.xml file to set the environment variable LD_ASSUME_KERNEL for the OHS1 component, as shown in this example:

   ...
   <ias-component id="oamAdmin_ohs">
       <process-type id="OHS" module-id="OHS1">
           <environment>
               <variable id="LD_ASSUME_KERNEL" value="2.4.19"/>
           </environment>
           <module_data>
   ...
   

3. Stop and then start Identity Server on OAMHOST1 and OAMHOST2:

   ORACLE_HOME/identity/oblix/apps/common/bin/restart_ois_server
   

   where ORACLE_HOME refers to the location where the Identity Server is installed.

4. Start the WebPass Web server instance:

   OHS_INSTANCE_HOME/bin/opmnctl startall
   

7.3.3.2 Validating the WebPass Installation

Follow these steps to validate the WebPass installation:

1. To make sure that your Identity Server and WebPass Web server are running, navigate to the Identity System Console by specifying the following URL in your web browser:

   http://hostname:port/identity/oblix
   

   where hostname refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/identity/oblix
   

2. The Identity System landing page should appear.

   Do not select any link on the Identity System landing page because the system has not yet been set up.

7.3.4.1 Configuring the First Identity Server

After the Identity Server and the WebPass instance are installed, you must specify the associations between them to make the system functional. Follow these steps to configure the first Identity Server:

1. Navigate to the Identity System Console by specifying the following URL in your web browser:

   http://hostname:port/identity/oblix
   

   where hostname refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/identity/oblix
   

   Click the Identity System Console link.

2. On the System Console Application is not set up page, click the Setup button.

3. On the Product Setup page, specify your user data directory server type. Select Oracle Virtual Directory or Oracle Internet Directory based on how your environment is configured.

   Click Next.

4. On the Schema Change page, click Next. You do not need to do anything because the schema was updated during Identity Server installation.

5. Specify the user data directory details based on your installation:

   • Host: The DNS host name of the user data directory server. Enter:

     oid.mycompany.com (if your user store is in Oracle Internet Directory)

     ovd.mycompany.com (if your user store is in Oracle Virtual Directory)

   • Port Number: The port of the user data directory server. For example: 389

   • Root DN: The bind distinguished name of the user data directory server. For example: cn=orcladmin

   • Root Password: The password for the bind distinguished name.

   • Directory Server Security Mode: Open or SSL-enabled between the user data directory server and Identity Server. Select Open.

   • Is Configuration data stored in this directory also?: Yes (default)

   Click Next.

   
   Description of the illustration screenshot11.gif
   
   

6. On the Location of Configuration Data and the Oracle Access Manager Searchbase page, specify the distinguished name (DN) for the configuration data and the searchbase for user data. The configuration DN is the directory tree where Oracle Access Manager stores its configuration data. The searchbase is the node in the directory tree where the user data is stored and is usually the highest base for all user searches.

   When the user data and configuration data are in the same directory, the entries can be specified as follows:

   • Configuration DN: dc=us,dc=mycompany,dc=com

   • Searchbase: dc=us,dc=mycompany,dc=com

   Click Next.

   Note:

   The configuration DN for the Oracle Access Manager Identity Server and the Oracle Access Manager Access Server must be the same. Also, if the configuration data and the search data are in different directories they should have unique DNs and the searchbase cannot be o=Oblix, configurationDN or ou=Oblix, configurationDN.

7. On the Person Object Class screen, specify the Person object class for the User Manager as shown below:

   Person Object Class: inetorgPerson

   Click the Auto configure objectclass text box.

   Click Next.

   Note:

   The person object class specified during this setup is the person object class used by the User Manager application.

8. On the Group Object Class screen, specify the Group object class as shown below. For example, the Group object class would be an entry resembling the following:

   Group Object Class: GroupofUniqueNames

   Click the Auto configure objectclass text box.

   Click Next.

   Note:

   The group object class specified during this setup is the only group object class used by the Group Manager application.

9. Stop the WebPass Web server instance on OAMADMINHOST.

10. Stop and then start the Identity Servers on OAMHOST1 and OAMHOST2.

11. Start the WebPass Web server instance on OAMADMINHOST.

12. In the Return to the Oracle Access Manager Product Setup window, click Next.

13. A screen appears summarizing the person object class changes that were made automatically with the following question: "Is the following configuration correct for the objectclass 'inetorgperson'?

