Oracle® Fusion Middleware Installation Guide for Oracle Identity Management
11g Release 1 (11.1.1)

Part Number E12002-05

21.6 Setting Up Integration Between OIM and OAM Using the Domain Agent

After completing the prerequisites, you can set up integration between Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) as follows:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Ensure that the WL_HOME environment variable is set to the wlserver_10.3 directory under your Middleware Home. On UNIX, it is the <MW_HOME>/wlserver_10.3 directory. On Windows, it is the <MW_HOME>\wlserver_10.3 directory. In addition, set the JAVA_HOME environment variable to the directory where the JDK is installed on your machine.

  3. Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under Oracle_IDM2, which is your IDM_Home for Oracle Identity Manager and Oracle Access Manager.

  4. In the ldapconfig.props file, set values for the following parameters:

    • OIMProviderURL - Specify the URL for the OIM provider in the format: t3://localhost:8003

    • OIDURL - Specify the URL for the OID instance.

    • OIDAdminUsername - Specify the OID Administrator's user name, such as cn=orcladmin.

    • OIDSearchBase - Specify the OID search base, such as ou=people,dc=com.

    • UserContainerName - Specify the name of the user container, which is used as the default container for users in the LDAP directory. For example, cn=Users.

    • RoleContainerName - Specify the name of the role container, which is used as the default container for roles in the LDAP directory. For example, cn=Groups.

    • ReservationContainerName - Specify the name of the user reservation container, which is used to reserve users while waiting for user creation approvals in Oracle Identity Manager. When the user creation is approved, users are moved from the reservation container to the actual user container.
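As an added pre-flight check (example code written for this page, not part of Oracle's ldap_config_util scripts), the following Python script parses an ldapconfig.props file and validates the parameters listed above before LDAPConfigPreSetup is run: every parameter is present, the two URLs carry the expected scheme and a port, the container and administrator entries are well-formed DNs, and no password has been stored in the file (the setup script prompts for it in the next step). The parameter names are those documented above; the sample file contents, the host names and the regular expression used for the DN check are constructed assumptions.

```python
# Added example, not Oracle's code: validate ldapconfig.props before running
# LDAPConfigPreSetup. Parameter names come from the documented file; the
# sample values below are constructed.
import re
import sys
from urllib.parse import urlsplit

REQUIRED = (
    "OIMProviderURL", "OIDURL", "OIDAdminUsername", "OIDSearchBase",
    "UserContainerName", "RoleContainerName", "ReservationContainerName",
)
DN_KEYS = ("OIDAdminUsername", "OIDSearchBase", "UserContainerName",
           "RoleContainerName", "ReservationContainerName")

# Constructed sample, in the key=value layout of a Java properties file.
SAMPLE_PROPS = """\
# constructed example, not a real ldapconfig.props
OIMProviderURL=t3://localhost:8003
OIDURL=ldap://oid.example.com:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=example,dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Groups
ReservationContainerName=cn=Reserve
"""

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments.
    Only the first '=' separates key from value, so DNs containing '=' survive."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

# Loose RDN shape: attribute=value with no comma inside the value (assumption).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")

def is_dn(value):
    """True if value is one or more comma-separated attr=value RDNs."""
    return bool(value) and all(_RDN.match(rdn.strip()) for rdn in value.split(","))

def url_ok(value, schemes):
    """True if value has one of the given schemes, a host and a numeric port."""
    parts = urlsplit(value)
    try:
        port = parts.port
    except ValueError:
        return False
    return parts.scheme in schemes and bool(parts.hostname) and port is not None

def check_props(props):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"{key}: missing or empty")
    if props.get("OIMProviderURL") and not url_ok(props["OIMProviderURL"], {"t3", "t3s"}):
        problems.append("OIMProviderURL: expected the form t3://host:port")
    if props.get("OIDURL") and not url_ok(props["OIDURL"], {"ldap", "ldaps"}):
        problems.append("OIDURL: expected the form ldap://host:port or ldaps://host:port")
    for key in DN_KEYS:
        if props.get(key) and not is_dn(props[key]):
            problems.append(f"{key}: not a well-formed DN ({props[key]!r})")
    # The pre-setup script prompts for passwords; none belong in this file.
    for key in props:
        if "password" in key.lower() or "pwd" in key.lower():
            problems.append(f"{key}: credentials should not be stored in ldapconfig.props")
    return problems

if __name__ == "__main__":
    # Pass the path to ldapconfig.props, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROPS
    for line in check_props(parse_props(text)) or ["ldapconfig.props looks consistent"]:
        print(line)
```

Run it with the path to server/ldap_config_util/ldapconfig.props as the only argument; an empty problem list means the values are at least syntactically consistent before the setup script connects to OID.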

  5. On the command line, run the LDAP configuration pre-setup script (LDAPConfigPreSetup.bat on Windows, and LDAPConfigPreSetup.sh on UNIX). The files are located in the same server/ldap_config_util directory under your IDM_Home for Oracle Identity Manager and Oracle Access Manager.

  6. When prompted, enter the OID administrator's password and the OIM administrator's password.

    Tip:

    After executing the LDAPConfigPreSetup script, you can run the following ldapsearch commands on the command line to verify that the necessary schema is created in Oracle Internet Directory:

    ldapsearch -p <OIDPORT> -D cn=orcladmin -w <ORCLADMIN_PASSWORD> -h <OIDHOST> -b "cn=subschemasubentry" -s base "objectclass=*" attributetypes | grep ob

    ldapsearch -p <OIDPORT> -D cn=orcladmin -w <ORCLADMIN_PASSWORD> -h <OIDHOST> -b "cn=subschemasubentry" -s base "objectclass=*" objectclasses | grep OIM

    The above ldapsearch commands should return rows if the LDAPConfigPreSetup script was successfully executed.

  7. Configure Oracle Virtual Directory using Oracle Directory Services Manager to add adapters for users and changelog, as described in Task 2: Configuring OVD and OID for OIM.

    Note:

    Set the oamEnabled parameter to true when you configure the adapters, because this procedure sets up integration between Oracle Identity Manager and Oracle Access Manager.

  8. Start the WebLogic Administration Server in the domain that manages Oracle Identity Manager and Oracle Access Manager. For information about starting the Administration Server, see Starting the Stack.

  9. Update the Single Sign-On (SSO) provider configuration as follows:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the example IDM_Home directory for Oracle Identity Manager and Oracle Access Manager. For more information, see Important Notes Before You Begin.

    2. Use the WebLogic Scripting Tool (WLST) interface to add Oracle Access Manager Single Sign-On service instance and required properties as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the addOAMSSOProvider WLST Online command that adds an OAM SSO provider.

      addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")

      Table 21-2 WLST addOAMSSOProvider Command Arguments

      Argument Description

      loginuri

      Specifies the URI of the login page. Required.

      logouturi

      Specifies the URI of the logout page. Optional. If unspecified, defaults to logouturi=NONE.

      Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class OAMSSOServiceImpl to clear the cookie ObSSOCookie.

      autologinuri

      Specifies the URI of the autologin page. Optional. If unspecified, it defaults to autologin=NONE.


      Tip:

      To verify the configuration of the Single Sign-On (SSO) provider, complete the following steps:
      1. From your present working directory, move to the following directory:

        <DOMAIN_HOME>/config/fmwconfig

      2. Open the jps-config.xml file in a text editor.

      3. In this file, you should see the following sets of entries, in addition to the existing entries:

        <propertySet name="props.auth.uri.0">
                     <property value="/oamsso/logout.html" name="logout.url"/>
                     <property value="/obrar.cgi" name="autologin.url"/>
                     <property value="/${app.context}/adfAuthentication" name="login.url.BASIC"/>
                     <property value="/${app.context}/adfAuthentication" name="login.url.ANONYMOUS"/>
                     <property value="/${app.context}/adfAuthentication" name="login.url.FORM"/>
        </propertySet>

        <serviceInstance provider="sso.provider.0" name="sso.inst.0">
                     <property value="oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl" name="sso.provider.class"/>
        </serviceInstance>
        
    3. Restart all Managed Servers and the WebLogic Administration Server in the domain. For more information about stopping the servers, see Stopping the Stack. For information about starting the servers, see Starting the Stack.

    Note:

    If you have more than one host in the Oracle Identity Management domain, you must update the default value of the primaryAccessServer configuration parameter of the Domain Agent to the actual values.

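The jps-config.xml check in the tip for step 9 can be automated. The following Python script is an added example (not Oracle's code and not produced by WLST): it parses the file, ignoring any XML namespace, and confirms that the props.auth.uri.0 property set and the sso.inst.0 service instance exist with the values that addOAMSSOProvider writes. The element and property names come from the snippet in the tip; the sample document is a constructed minimal file (a real jps-config.xml contains many other entries), and its namespace URI is a placeholder.

```python
# Added example, not Oracle's code: confirm the SSO provider entries that
# addOAMSSOProvider is expected to leave in jps-config.xml.
import sys
import xml.etree.ElementTree as ET

EXPECTED_PROVIDER_CLASS = "oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl"
EXPECTED_LOGIN_URI = "/${app.context}/adfAuthentication"
LOGIN_KEYS = ("login.url.BASIC", "login.url.ANONYMOUS", "login.url.FORM")

# Constructed minimal jps-config.xml. The namespace URI is a placeholder; the
# parser ignores namespaces so it also works on a real file.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="urn:example:jps-config">
  <propertySets>
    <propertySet name="props.auth.uri.0">
      <property value="/oamsso/logout.html" name="logout.url"/>
      <property value="/obrar.cgi" name="autologin.url"/>
      <property value="/${app.context}/adfAuthentication" name="login.url.BASIC"/>
      <property value="/${app.context}/adfAuthentication" name="login.url.ANONYMOUS"/>
      <property value="/${app.context}/adfAuthentication" name="login.url.FORM"/>
    </propertySet>
  </propertySets>
  <serviceInstances>
    <serviceInstance provider="sso.provider.0" name="sso.inst.0">
      <property value="oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl" name="sso.provider.class"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

def _local(tag):
    """Strip a '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _properties(elem):
    """Map name -> value for the <property> children of an element."""
    return {c.get("name"): c.get("value") for c in elem if _local(c.tag) == "property"}

def load_sso_entries(xml_text):
    """Return (property sets, service instances), each keyed by its name attribute."""
    root = ET.fromstring(xml_text)
    property_sets = {e.get("name"): _properties(e)
                     for e in root.iter() if _local(e.tag) == "propertySet"}
    instances = {e.get("name"): (e.get("provider"), _properties(e))
                 for e in root.iter() if _local(e.tag) == "serviceInstance"}
    return property_sets, instances

def verify_sso_provider(xml_text):
    """Return a list of mismatches; an empty list means the entries look right."""
    problems = []
    property_sets, instances = load_sso_entries(xml_text)

    uris = property_sets.get("props.auth.uri.0")
    if uris is None:
        problems.append("propertySet props.auth.uri.0 is missing")
    else:
        for key in LOGIN_KEYS:
            if uris.get(key) != EXPECTED_LOGIN_URI:
                problems.append(f"{key} is {uris.get(key)!r}, expected {EXPECTED_LOGIN_URI!r}")
        if not uris.get("logout.url"):
            problems.append("logout.url is not set (logout would fall back to NONE)")

    inst = instances.get("sso.inst.0")
    if inst is None:
        problems.append("serviceInstance sso.inst.0 is missing")
    else:
        provider, props = inst
        if provider != "sso.provider.0":
            problems.append(f"sso.inst.0 uses provider {provider!r}, expected 'sso.provider.0'")
        if props.get("sso.provider.class") != EXPECTED_PROVIDER_CLASS:
            problems.append(f"sso.provider.class is {props.get('sso.provider.class')!r}, "
                            f"expected {EXPECTED_PROVIDER_CLASS!r}")
    return problems

if __name__ == "__main__":
    # Pass the path to <DOMAIN_HOME>/config/fmwconfig/jps-config.xml, or run
    # without arguments to check the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JPS_CONFIG
    for line in verify_sso_provider(text) or ["SSO provider entries look consistent"]:
        print(line)
```

Because the script compares the login URIs against the exact value WLST writes, it also catches a mangled placeholder such as a missing brace in ${app.context}, which would otherwise leave ADF-protected applications without a working login redirect.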
  10. Log in to My Oracle Support website (http://support.oracle.com), and search for the Single Sign-On Server Patch 9824531. Install this patch, as described in the readme file that is included in the patch.

  11. Rewire Oracle Access Manager (OAM) to Oracle Internet Directory (OID) by running the createUserIdentityStore WLST command:

    On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the example IDM_Home directory for Oracle Identity Manager and Oracle Access Manager. For more information, see Important Notes Before You Begin.

    Use the WebLogic Scripting Tool (WLST) interface to add Oracle Access Manager Single Sign-On service instance and required properties as follows:

    On UNIX: Run ./wlst.sh on the command line.

    On Windows: Run wlst.cmd.

    At the WLST command prompt (wls:/offline>), type the following:

    connect()

    You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

    Run the createUserIdentityStore WLST Online command to configure Oracle Access Manager to use Oracle Internet Directory as its LDAP provider, as in the following example:

    createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="testing1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=acme,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=acme,dc=com")

    Note:

    Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    If orcladmin is specified as roleSecAdmin, you may encounter permission problems when you run the RREG tool to register the Oracle HTTP Server 10g Webgate agent instead of the Domain Agent. Therefore, you must provide an appropriate group in Oracle Internet Directory user identity store in order to be able to run RREG to register the Oracle HTTP Server 10g Webgate agent.

    You can also use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

    Tip:

    To verify whether Oracle Access Manager is using Oracle Internet Directory as its LDAP provider, complete the following steps:
    1. Open the oam-config.xml file in a text editor to verify whether the file contains an entry with the name specified in the createUserIdentityStore WLST command. The XML file is located in the <DOMAIN_HOME>/config/fmwconfig directory.

    2. If this entry is present, verify whether value of the property IsPrimary for this entry is set to true.

  12. Set up an OID authenticator as follows:

    1. Log in to the Oracle WebLogic Administration Console.

    2. In the Domain Structure section on the left navigation pane, click Security Realms. The Summary of Security Realms page is displayed.

    3. In the Change Center section on the left navigation pane, click Lock & Edit.

    4. On this page, click a default realm, such as myrealm. The Settings for myrealm page is displayed.

    5. On this page, click the Providers tab.

    6. Under Authentication Providers, click New. The Create a New Authentication Provider page is displayed.

    7. On this page, enter a name for the provider in the Name text box. For example, test.

    8. Select OracleInternetDirectoryAuthenticator from the Type drop-down list.

    9. Click OK. The new provider test is listed on the Settings for myrealm page.

    10. On this page, click the newly created authentication provider. The Settings for test page is displayed.

    11. On this page, select SUFFICIENT as the Control Flag. Click Save to save the settings.

    12. Exit the Oracle WebLogic Administration Console.

  13. Configure Oracle Access Manager (OAM) for Oracle Identity Manager (OIM) integration as follows:

    On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the example IDM_Home directory for Oracle Identity Manager and Oracle Access Manager. For more information, see Important Notes Before You Begin.

    Use the WebLogic Scripting Tool (WLST) interface to add Oracle Access Manager Single Sign-On service instance and required properties as follows:

    On UNIX: Run ./wlst.sh on the command line.

    On Windows: Run wlst.cmd.

    At the WLST command prompt (wls:/offline>), type the following:

    connect()

    You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

    Run the configureOIM WLST Online command to configure Oracle Access Manager for OIM integration.

    configureOIM(oimHost = "<OIM_Host>" , oimPort = "<OIM_Port>", oimSecureProtocolEnabled = "false", oimAccessGatePwd = "<Password>", oimCookieDomain = "<cookie_domain>")

    The <OIM_Host> and <OIM_Port> parameters in this WLST command refer to the Oracle Identity Manager Managed Server when you are using the Oracle Identity Management Domain Agent with a single Oracle Identity Manager instance. If you set oimSecureProtocolEnabled to false, HTTP is used; if you set it to true, HTTPS is used.

    Note:

    When you run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server at a later stage, you are required to enter values for Password for Access Gate and Domain of Cookie fields on the LDAP Sync and OAM screen in the configuration wizard. You must specify the same oimAccessGatePwd password and oimCookieDomain values.

    Similarly, if you wish to use Oracle HTTP Server 10g Webgate for Oracle Access Manager instead of Domain Agent, you must specify the Webgate access password and cookie domain values for oimAccessGatePwd and oimCookieDomain parameters of the configureOIM command. In addition, you must specify the same values for Password for Access Gate and Domain of Cookie fields on the LDAP Sync and OAM screen in the Oracle Identity Manager Configuration Wizard.

    For more information, see LDAP Sync and OAM in the appendix Oracle Identity Manager Configuration Screens, which describes each screen in the Oracle Identity Manager Configuration Wizard.

    Tip:

    To verify the configuration of Oracle Access Manager for OIM integration, complete the following steps:
    1. Open the oam-config.xml file in a text editor to verify whether the file contains the agent profile entry IdentityManagerAccessGate. The XML file is located in the <DOMAIN_HOME>/config/fmwconfig directory.

    2. In the same file, verify whether the OIM Port is listed in the IdentityManagement/ServerConfiguration section.

  14. Run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server. To start the wizard, go to the bin directory under Oracle_IDM2 (your IDM_ORACLE_HOME for Oracle Identity Manager and Oracle Access Manager) and run the following command on the command line:

    • On Windows:

      config.bat

    • On UNIX:

      ./config.sh

  15. Use the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager, as described in Configuring OIM Server. While configuring Oracle Identity Manager Server, ensure that you select the Enable Identity Administration Integration with OAM option on the LDAP Sync and OAM screen.

    Note that you must enter the same oimAccessGatePwd password and oimCookieDomain values that you specified in the configureOIM WLST command in the Password of Access Gate and Domain of Cookie fields on the LDAP Sync and OAM screen.

    When you choose to enable Identity Administration Integration with OAM using the Oracle Identity Manager Configuration Wizard, the Enable LDAP Sync option for OIM is selected, by default.

    Proceed to complete the configuration of Oracle Identity Manager Server. When prompted, enter the OIM administrator's password and the xelsysadm password.

    Tip:

    To verify the configuration of Oracle Identity Manager, complete the following steps:
    1. Check authenticator configuration as follows:

      1) Restart the WebLogic Administration Server. Log in to the WebLogic Server Administration Console.

      2) Click Security Realms > myrealm > Providers.

      3) Verify that OAM Identity Asserter and OID Authenticator are listed. In addition, click the Users and Groups tab and verify that OID users are populated.

    2. Download the oim-config.xml file and verify the Single Sign-On (SSO) configuration information as follows:

      1) Start the Oracle Identity Manager Managed Server.

      2) Log in to Oracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.

      3) Click Identity and access > oim > oim(version). Right-click and select System MBean Browser. The System MBean Browser page is displayed.

      4) Under Application Defined MBeans, select oracle.iam > Server:oim_server1 > Application: oim > XMLConfig > XMLConfig.SSOConfig > SSOConfig.

      OAM's access server information used in OIM is displayed. Validate and verify the information.

  16. Shut down the WebLogic Administration Server, as described in Stopping the Stack.

  17. Log in to My Oracle Support website (http://support.oracle.com), and search for the Single Sign-On Server Patch 9449855. Install this patch, as described in the readme file that is included in the patch.

  18. Restart the Administration Server and the Managed Servers (OIM, SOA, and OAM). For information about stopping the servers and then starting the servers, see Stopping the Stack and Starting the Stack.

  19. On the command line, run the LDAP configuration post-setup script (LDAPConfigPostSetup.bat on Windows, and LDAPConfigPostSetup.sh on UNIX). The files are located in the server/ldap_config_util directory under your IDM_Home (Oracle_IDM2) for Oracle Identity Manager and Oracle Access Manager.

The integration between Oracle Identity Manager and Oracle Access Manager using the out-of-the-box Domain Agent is now complete.