    Review the Person object class attributes and then click Yes.

    Review the Group object class attributes and then click Yes.

14. A screen appears summarizing the group object class changes that were made automatically with the following question: "Is the following configuration correct for the objectclass 'groupOfUniqueNames'?

    Review the Group object class attributes and then click Yes.

15. On the Configure Administrators page, the user orcladmin is configured as the Master Administrator by default. If you do not want to add any additional Administrator users, click Next.

    
    Description of the illustration screenshot18.gif
    
    

    To add additional users as administrators, click the Select User button to bring up the Selector page.

    
    Description of the illustration screenshot19.gif
    
    

    On the Selector page, complete the fields with the search criteria for the user you want to select as an administrator and click Go. A minimum of three characters is required to return search results.

    
    Description of the illustration screenshot20.gif
    
    

16. Search results matching the specified criteria appear.

    Click Add next to the person you want to select as an administrator.

17. The name of the person appears under the Selected column on the right.

    Add other names as needed.

    Click Done.

18. On the Configure Administrators page, view the selected users listed as administrators.

    Click Next.

19. On the Securing Data Directories page, click Done to complete the Identity System setup.

20. Verify the configuration by performing these steps:

    1. Access the Oracle Access Manager system console at this URL:

       http://OAMADMINHOST:port/identity/oblix
       

       where port is the Oracle HTTP Server port.

       For example, enter the following URL in your web browser:

       http://oamadminhost.mycompany.com:7777/identity/oblix
       

    2. Click User Manager, Group Manager, or Org. Manager and log in with the newly created administrator user's credentials.

7.3.4.2 Configuring the Second Identity Server

Follow these steps to configure the second Identity Server:

1. Navigate to the Identity System Console by specifying the following URL in your web browser:

   http://hostname:port/identity/oblix
   

   where hostname refers to computer that hosts the WebPass Web server and port refers to the HTTP port number of the WebPass Web server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/identity/oblix
   

   Click the Identity System Console link.

2. A login dialog box appears.

   Provide the administrator user name and password.

   Click Login.

3. On the System Configuration screen, click the Identity System Console and select System Configuration > Identity Servers.

4. Click Add and specify the values shown below on the Add a new Identity Server screen:

   • Name: idserver_oamhost2

   • Hostname: oamhost2.mycompany.com

   • Port: 6022

   • Debug: Off

   • Debug File Name: /oblix/logs/debugfile.lst

   • Transport Security: Open

     Accept the default values for the remaining parameters, unless required in your environment:

   • Maximum Session Time (hours): 24 (default)

   • Number of Threads: 20 (default)

   • Audit to Database Flag (auditing on/off): Off (default)

   • Audit to File Flag (auditing on/off): Off (default)

   • Audit File Name: Leave blank (default)

   • Audit File Maximum Size (bytes): 100000 (default)

   • Audit File Rotation Interval (seconds): 7200 (default)

   • Audit Buffer Maximum Size (bytes): 25000 (default)

   • Audit Buffer Flush Interval (seconds): 7200 (default)

   • Scope File Name: /oblix/logs/scopefile.lst (default)

   • SNMP State: Off (default)

   • SNMP Agent Registration Port: 80 (default)

   
   Description of the illustration screenshot29.gif
   
   

5. Click the Identity System Console and select System Configuration > WebPass.

6. The OAMWebPass_OAMADMINHOST instance is listed.

   Click the WebPass instance for OAMADMINHOST.

7. On the Details for WebPass screen, click List COREid Servers.

8. The Identity Servers associated with the WebPass are listed.

   Click Add.

9. On the Add a new Identity Server to the WebPass screen:

   Select the identity server installed on OAMHOST2.

   Select Primary Server and specify 2 connections.

   Click Add.

This completes the configuration of the Identity System.

You can now begin the installation of the Access System, which includes the Policy Manager, Access Server, and WebGate components.

7.4.1.1 Configuring the Policy Manager

The Policy Manager must be configured to communicate with Oracle Internet Directory. Follow these steps to configure the communication:

1. Make sure your Web server is running.

2. Navigate to the Access System Console by specifying the following URL in your web browser:

   http://hostname:port/access/oblix
   

   where hostname refers to the host where the Policy Manager Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/access/oblix
   

   Note:

   The WebPass and Policy Manager components share the same Oracle HTTP Server instance on OAMADMINHOST.

3. Click the Access System Console link.

   A message informs you that the Administration Console Application is not yet set up.

4. Click the Setup button.

5. You are prompted for the User Directory Server Type.

   If you are using Oracle Virtual Directory, choose Data Anywhere and if you are using Oracle Internet Directory, choose Oracle Internet Directory.

6. On the Location of Directory Server for User Data screen, specify the following server details:

   • Machine: Specify the DNS host name of the user data directory server. Enter:

     oid.mycompany.com (if your user store is in Oracle Internet Directory)

     ovd.mycompany.com (if your user store is in Oracle Virtual Directory)

   • Port Number: Specify the port of the user data directory server. Enter the non-SSL port for the directory server. For example: 389

   • Root DN: Specify the bind DN (distinguished name) for the user data directory server. For example: cn=orcladmin

   • Root Password: Specify the password for the bind distinguished name.

   • Directory Server Security Mode: Select Open.

   This screen capture shows the values for the Location of Directory Server for User Data screen if your user store is Oracle Internet Directory:

   
   Description of the illustration screenshot41.gif
   
   

   This screen capture shows the values for the Location of Directory Server for User Data screen if your user store is Oracle Virtual Directory:

   
   Description of the illustration screenshot42.gif
   
   

   Click Next.

7. On the Directory Server Type containing Configuration Data screen, choose Oracle Internet Directory.

   Click Next.

8. On the Directory Server containing User Data and Directory Server containing Configuration Data screen, a message informs you that the user data and configuration data can be stored in either the same or different directories.

   Select Store Configuration Data in the User Directory Server.

   Click Next.

9. On the Directory Server containing User Data and Directory Server containing Policy Data screen, a message informs you that the user data and policy data can be stored in either the same or different directories.

   Select Store Policy Data in the User Directory Server.

10. On the Location of the Oracle Access Manager Configuration data, the Searchbase, and the Policybase screen, specify the appropriate information for your installation. For example:

    • Searchbase: dc=us,dc=mycompany,dc=com (This must be the same searchbase you specified during Identity Server configuration)

    • Configuration DN: dc=us,dc=mycompany,dc=com (This must be the same configuration DN you specified during Identity Server configuration)

    • Policy Base: dc=us,dc=mycompany,dc=com

    Click Next.

11. On the Person Object Class screen, specify the Person object class that was specified during Identity Server system configuration:

    Person Object Class: inetorgperson

    Click Next.

12. You are prompted to restart the Web server. The Identity Servers must be restarted, along with the Web Server instance. Follow the sequence shown below:

    1. Stop the Oracle HTTP Server on OAMADMINHOST.

    2. Restart the Identity Server on OAMHOST1 and OAMHOST2.

    3. Start the Oracle HTTP Server on OAMADMINHOST.

    Click Next.

13. On the Root Directory for the Policy Domains screen, specify the root directory for policy domains.

    Accept the default root directory for policy domains, for example:

    Policy Domain Root: /

    Click Next.

14. On the Configuring Authentication Schemes screen, select Yes to automatically configure authentication schemes.

    Click Next.

15. On the next screen, select both Basic Over LDAP and Client Certification authentication schemes.

    Click Next.

16. On the Define a new authentication scheme screen, specify the Basic over LDAP parameters. The values on the screen are prefilled. Review the parameters. Change the parameter values, if required by your environment:

    • Name: Basic Over LDAP

    • Description: This scheme is Basic over LDAP, using the built-in browser login mechanism

    • Level: 1

    • Challenge Method: Basic

    • Challenge Parameter: realm: LDAP User Name/Password

    • Plugin(s):

      • Plugin Name: credential_mapping

        Plugin Parameters:

        obMappingBase="dc=us,dc=mycompany,dc=com",
        obMappingFilter="(&(objectclass=inetorgperson)
        (uid=%userid%))"
        

      • Plugin Name: validate_password

        Plugin Parameters: obCredentialPassword="password"

    Click Next.

    
    Description of the illustration screenshot54.gif
    
    

17. On the next Define a new authentication scheme screen, specify the Client Certificate parameters. The values on the screen are prefilled. Review the parameters. Change the parameter values, if required by your environment.

    • Name: Client Certificate

    • Description: This scheme uses SSL and X.509 client certificates

    • Level: 2

    • Challenge Method: Client Certificate

    • Challenge Parameter: realm: LDAP User Name/Password

    • Plugin(s):

      • Plugin Name: cert_decode

        Plugin Parameters:

      • Plugin Name: credential_mapping

        Plugin Parameters:

        obMappingBase="dc=us,dc=mycompany,dc=com",
        obMappingFilter="(&(objectclass=inetorgperson)
        (mail=%certSubject.E%))"
        

    Click Next.
    Description of the illustration screenshot56.gif
    
    

18. On the Configure Policies to Protect NetPoint Identity System and Access Manager screen, select Yes to configure policies to protect Access System related URLs.

    Click Next.

19. On the next page, instructions for Securing Data Directories and Configuring Identity and Access policy domains are shown. Review the instructions to complete the tasks and then restart the Identity Servers and web server instances by following the steps below:

    1. Stop the WebPass/Policy Manager Web server instance on OAMADMINHOST.

    2. Stop and then start the Identity Servers on OAMHOST1 and OAMHOST2.

    3. Start the WebPass/Policy Manager Web server instance on OAMADMINHOST.

    Verify that all the processes are back up again and then click Done.

20. The Policy Manager home page appears.

    Confirm that the Policy Manager is installed correctly by performing the following steps:

    1. Navigate to the Access System Console from your browser. For example:

       http://hostname:port/access/oblix
       

       where hostname refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

       For example, enter the following URL in your web browser:

       http://oamadminhost.mycompany.com:7777/access/oblix
       

    2. Select the Access System Console link.

    3. Log in as an administrator.

    4. Select the Access System Configuration tab, then click Authentication Management when it appears in the left column.

       A list of the authentication schemes configured appears.

    
    Description of the illustration screenshot61.gif
    
    

7.4.2.1 Creating an Access Server Instance

Follow these steps to create an Access Server instance:

1. Log into the Access System Console by specifying the following URL in your web browser:

   http://hostname:port/access/oblix
   

   where hostname refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/access/oblix
   

2. On the Access System main page, click the Access System Console link, then log in as the administrator.

3. Click the Access System Configuration tab, then click Access Server Configuration when the side navigation bar appears.

4. Click Add to display the Add Access Server page with some defaults.

5. Specify the parameters shown below for the Access Server you plan to install:

   • Name: Descriptive name for the Access Server that is different from any others already in use on this directory server. For example: AccessServer_OAMHOST1

   • Hostname: Name of the computer where the Access Server will be installed. The Access Server does not require a Web server instance. For example: oamhost1.mycompany.com

   • Port: Port on which the Access Server will listen. For example: 6023

   • Transport Security: Transport security between all Access Servers and associated WebGates must match. Specify Open.

   • Access Management Service: This should be enabled only if the WebGate is using the Policy Manager API. In this case, select ON, since the WebGate will be using the PolicyManager API.

   Review the remaining prefilled default values. Modify these values, if required by your environment.

   Click Save.

   
   Description of the illustration screenshot66.gif
   
   

6. The Access Server Configuration: List All Access Servers page appears with a link to this instance. Verify that the Access Server has been created with the correct values by clicking on the link for the Access Server just created.

7. Repeat steps 3 through 6 for each additional Access Server you want to install. Substitute values where appropriate. For example, when creating the second Access Server instance, specify the following values:

   • Name: AccessServer_OAMHOST2

   • Hostname: oamhost2.mycompany.com

8. Click Logout and then close the browser window.

7.4.2.2 Starting the Access Server Installation

Follow these steps to start the Access Server installation:

1. Locate the AccessServer Installer on your Oracle Access Manager Software disk and start the installer as shown below. Pass the "-gui" option to bring up the GUI console. Log in as a user with Administrator privileges.

   ./Oracle_Access_Manager10_1_4_3_0_linux_Access_Server -gui
   

2. On the Welcome to the InstallShield Wizard for Oracle Access Manager Access Server screen, click Next.

3. On the Customer Information screen, enter the username and group that the Identity Server will use. The default value for username and group is nobody. For example, enter oracle/oinstall.

   Click Next.

4. Specify the installation directory for Oracle Access Manager Access Server. For example, enter:

   /u01/app/oracle/product/fmw/oam
   

   Note:

   The base location for the Oracle Access Manager Access Server installation is /u01/app/oracle/product/fmw/oam. Oracle Access Manager components are installed in subdirectories automatically created by the installer under this location.

   The Access Server is installed in the access subdirectory created by the installer under the base location.

   The ORACLE_HOME location for the Oracle Access Manager Access Server installation is:

   /u01/app/oracle/product/fmw/oam/access
   

   Click Next.

5. Oracle Access Manager Access Server will be installed in the following location (the access directory is created by the installer automatically):

   /u01/app/oracle/product/fmw/oam/access
   

   
   Description of the illustration oamaccesssvr3.gif
   
   

   Click Next.

6. Specify the location of the GCC runtime libraries. For example: /home/oracle/oam_lib.

   Click Next.

   The installation progress screen is shown. After the installation process completes, the Access Server Configuration screen appears.

7. On the Access Server Configuration screen, you are prompted for the transport security mode.

   Specify the transport security mode. The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match. Select one of the following: Open Mode, Simple Mode, or Cert Mode.

   Select Open Mode.

   Click Next.

8. On the next Access Server Configuration screen, you are prompted for the mode in which the Directory Server containing Oracle configuration data is running.

   Select Open. This is the default choice.

   On the same screen, specify the following directory server details:

   • Host: Specify the DNS hostname of the Oracle configuration data directory server. For example: oid.mycompany.com

   • Port Number: Specify the port of the Oracle configuration data directory server. For example: 389 (OID non-SSL Port)

   • Root DN: Specify the bind distinguished name of the Oracle configuration data directory server. For example: cn=orcladmin

   • Root Password: Specify the password for the bind distinguished name.

   • Type of the Directory Server containing Oracle configuration data: Select Oracle Internet Directory.

   Click Next.

   
   Description of the illustration oamwebgate10.gif
   
   

9. On the next Access Server Configuration screen, specify where the Oracle Access Manager Policy data is stored. Select Oracle Directory and click Next.

10. On the next Access Server Configuration screen, specify the Access Server ID, the Configuration DN and the Policy Base specified when creating the Access Server instances in Section 7.4.2.1, "Creating an Access Server Instance."

    Enter the requested details, for example:

    • Access Server ID: AccessServer_OAMHOST1

    • Configuration DN: dc=us,dc=mycompany,dc=com

    • Policy Base: dc=us,dc=mycompany,dc=com

    
    Description of the illustration oamaccesssvr13.gif
    
    

11. Review the information on the Oracle COREId 10.1.4.3 ReadMe screen.

    Click Next.

12. A message appears informing you that the installation was successful.

    Click Finish.

13. Start the Access Server so that you can confirm the Access Server is installed and operating properly.

    To start the Access Server, follow these steps:

    1. Go to the following directory:

       ORACLE_HOME/access/oblix/apps/common/bin
       

       where ORACLE_HOME is the location where Oracle Access Manager Access Server is installed.

    2. Execute the following script:

       start_access_server
       

       If you want to use the NPTL threading model, execute the following script instead:

       start_access_server_nptl
       

14. Repeat the preceding steps on OAMHOST2, substituting the hostname where appropriate.

7.4.3.1 Creating a WebGate Profile

The WebGate profile can be created manually or automatically:

• Manual Creation: The WebGate profiles can be created manually by using the Access System Console. If you choose to create the WebGate profiles manually, follow the steps in this section. However, make sure to use appropriate values for the WebGate profile ID and the Host Identifier. These values are passed as parameters to the OAM Configuration Tool to enable single sign-on as discussed in Chapter 8, "Configuring Single Sign-On for Administration Consoles."

• Automatic Creation: The WebGate profiles can be created automatically by the Oracle Access Manager Configuration Tool as discussed in Chapter 8. If you choose to create the WebGate profiles automatically, do the following:

  1. Do not perform the steps in the "Steps for Manually Creating the WebGate Profile Using the Access System Console" section below.

  2. Proceed to Section 8.2, "Running the Oracle Access Manager Configuration Tool" and perform the steps described in that section.

  3. After running the Oracle Access Manager Configuration Tool successfully, return to Section 7.4.3.2, "Assigning an Access Server to the WebGate" and preform the steps in that section.

  4. Perform the steps in Section 7.4.3.3, "Installing the WebGate," using the WebGate profile ID that was created by the OAM Configuration Tool.

Steps for Manually Creating the WebGate Profile using the Access System Console

Follow these steps to create a WebGate profile using the Access System Console:

1. Navigate to the Access System Console by specifying the following URL in your web browser:

   http://hostname:port/access/oblix
   

   where hostname refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.

   For example, enter the following URL in your web browser:

   http://oamadminhost.mycompany.com:7777/access/oblix
   

2. On the Access System main page, click the Access System Console link, then log in as an Administrator.

3. On the Access System Console main page:

   Click the Access System Configuration tab, then select Host Identifiers.

   Click Add.

4. Specify the following parameters for your host identifier:

   • Name: Name of the host identifier. For example: idmedg_wd

   • Description: A brief description of the host identifier. For example: This is the host identifier for the IDM domain.

   • Hostname variations: All possible hostname variations for this host. Click the plus and minus symbols to add or delete fields as necessary. The Preferred HTTP Host value used in the Access System Configuration must be added as one of the hostname variations. For example: idmedg_wd, webhost1.mycompany.com:7777, admin.mycompany.com

     Note:

     One of the hostname variations provided here will be passed as a value for the web_domain parameter while running the OAM Configuration Tool to enable Single Sign-On. For more information, refer to Section 8.2.2, "Running the OAM Configuration Tool."

   For more information about host identifiers, refer to the Oracle Access Manager Access Administration Guide.

   
   Description of the illustration screenshot73.gif
   
   

5. Click Access System Configuration, then select Add New Access Gate.

6. Specify the following parameters for your WebGate:

   • AccessGate Name: Provide a unique, descriptive name for this WebGate. This is also the WebGate ID or Access Gate ID. For example: WebGate_WebHost1

   • Description: Specify additional descriptive information about the WebGate. This is an optional parameter.

   • Hostname: Specify the name of the computer where the WebGate will be installed. For example: webhost1.mycompany.com

   • Port: Specify the port the WebGate Web server is listening to. This is an optional parameter.

   • AccessGate Password and Re-type AccessGate Password: Enter a password for the WebGate.

   • Transport Security: The level of transport security between the Access Server and associated WebGates. Specify Open (the transport security mode must be the same between all Access Servers and WebGates).

   • Maximum Connections: This parameter is based on how many Access Server connections are defined to each individual Access Server. In this case, the value to be used is 4 (2 connections per access server and there are 2 access servers)

   • Preferred HTTP Host: The value provided for the Preferred HTTP Host must be one of the following:

     • An existing host identifier as provided in step 4 of this section. For example: idmedg_wd

     • SERVER_NAME

     • HOST_HTTP_SERVER

   Click Save.

   
   Description of the illustration screenshot79.gif
   
   

7. Details for the WebGate instance appear, and you are prompted to associate an Access Server or Access Server cluster with the WebGate.

   Note the details on this page for future reference, then click the Back button.

7.4.3.2 Assigning an Access Server to the WebGate

Follow these steps to assign an Access Server to the WebGate:

1. Log in as the Administrator.

2. Navigate to the Details for AccessGate page, if necessary. (From the Access System Console, select Access System Configuration, then AccessGate Configuration, then the link for the WebGate.).

3. On the Details for AccessGate page, click List Access Servers.

4. A page appears with a message that there are no primary or secondary Access Servers currently configured for this WebGate.

   Click Add.

5. On the Add a new Access Server page, select an Access Server from the Select Server list, specify Primary Server, and define 2 connections for the WebGate.

   Click the Add button to complete the association.

6. A page appears, showing the association of the Access Server with the WebGate.

   Click the link to display a summary and print this page for use later.

7. Repeat steps 3 through 6 to associate another Access Server to the WebGate.

7.4.3.3 Installing the WebGate

Follow these steps to install the WebGate on OAMADMINHOST, WEBHOST1, and WEBHOST2:

1. Locate the WebGate Installer on your Oracle Access Manager Software disk and start the installer as shown below. Pass the "-gui" option to bring up the GUI console.

   ./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate -gui
   

2. On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen, click Next.

3. On the Customer Information screen, enter the username and group that the Identity Server will use. The default value for username and group is nobody. For example, enter oracle/oinstall.

   Click Next.

4. Specify the installation directory for Oracle Access Manager Access Server. For example, enter:

   /u01/app/oracle/product/fmw/oam/webgate
   

   Click Next.

   Note:

   The base location for the Oracle Access Manager WebGate installation is /u01/app/oracle/product/fmw/oam/webgate. The WebGate component is installed in a subdirectory automatically created by the installer under this location.

   The WebGate is installed in the access subdirectory created by the installer under the base location.

   The ORACLE_HOME location for the Oracle Access Manager WebGate installation is:

   /u01/app/oracle/product/fmw/oam/webgate/access
   

5. Oracle Access Manager WebGate will be installed in the following location (the access directory is created by the installer automatically):

   /u01/app/oracle/product/fmw/oam/webgate/access
   

   
   Description of the illustration oamwebgate5.gif
   
   

6. Specify the location of the GCC runtime libraries, for example: /home/oracle/oam_lib.

   Click Next.

7. The installation progress screen is shown. After the installation process completes, the WebGate Configuration screen appears.

8. On the WebGate Configuration screen you are prompted for the transport security mode.

   Specify the transport security mode. The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match; select one of the following: Open Mode, Simple Mode, or Cert Mode.

   Select Open Mode.

   Click Next.

9. On the next WebGate Configuration screen, specify the following WebGate details:

   • WebGate ID: Specify the unique ID that identifies the WebGate profile in the Access System Console. If the profile was created manually, use the Access Gate Name provided in Section 7.4.3.1, "Creating a WebGate Profile." If the profile was created by the OAM Configuration Tool, use the Access Gate ID that is shown in the output after the tool completes successfully. Refer to Section 8.2.2, "Running the OAM Configuration Tool" for more information.

   • Password for WebGate: Specify the password defined in the Access System Console.

   • Access Server ID: Specify the Access Server associated with the WebGate. For example: AccessServer_OAMHOST1

   • DNS Hostname: Specify the DNS host name where the Access Server associated with this WebGate is installed. For example: oamhost1.mycompany.com

   • Port Number: Specify the listen port for the Access Server.

   Click Next.

   
   Description of the illustration oamwebgate30.gif
   
   

10. On the Configure Web Server screen, click Yes to automatically update the web server, then click Next.

11. On the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf file. The httpd.conf file is located under the following directory:

    /u01/app/oracle/admin/ohsInstance/config/OHS/ohsComponentName
    

    For example:

    /u01/app/oracle/admin/ohs_instance2/config/OHS/ohs2/httpd.conf
    

    Click Next.

12. On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.

    Click Next.

13. Stop and start your Web server to enable configuration updates to take effect.

    Click Next.

14. On the next Configure Web Server screen, the following message is displayed: "If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up".

    Click Next.

15. On the next Configure Web Server screen, a message with the location of the document that has information on the rest of the product setup and Web Server configuration is displayed.

    Select No and click Next.

16. The final Configure Web Server screen appears with a message to manually launch a browser and open the html document for further information on configuring your Web Server.

    Click Next.

17. The Oracle COREid Readme screen appears. Review the information on the screen and click Next.

18. A message appears (along with the details of the installation) informing you that the installation was successful.

    Click Finish.

19. Restart your Web server.

20. Verify the installation by performing the following steps:

    1. Ensure that the Identity Server, WebPass Web server, Policy Manager and Web Server, Access Server, and WebGate Web Server are running.

    2. Specify the following URL for WebGate diagnostics:

       http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
       

       Where hostname refers to the host where the WebGate instance is running and port refers to HTTP port of the Oracle HTTP Server instance that is associated with the WebGate instance.

       For example, use these URLs for the WebGate on each of the following hosts:

       OAMADMINHOST:
       http(s)://oamadminhost.mycompany.com:7777/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
       
       WEBHOST1:
       http(s)://webhost1.mycompany.com:7777/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
       
       WEBHOST2:
       http(s)://webhost2.mycompany.com:7777/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
       

       The WebGate diagnostic page should appear. If the WebGate diagnostic page appears, the WebGate is functioning properly and you can dismiss the page.