Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 1 (11.1.1) Part Number E12035-06
This chapter describes how to install and configure Oracle Identity Manager 11.1.1 for use in the Oracle Identity Management Enterprise Deployment Topology.
This chapter contains the following topics:
Section 13.2, "Extending the Domain to Configure OIM and Oracle SOA Suite on IDMHOST1"
Section 13.3, "Configuring Oracle Identity Manager on IDMHOST1"
Section 13.4, "Propagating the OIM and SOA Managed Servers to OIMHOST1 and OIMHOST2"
Section 13.5, "Post-Installation Steps on OIMHOST1 and OIMHOST2"
Section 13.8, "Configuring Oracle Identity Manager to Work with the Oracle Web Tier"
Section 13.10, "Configuring a Default Persistence Store for Transaction Recovery"
Section 13.11, "Adding the CSF Entries for Oracle Identity Management and WSM"
Section 13.12, "Backing Up the Application Tier Configuration"
Oracle Identity Manager is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It also improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a stand-alone product or as part of Oracle Identity Management Suite.
Automating user identity provisioning can reduce Information Technology (IT) administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.
Oracle Identity Manager provides the following key functionalities:
User Administration
Workflow and Policy
Password Management
Audit and Compliance Management
Integration Solutions
User Provisioning
Organization and Role Management
For details about Oracle Identity Manager, see the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.
Before extending the domain with Oracle Identity Manager, ensure that the following tasks have been performed:
Install and upgrade the following software on IDMHOST1, IDMHOST2, OIMHOST1 and OIMHOST2:
WebLogic Server: see Section 4.5.3
Oracle Identity Management Suite: see Section 4.6.3
Oracle SOA Suite: see Section 4.5.5
Configure the Oracle Internet Directory instances, as described in Section 7.1 and Section 7.2.
Extend the domain with Oracle Virtual Directory, as described in Chapter 8.
Create the Oracle Internet Directory adapter using ODSM, as described in Section 9.6.
Note:
Oracle SOA deployed along with Oracle Identity Manager is used exclusively for Oracle Identity Manager workflow. It cannot be used for other purposes.
Although OIM will be deployed on servers dedicated to it (OIMHOST1 and OIMHOST2), the WebLogic domain must first be extended with OIM on IDMHOST1. Configure Oracle Identity Manager on IDMHOST1 as follows.
To extend the domain on IDMHOST1, stop the WebLogic Administration Server and all the managed servers running in the domain. Then start the configuration wizard by executing the command:
MW_HOME/oracle_common/common/bin/config.sh
Proceed as follows:
On the Welcome screen, select Extend an existing WebLogic Domain.
Click Next.
On the Select WebLogic Domain Directory screen, select the location of the domain directory for the OIM domain. For Example: /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain.
Click Next.
On the Select Extension Source screen, select Extend my domain automatically to support the following added products. From the list below, select: Oracle Identity Manager.
Note:
Oracle SOA Suite and Oracle WSM Policy Manager are selected automatically.
Click Next.
The Configure RAC Multi Data Sources screen displays the schedulerDS Data Source configured for Oracle Directory Integration Platform and Oracle Directory Services Manager (ODSM). Do not make any selections or changes on this screen.
Click Next.
On the Configure JDBC Component Schemas screen, select all the data sources listed on the page:
SOA Infrastructure
User Messaging Service
OIM MDS Schema
OWSM MDS Schema
SOA MDS Schema
OIM Schema
Select Configure selected component schemas as RAC multi data source schemas in the next panel.
Click Next.
On the Configure RAC Multi Data Source Component Schema page, select all the schemas for your component. Do not select schemas listed for previously configured components. Then enter the following information:
Service Name: oimedg.us.oracle.com
For the First Oracle RAC Node:
HostName: oimdb1.us.oracle.com
Instance Name: oimedg1
Port: 1521
For the second Oracle RAC Node (click Add to add an additional row):
HostName: oimdb2.us.oracle.com
Instance Name: oimedg2
Port: 1521
Select each schema individually to enter the user name and password. For example:
| Schema Name | Schema Owner | Password | 
|---|---|---|
| SOA Infrastructure | EDG_SOAINFRA | password | 
| User Messaging Service | EDG_ORASDPM | password | 
| OIM MDS Schema | EDG_MDS | password | 
| OWSM MDS Schema | EDG_MDS | password | 
| SOA MDS Schema | EDG_MDS | password | 
| OIM Infrastructure | EDG_OIM | password | 
Click Next.
Note:
Do not select the OAM Infrastructure Multi Data Source Schema on this screen.
On the Test Component Schema screen, the Configuration Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.
Click Next.
On the Select Optional Configuration screen, Select:
JMS Distributed Destination
Managed Servers, Clusters and Machines
Click Next.
On the JMS Distributed Destination screen, make sure that all the JMS system resources listed on the screen are uniform distributed destinations. If they are not, select UDD from the drop-down box. Make sure that the entries look like this:
| JMS System Resource | Uniform/Weighted Distributed Destination | 
|---|---|
| UMSJMSSystemResource | UDD | 
| SOAJMSModule | UDD | 
| OIMJMSModule | UDD | 
Click Next.
An Override Warning box with the following message is displayed:
CFGFWK-40915: At least one JMS system resource has been selected for conversion to a Uniform Distributed Destination (UDD). This conversion will take place only if the JMS System resource is assigned to a cluster
Click OK on the Override Warning box.
When you first enter the Configure Managed Servers screen, the configuration wizard will have created a default managed server for you. Change the details of the default managed server. In addition, create a new entry by clicking Add. That is, there should be two entries for each OIMHOST in the topology.
For the Oracle Identity Management Managed Servers:
Name: WLS_OIMn where n is a sequential number
Listen Address: The DNS name of the server that will host the managed server
Listen Port: 14000
For the SOA Managed Servers:
Name: WLS_SOAn where n is a sequential number
Listen Address: The DNS name of the server that will host the managed server
Listen Port: 8001
Click Next.
Note:
Do not change the configuration of any managed servers that have already been configured as part of previous application deployments.
On the Configure Clusters screen, create two clusters by clicking Add. Supply the following information:
OIM Cluster:
Name: cluster_oim
Cluster Messaging Mode: unicast
SOA Cluster:
Name: cluster_soa
Cluster Messaging Mode: unicast
Leave all other fields at the default settings and click Next.
Note:
Do not make any changes to the cluster_oam and the cluster_soa entries.
On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.
The cluster_oim will have the managed servers WLS_OIM1 and WLS_OIM2 as members.
The cluster_soa will have the managed servers WLS_SOA1 and WLS_SOA2 as members.
Click Next.
Note:
Do not make any changes to the cluster_oam and the cluster_soa entries.
On the Configure Machines screen, create a machine for each host in the topology. Click the UNIX tab if your hosts use Linux or a UNIX-based operating system. Otherwise, click Machines. Supply the following information:
Name: Name of the host. Best practice is to use the DNS name. For example: oimhost1.mycompany.com and oimhost2.mycompany.com for the first and second nodes respectively.
Node Manager Listen Address: DNS name of the machine. For example: oimhost1.mycompany.com and oimhost2.mycompany.com for the first and second nodes respectively.
Node Manager Port: Port for Node Manager
If Oracle Identity Manager has created a local machine entry under the General Machines tab, delete it.
Click Next.
On the Assign Servers to Machines screen, indicate which managed servers will run on each of the machines you created.
Click a machine in the right pane.
Click the managed servers you want to run on that machine in the left pane.
Click the arrow to assign the managed servers to the machines.
Repeat until all managed servers are assigned to machines.
For example:
OIMHOST1: WLS_OIM1 and WLS_SOA1
OIMHOST2: WLS_OIM2 and WLS_SOA2
Click Next to continue.
On the Configuration Summary screen, click Extend to extend the domain.
Stop and start the WebLogic Administration Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
After you have extended the domain, configure the Oracle Identity Manager and SOA Managed Servers before starting them.
This section contains the following topics:
Section 13.3.1, "Prerequisites for Configuring Oracle Identity Manager"
Section 13.3.2, "Running the Oracle Identity Management Configuration Wizard"
Before configuring Oracle Identity Manager, ensure that the following tasks have been performed:
Configure Oracle Internet Directory using the LDAP configuration pre-setup script, as described in Section 13.3.1.1.
Create the Adapters in Oracle Virtual Directory, as described in Section 13.3.1.2
The Oracle Identity Manager LDAP configuration pre-setup script adds the users, groups, and schemas required by OIM to OID. The LDAP configuration pre-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. To run the script, follow these steps:
Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:
| Parameter | Value | 
|---|---|
| OIMProviderURL | t3://oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000 | 
| OIDURL | ldap://oidhost1.mycompany.com:389 | 
| OIDAdminUsername | cn=orcladmin | 
| OIDSearchBase | dc=mycompany,dc=com | 
| UserContainerName | cn=Users | 
| RoleContainerName | cn=Roles | 
| ReservationContainerName | cn=Reserved | 
Note:
The OIMProviderURL is not used by the LDAP configuration pre-setup script. It is only used by the LDAP configuration post-setup script.
The OIDURL above refers to the OID URL. Do not substitute the OVD URL.
The script throws a warning message if a container already exists in OID. You can safely ignore this message.
Save the file.
Set JAVA_HOME and WL_HOME so that the script can see them:
export JAVA_HOME=ORACLE_BASE/product/fmw/jdk160_18
export WL_HOME=ORACLE_BASE/product/fmw/wlserver_10.3
Note:
The JAVA_HOME must be set to the Sun JDK.
Run LDAPConfigPreSetup.sh. The script prompts for the Oracle Internet Directory administrator password and the Oracle Identity Manager administrator password. For example:
Prompt> ./LDAPConfigPreSetup.sh
[Enter OID admin password:]
[Enter OIM admin password:]
Note:
The LDAPConfigPreSetup.sh script creates a user called oimadmin in Oracle Internet Directory with the following DN: cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext. Oracle Identity Manager uses this user for the LDAP sync operations.
You use the credentials for the oimadmin user when you create the adapters in OVD. Please make a note of the password provided here.
The output will be similar to this:
./LDAPConfigPreSetup.sh
[Enter OID admin password:]
[Enter OIM admin password:]
Jun 21, 2010 6:16:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: ./oimadminuser.ldif
Jun 21, 2010 6:16:20 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: ./oimcontainers.ldif
Jun 21, 2010 6:16:20 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: ../../oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
Jun 21, 2010 6:16:48 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: ../../oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
Jun 21, 2010 6:26:03 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: ../../oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
Jun 21, 2010 6:26:04 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: ../../oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
Validate that the script completed successfully.
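One way to verify that the pre-setup script left the expected entries behind, as an added example that is not part of the Oracle guide or of its scripts: the code below derives the three container DNs from the ldapconfig.props values and the oimadmin DN from the note above, and compares them against an LDIF export. The properties file and the LDIF export are constructed sample data; in practice the export would come from an ldapsearch against the OID server named in OIDURL. The OVD host-name heuristic is an assumption about naming, not a rule from the guide.

```python
"""Offline check of what LDAPConfigPreSetup.sh is documented to create in OID.

Added example; not part of the Oracle guide or its scripts. The properties
and the LDIF export below are constructed sample data.
"""
import re

# Constructed ldapconfig.props content mirroring the guide's table.
SAMPLE_PROPS = """\
OIMProviderURL=t3://oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
OIDURL=ldap://oidhost1.mycompany.com:389
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=mycompany,dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Roles
ReservationContainerName=cn=Reserved
"""

# Constructed LDIF export: the entries a successful pre-setup run leaves behind.
SAMPLE_LDIF = """\
dn: cn=Users,dc=mycompany,dc=com
cn: Users

dn: cn=Roles,dc=mycompany,dc=com
cn: Roles

dn: cn=Reserved,dc=mycompany,dc=com
cn: Reserved

dn: cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext
cn: oimadmin
"""

# DN of the LDAP-sync user, as stated in the guide's note.
OIMADMIN_DN = "cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext"


def parse_props(text):
    """Parse key=value lines. Only the first '=' separates key from value, so
    values that themselves contain '=' (cn=orcladmin) survive intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """DNs compare case-insensitively; drop whitespace around the commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def expected_dns(props):
    """The entries the pre-setup script should have created for these properties."""
    base = props["OIDSearchBase"]
    return {
        "users": f"{props['UserContainerName']},{base}",
        "roles": f"{props['RoleContainerName']},{base}",
        "reserved": f"{props['ReservationContainerName']},{base}",
        "oimadmin": OIMADMIN_DN,
    }


def ldif_dns(text):
    """Collect the normalized dn: of every entry in an LDIF export."""
    return {normalize_dn(m.group(1)) for m in re.finditer(r"^dn:\s*(.+)$", text, re.M)}


def missing_entries(props_text, ldif_text):
    """Names of expected entries absent from the export; empty means the run is complete."""
    present = ldif_dns(ldif_text)
    return sorted(name for name, dn in expected_dns(parse_props(props_text)).items()
                  if normalize_dn(dn) not in present)


def oidurl_points_at_ovd(props):
    """Heuristic for the guide's warning that OIDURL must be the OID URL, not the
    OVD URL: flags a host name containing 'ovd'. Site naming may differ (assumption)."""
    host = re.sub(r"^ldaps?://", "", props["OIDURL"]).split(":")[0]
    return "ovd" in host.lower()


if __name__ == "__main__":
    print("missing:", missing_entries(SAMPLE_PROPS, SAMPLE_LDIF))
    print("OIDURL looks like OVD:", oidurl_points_at_ovd(parse_props(SAMPLE_PROPS)))
```

An empty list from missing_entries means every container and the oimadmin user are present; the names returned otherwise tell you which ldapconfig.props value to check against what actually exists in OID before moving on to the OVD adapters.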
OIM uses OVD to connect to external LDAP stores. You must create a user adapter and a change log adapter in OVD to enable OIM to connect to an external LDAP store such as OID. Follow these steps to create the adapters.
User Adapter
Create the user adapter on the OVD instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.
Start the Administration Server and the WLS_ODSn Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Open a browser and bring up the ODSM console at http://admin.mycompany.com/odsm.
Create connections to each of the OVD instances running on OVDHOST1 and OVDHOST2, if they do not already exist.
Connect to each OVD instance by using the appropriate connection entry.
On the Home page, click the Adapter tab.
Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.
Create a new adapter using the New Adapter Wizard, with the following parameters:
Note:
If you created a User Adapter by following Section 9.6, "Creating the Oracle Internet Directory Adapter Using ODSM," skip the steps to create the Adapter and follow the steps to Edit the Adapter.
| Screen | Field | Value/Step | 
|---|---|---|
| Type | Adapter Type | LDAP | 
| | Adapter Name | User Adapter | 
| | Adapter Template | User_OID | 
| Connection | Use DNS Setting | No | 
| | Host | oid.mycompany.com | 
| | Port | 389 | 
| | Server Proxy Bind DN | cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext | 
| | Proxy Password | oimadminpassword. This is the same as the password provided in Section 13.3.1.1. | 
| | Connection Test | Validate that the test succeeds. | 
| Namespace | Remote Base | dc=mycompany,dc=com | 
| | Mapped Namespace | dc=mycompany,dc=com | 
| Summary | | Verify that the summary is correct and then click Finish. | 
Edit the User Adapter as follows:
Select the OIM User Adapter.
Click the Plug-ins Tab.
Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, update the parameter values as follows:
| Parameter | Value | 
|---|---|
| directoryType | oid | 
| pwdMaxFailure | 10 | 
| oamEnabled | true | 
Click OK.
Click Apply.
Change Log Adapter
Create the change log adapter on the OVD instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the Change Log Adapter in OVD using Oracle Directory Services Manager.
Open a browser and bring up the ODSM console at http://admin.mycompany.com/odsm.
Create connections to each of the OVD instances running on OVDHOST1 and OVDHOST2, if they do not already exist.
Connect to an OVD instance by using the appropriate connection entry.
On the Home page, click on the Adapter tab.
Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.
Create a new adapter using the New Adapter Wizard, with the following parameters:
| Screen | Field | Value/Step | 
|---|---|---|
| Type | Adapter Type | LDAP | 
| | Adapter Name | OIM Change Log Adapter | 
| | Adapter Template | Changelog_OID | 
| Connection | Use DNS Setting | No | 
| | Host | oid.mycompany.com | 
| | Port | 389 | 
| | Server Proxy Bind DN | cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext | 
| | Proxy Password | oimadminpassword. This is the same as the password provided in Section 13.3.1.1. | 
| | Connection Test | Validate that the test succeeds. | 
| Namespace | Remote Base | cn=changelog | 
| | Mapped Namespace | cn=changelog | 
| Summary | | Verify that the summary is correct, then click Finish. | 
To edit the Change Log Adapter, follow these steps:
Select the OIM Change Log Adapter.
Click the Plug-ins tab.
In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.
In the Parameters table, update the parameter values.
Click OK.
Click Apply.
Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the mapObjectclass, modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.
| Parameter | Value | 
|---|---|
| directoryType | oid | 
| mapAttribute | targetGUID=orclGUID | 
| mapObjectclass | changelog=changelogentry | 
| requiredAttribute | orclGUID | 
| addAttribute | orclContainerOC,changelogSupported=1 | 
| modifierDNFilter | cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext | 
| sizeLimit | 1000 | 
| targetDNFilter | dc=mycompany,dc=com. Search base from which reconciliation needs to happen. This value must be the same as the LDAP SearchDN that is specified during OIM installation. | 
| mapUserState | true | 
| oamEnabled | true | 
Stopping and Starting Oracle Internet Directory and Oracle Virtual Directory
Stop and start the following, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components":
The OVD instances running on both OVDHOST1 and OVDHOST2.
The OID instances running on both OIDHOST1 and OIDHOST2.
You must configure the OIM server instances before you can start the OIM and SOA Managed Servers. The Oracle Identity Management Configuration Wizard loads the OIM metadata into the database and configures the instance.
Before proceeding, ensure that the following are true:
The administration server is up and running.
The environment variables DOMAIN_HOME and WL_HOME are not set in the current shell.
The Oracle Identity Management Configuration Wizard is located under the Identity Management Oracle home. Type:
IAM_ORACLE_HOME/bin/config.sh
Proceed as follows:
On the Welcome screen, click Next.
On the Components to Configure screen, select OIM Server and OIM Remote Manager.
Click Next.
On the Database screen, provide the following values:
Connect String: The connect string for the OIM database. For example:
oimdb1-vip.mycompany.com:1521:oimedg1^oimdb2-vip.mycompany.com:1521:oimedg2@oimedg.mycompany.com
OIM Schema User Name: edg_oim
OIM Schema password: password
MDS Schema User Name: edg_mds
MDS Schema Password: password
Click Next.
On the WebLogic Administration Server screen, provide the following details for the WebLogic Admin Server:
URL: The URL to connect to the WebLogic Administration Server. For example: t3://adminvhn.mycompany.com:7001
UserName: weblogic
Password: Password for the weblogic user
Click Next.
On the OIM Server screen, provide the following values:
OIM Administrator Password: Password for the OIM Administrator. This is the password for the xelsysadm user.
Confirm Password: Confirm the password
OIM HTTP URL: Proxy URL for the OIM Server. This is the URL for the Hardware load balancer that is front ending the OHS servers for OIM. For example: http://oiminternal.mycompany.com:80.
Key Store Password: Key store password. The password must have an uppercase letter and a number. For example: MyPassword1
Click Next.
On the LDAP Sync and OAM screen, select Configure BI Publisher and provide the BI Publisher URL. Enter the URL to connect to the BI Publisher in your environment.
Select Enable LDAP Sync
Notes:
Do not select Enable Identity Administration Integration with OAM. This will be configured later.
BI Publisher is not a part of the IDMDomain. The steps to configure the BI Publisher are not covered in this Enterprise Deployment Guide.
Click Next.
On the LDAP Server screen, provide the following LDAP server details:
LDAP URL: The URL to access the LDAP server. For example: ldap://ovd.mycompany.com:389
LDAP User: The username to connect to the LDAP Server. For example: cn=orcladmin
LDAP Password: The password to connect to the LDAP server.
LDAP SearchDN: The Search DN. For example: dc=mycompany,dc=com.
Click Next.
On the LDAP Server Continued screen, provide the following LDAP server details:
LDAP Role Container: The DN for the Role Container. This is the container where the OIM roles are stored. For example: cn=Roles,dc=mycompany,dc=com
LDAP User Container: The DN for the User Container. This is the container where the OIM users are stored. For example: cn=Users,dc=mycompany,dc=com
User Reservation Container: The DN for the User Reservation Container. For example: cn=Reserved,dc=mycompany,dc=com.
Note:
These container values should be the same as those used in LDAPConfigPreSetup.sh.
Click Next.
On the Remote Manager screen, provide the following values:
Service Name: EDG_RManager
RMI Registry Port: 12345
Listen Port (SSL): 12346
On the Configuration Summary screen, verify the summary information.
Click Configure to configure the Oracle Identity Manager instance.
On the Configuration Progress screen, once the configuration completes successfully, click Next.
On the Configuration Complete screen, view the details of the Oracle Identity Manager Instance configured.
Click Finish to exit the Configuration Assistant.
Stop the WebLogic Administration Server and all the managed servers running in the domain, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the WebLogic Administration Server and all the managed servers running in the domain, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Once the configuration has succeeded on IDMHOST1, you can propagate the configuration to OIMHOST1 and OIMHOST2. You do this by packing the domain on IDMHOST1 and unpacking it on OIMHOST1 and OIMHOST2.
Follow these steps to propagate the domain to OIMHOST1 and OIMHOST2.
Invoke the pack utility from MW_HOME/oracle_common/common/bin/.
./pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=/u01/app/oracle/admin/templates/oim_domain.jar -template_name="OIM Domain" -managed=true
This creates a file called oim_domain.jar in the /u01/app/oracle/admin/templates directory. Copy this file to OIMHOST1 and OIMHOST2.
On OIMHOST1, invoke the utility unpack, which is also located in the directory MW_HOME/oracle_common/common/bin/.
./unpack.sh -domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain -template=/u01/app/oracle/product/fmw/templates/oim_domain.jar -overwrite_domain=true -app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
On OIMHOST2, invoke the utility unpack, which is also located in the directory MW_HOME/oracle_common/common/bin/.
./unpack.sh -domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain -template=/u01/app/oracle/product/fmw/templates/oim_domain.jar -overwrite_domain=true -app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
Copy the soa directory located under the /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain directory on IDMHOST1 to the /u01/app/oracle/admin/IDMDomain/mserver/IDMDomain directory on OIMHOST1 and OIMHOST2.
To copy the soa directory from IDMHOST1 to OIMHOST1:
scp -rp /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/soa user@OIMHOST1:/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/soa
To Copy the soa directory from IDMHOST1 to OIMHOST2:
scp -rp /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/soa user@OIMHOST2:/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain/soa
This section describes post-installation steps.
This section contains the following topics:
Section 13.5.1, "Updating the Coherence Configuration for the SOA Managed Server"
Section 13.5.2, "Starting the WLS_OIM1 and WLS_SOA1 Managed Servers on OIMHOST1"
Section 13.5.3, "Validating Oracle Identity Manager Instance on OIMHOST1"
Follow these steps to update the Coherence Configuration for the WLS_SOA Server.
Log into the Oracle WebLogic Server Administration Console.
Click Lock and Edit.
In the Domain Structure window, expand the Environment node.
Click Servers. The Summary of Servers page appears.
Click the name of the server in the Name column of the table. The settings page for the selected server appears.
Click the Server Start tab.
Enter text into the Arguments field for WLS_SOA1 and WLS_SOA2.
For WLS_SOA1, enter the following text on a single line, without a carriage return:
-Dtangosol.coherence.wka1=oimhost1vhn1.mycompany.com -Dtangosol.coherence.wka2=oimhost2vhn1.mycompany.com -Dtangosol.coherence.localhost=oimhost1vhn1.mycompany.com
For WLS_SOA2, enter the following text on a single line, without a carriage return:
-Dtangosol.coherence.wka1=oimhost1vhn1.mycompany.com -Dtangosol.coherence.wka2=oimhost2vhn1.mycompany.com -Dtangosol.coherence.localhost=oimhost2vhn1.mycompany.com
Note:
The Coherence cluster used for deployment uses port 8088 by default. You can change this port by specifying a different port (for example, 8089) with the -Dtangosol.coherence.wkan.port (where n is the number of the well-known address) and -Dtangosol.coherence.localport startup parameters. For example:
For WLS_SOA1 (on a single line):
-Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost1vhn1 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
For WLS_SOA2 (on a single line):
-Dtangosol.coherence.wka1=oimhost1vhn1 -Dtangosol.coherence.wka2=oimhost2vhn1 -Dtangosol.coherence.localhost=oimhost2vhn1 -Dtangosol.coherence.localport=8089 -Dtangosol.coherence.wka1.port=8089 -Dtangosol.coherence.wka2.port=8089
Click Save and activate the changes.
Note:
The multicast and unicast addresses are different from the ones used by the WebLogic Server cluster for cluster communication. SOA guarantees that composites are deployed to members of a single WebLogic Server cluster even though the communication protocols for the two entities (the WebLogic Server cluster and the groups to which composites are deployed) are different.
Do not copy the text from this section into your Administration Console's Arguments field. Doing so can insert HTML tags into the Java arguments. The text must not include any text or characters other than the ones shown.
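A consistency check for the two SOA servers' Coherence arguments, as an added example that is not part of the Oracle guide: the well-known-address lists must match on both servers, each server's localhost must be one of those addresses and differ from the other server's, any port override must agree between localport and the advertised wkaN.port, and nothing but -Dtangosol.coherence options may be present (the stray HTML the note above warns about shows up as an unparseable token). The argument strings are constructed from the values in this section; the default port of 8088 is the one the note states.

```python
"""Consistency check for the Coherence Server Start arguments of WLS_SOA1 and WLS_SOA2.

Added example; not part of the Oracle guide. Argument strings are constructed
from the guide's values.
"""
import re

DEFAULT_PORT = 8088  # Coherence default per the guide's note

SAMPLE_ARGS = {
    "WLS_SOA1": "-Dtangosol.coherence.wka1=oimhost1vhn1.mycompany.com "
                "-Dtangosol.coherence.wka2=oimhost2vhn1.mycompany.com "
                "-Dtangosol.coherence.localhost=oimhost1vhn1.mycompany.com",
    "WLS_SOA2": "-Dtangosol.coherence.wka1=oimhost1vhn1.mycompany.com "
                "-Dtangosol.coherence.wka2=oimhost2vhn1.mycompany.com "
                "-Dtangosol.coherence.localhost=oimhost2vhn1.mycompany.com",
}


def parse_coherence_args(arg_string):
    """Return {name: value} for each -Dtangosol.coherence.<name>=<value> token.
    Any other token (HTML pasted from a browser, a line break turned into text)
    is an error; that is the failure the guide's note warns about."""
    props = {}
    for token in arg_string.split():
        m = re.fullmatch(r"-Dtangosol\.coherence\.([\w.]+)=(\S+)", token)
        if not m:
            raise ValueError(f"unexpected token in Coherence arguments: {token!r}")
        props[m.group(1)] = m.group(2)
    return props


def wka_ports(props):
    """Map each well-known address to the port it is advertised on
    (wkaN.port when given, otherwise the default)."""
    ports = {}
    for key, value in props.items():
        if re.fullmatch(r"wka\d+", key):
            ports[value] = int(props.get(f"{key}.port", DEFAULT_PORT))
    return ports


def check_cluster(args_by_server):
    """Return a list of problems; empty means the servers form one consistent WKA cluster."""
    problems = []
    parsed = {}
    for server, arg_string in args_by_server.items():
        try:
            parsed[server] = parse_coherence_args(arg_string)
        except ValueError as exc:
            problems.append(f"{server}: {exc}")
    if len(parsed) != len(args_by_server):
        return problems  # no point comparing until every argument string parses

    wka = {server: wka_ports(p) for server, p in parsed.items()}
    if len({tuple(sorted(w.items())) for w in wka.values()}) != 1:
        problems.append("well-known address lists (or their ports) differ between servers")

    localhosts = {}
    for server, p in parsed.items():
        lh = p.get("localhost")
        if lh is None:
            problems.append(f"{server}: no localhost set")
            continue
        if lh not in wka[server]:
            problems.append(f"{server}: localhost {lh} is not one of its well-known addresses")
        else:
            localport = int(p.get("localport", DEFAULT_PORT))
            if wka[server][lh] != localport:
                problems.append(f"{server}: localport {localport} differs from the port advertised for {lh}")
        localhosts[server] = lh
    if len(set(localhosts.values())) != len(localhosts):
        problems.append("two servers use the same localhost")
    return problems


if __name__ == "__main__":
    for problem in check_cluster(SAMPLE_ARGS) or ["OK: consistent WKA cluster"]:
        print(problem)
```

Run it against the exact strings you intend to paste into the Arguments field of each server; a non-empty result points at the server and option that would keep the two SOA members from forming a single cluster.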
Follow this sequence of steps to start the WLS_OIM1 and WLS_SOA1 Managed Servers on OIMHOST1:
Stop the WebLogic Administration Server on IDMHOST1 by using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the Administration Server on IDMHOST1 using the node manager, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate that the Administration Server started up successfully by bringing up the Oracle WebLogic Administration Console.
Start Node Manager on OIMHOST1 by running the startNodeManager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory; this creates the nodemanager.properties file.
Before you can start the managed servers by using the console, Node Manager requires that the property StartScriptEnabled be set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory:
prompt> cd MW_HOME/oracle_common/common/bin
prompt> ./setNMProps.sh
Stop and Start the node manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components" so that the properties take effect.
Start the WLS_SOA1 managed server, using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the WLS_OIM1 managed server using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://oimhost1.mycompany.com:14000/oim/self.
Log in using the xelsysadm username and password.
Note:
When you log in for the first time, you will be prompted to set up Challenge Questions. Please do so before proceeding further.
This section describes the post-installation steps on OIMHOST2.
This section contains the following topics:
Section 13.6.2, "Starting the WLS_OIM2 and WLS_SOA2 Managed Servers on OIMHOST2"
Section 13.6.3, "Validating Oracle Identity Manager Instance on OIMHOST2"
Start Node Manager on OIMHOST2 by running the startNodeManager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory; this creates the nodemanager.properties file.
Before you can start the managed servers by using the console, Node Manager requires that the property StartScriptEnabled be set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory:
prompt> cd MW_HOME/oracle_common/common/bin
prompt> ./setNMProps.sh
Stop and start Node Manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," so that the properties take effect.
Follow this sequence of steps to start the WLS_OIM2 and WLS_SOA2 Managed Servers on OIMHOST2:
Start the WLS_SOA2 managed server, using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start the WLS_OIM2 managed server using the WebLogic Administration Console as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://oimhost2.mycompany.com:14000/oim/.
Log in using the xelsysadm username and password.
The OIM LDAP configuration post-setup script updates the OIM LDAP Sync scheduled jobs with the last change number from OID. The LDAP configuration post-setup script is located under the IAM_ORACLE_HOME/server/ldap_config_util directory. Run the Script on IDMHOST1, as follows:
Edit the ldapconfig.props file located under the IAM_ORACLE_HOME/server/ldap_config_util directory and provide the following values:
| Parameter | Value | 
|---|---|
| OIMProviderURL | t3://oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000 | 
| OIDURL | ldap://oidhost1.mycompany.com:389 | 
| OIDAdminUsername | cn=orcladmin | 
| OIDSearchBase | dc=mycompany,dc=com | 
| UserContainerName | cn=Users | 
| RoleContainerName | cn=Roles | 
| ReservationContainerName | cn=Reserved | 
Note:
UserContainerName, RoleContainerName, and ReservationContainerName are not used in this step.
These values might have already been set when you ran the LDAPConfigPreSetup.sh script in Section 13.3.1.1.
Save the file.
Set JAVA_HOME and WL_HOME so that the script can see them:
export JAVA_HOME=ORACLE_BASE/product/fmw/jdk160_18
export WL_HOME=ORACLE_BASE/product/fmw/wlserver_10.3
Note:
The JAVA_HOME must be set to the Sun JDK.
Run LDAPConfigPostSetup.sh. The script prompts for the OID Admin Password and the OIM Admin Password. For example:
Prompt> ./LDAPConfigPostSetup.sh
[Enter OID admin password: ]
[Enter password for xelsysadm: ]
This section describes how to configure Oracle Identity Manager to work with the Oracle Web Tier.
This section contains the following topics:
Section 13.8.2, "Configuring Oracle HTTP Servers to Front End the OIM & SOA Managed Servers."
Section 13.8.4, "Validating Oracle Identity Manager Instance from the WebTier"
Before configuring Oracle Identity Manager to work with the Oracle Web Tier, ensure that the following tasks have been performed:
Install Oracle Web Tier on WEBHOST1 and WEBHOST2.
Install and configure Oracle Identity Manager on IDMHOST1 and IDMHOST2.
Configure the load balancer with a virtual hostname (sso.mycompany.com) pointing to the web servers on WEBHOST1 and WEBHOST2.
Configure the load balancer with a virtual hostname (admin.mycompany.com) pointing to web servers WEBHOST1 and WEBHOST2.
On each of the web servers on WEBHOST1 and WEBHOST2, create a file called oim.conf in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. This file must contain the following information:
# oim admin console(idmshell based)
  <Location /admin>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
# oim self and advanced admin webapp consoles(canonic webapp)
  <Location /oim>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
# SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
  <Location /sodcheck>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:8001,oimhost2.us.oracle.com:8001
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
  <Location /workflowservice>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
# xlWebApp - Legacy 9.x webapp (struts based)
  <Location /xlWebApp>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
# Nexaweb WebApp - used for workflow designer and DM
  <Location /Nexaweb>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
# used for FA Callback service.
  <Location /callbackResponseService>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
# spml xsd profile
  <Location /spml-xsd>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
  <Location /HTTPClnt>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
  </Location>
Save the file on both WEBHOST1 and WEBHOST2.
Stop and start the Oracle HTTP Server instances on both WEBHOST1 and WEBHOST2 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
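The oim.conf file above carries nine <Location> blocks that must agree on the handler, on the cookie name (one shared WLCookieName is what lets a user's session stick to the same node across all the OIM web applications) and on the cluster members, with only /sodcheck pointing at the SOA managed server port. The following Python script is an added example, not part of the Oracle guide: it parses an oim.conf-style file and reports any block that deviates from that pattern. The expected host:port sets and the SOA-only path are assumptions taken from the sample file above, so change them to match your hosts before running it.

```python
"""Sanity-check an Oracle HTTP Server oim.conf routing file (added example).

Parses every <Location> ... </Location> block and reports blocks that are
missing a directive, use a different cookie name, or route to an unexpected
WebLogic cluster. The expected values below are assumptions copied from the
sample oim.conf in the guide; adjust them for your own hosts and ports.
"""
import re
from typing import Dict, List

# Assumed expected values (from the guide's sample configuration).
OIM_CLUSTER = {"oimhost1.us.oracle.com:14000", "oimhost2.us.oracle.com:14000"}
SOA_CLUSTER = {"oimhost1.us.oracle.com:8001", "oimhost2.us.oracle.com:8001"}
SOA_PATHS = {"/sodcheck"}          # only this path is served by the SOA managed servers
REQUIRED = ("SetHandler", "WLCookieName", "WebLogicCluster", "WLLogFile")

_LOC_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def parse_locations(text: str) -> Dict[str, Dict[str, str]]:
    """Return {path: {directive: value}} for each <Location> block, skipping comments."""
    blocks: Dict[str, Dict[str, str]] = {}
    for m in _LOC_RE.finditer(text):
        path, body = m.group(1), m.group(2)
        directives: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"\s+", line, maxsplit=1)
            value = parts[1].strip('"') if len(parts) > 1 else ""
            directives[parts[0]] = value
        blocks[path] = directives
    return blocks


def check_oim_conf(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the file matches the expected pattern."""
    findings: List[str] = []
    blocks = parse_locations(text)
    if not blocks:
        return ["no <Location> blocks found"]
    for path, d in blocks.items():
        for name in REQUIRED:
            if name not in d:
                findings.append(f"{path}: missing {name}")
        if "SetHandler" in d and d["SetHandler"] != "weblogic-handler":
            findings.append(f"{path}: SetHandler is {d['SetHandler']!r}, not weblogic-handler")
        if "WLCookieName" in d and d["WLCookieName"] != "oimjsessionid":
            findings.append(f"{path}: WLCookieName {d['WLCookieName']!r} breaks shared session affinity")
        if "WebLogicCluster" in d:
            members = {m.strip() for m in d["WebLogicCluster"].split(",") if m.strip()}
            expected = SOA_CLUSTER if path in SOA_PATHS else OIM_CLUSTER
            if members != expected:
                findings.append(f"{path}: WebLogicCluster {sorted(members)} != expected {sorted(expected)}")
    return findings


# Constructed sample that mirrors two blocks of the guide's oim.conf.
SAMPLE_OK = """\
<Location /oim>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /sodcheck>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:8001,oimhost2.us.oracle.com:8001
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
"""

# Constructed broken sample: /sodcheck sent to the OIM port on one node only,
# and /xlWebApp without the shared cookie name.
SAMPLE_BAD = """\
<Location /sodcheck>
    SetHandler weblogic-handler
    WLCookieName    oimjsessionid
    WebLogicCluster oimhost1.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /xlWebApp>
    SetHandler weblogic-handler
    WebLogicCluster oimhost1.us.oracle.com:14000,oimhost2.us.oracle.com:14000
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for finding in check_oim_conf(text):
        print(finding)
```

Run it on each web host against ORACLE_INSTANCE/config/OHS/component/moduleconf/oim.conf before restarting Oracle HTTP Server; a block routed to the wrong port fails only at request time, so catching it in the file is cheaper than finding it in the mod_wl log.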
Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately.
To do this, log into the WebLogic administration console at http://admin.mycompany.com/console. Proceed as follows:
Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.
Click Lock and Edit in the Change Center Window to enable editing.
Click the Cluster Name (cluster_soa).
In the General tab, select WebLogic Plug-in Enabled in the Advanced Properties section.
Click Save.
Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.
Click the Cluster Name (cluster_oim).
In the General tab, select WebLogic Plug-in Enabled in the Advanced Properties section.
Click Save.
Click Activate Changes in the Change Center window to apply the changes.
Validate the Oracle Identity Manager Server Instance by bringing up the OIM Console in a web browser at: http://sso.mycompany.com/oim. Log in using the xelsysadm username and password.
Note:
If you have installed Oracle Access Manager 11g, you might have to log in twice, first as an OAM administrative user, such as oamadmin, at the OAM login page, then as xelsysadm at the OIM login page.
You must configure a shared JMS persistence store to enable the resumption of pending JMS messages. Specify a location on a NAS or SAN storage device that is available to the other servers in the cluster. Refer to Section 2.4, "Shared Storage and Recommended Directory Structure" for more information. Configure the location for all of the persistence stores as a directory that is visible from both nodes, and change all of the persistent stores to use this shared base directory.
Follow these steps to configure a Shared JMS Persistence Store:
Log in to the Oracle WebLogic Server Administration Console.
Click Lock and Edit.
In the Domain Structure window, expand the Services node and then click the Persistence Stores node. The Summary of Persistence Stores page is displayed.
Select the persistence store (represented as a hyperlink) from the Name column of the table. The Settings page for the persistence store is displayed.
On the Configuration tab, in the Directory field, enter the location of a persistent storage solution (such as NAS or SAN) that is available to other servers in the cluster. Specifying this location enables pending JMS messages to be sent.
The location should have the following directory structure:
For the SOAJMSFileStore_auto_1, SOAJMSFileStore_auto_2, UMSJMSFileStore_auto_1, and UMSJMSFileStore_auto_2 persistence stores, use a directory structure similar to ORACLE_BASE/admin/domain_name/soa_cluster_name/jms.
For the OIMJMSFileStore_auto_1 and OIMJMSFileStore_auto_2 persistence stores use a directory structure similar to ORACLE_BASE/admin/domain_name/oim_cluster_name/jms.
Note:
The WLS_OIM1 and WLS_OIM2 servers must be able to access this directory.
The WLS_SOA1 and WLS_SOA2 servers must be able to access this directory.
This directory must exist before you restart the server.
Click Save to save the changes.
Repeat for each persistence store.
Click Activate Changes from the change center.
Do not restart the OIM and SOA managed servers. They will be restarted after performing the steps in Section 13.10, "Configuring a Default Persistence Store for Transaction Recovery."
The WLS_OIM and WLS_SOA Managed Servers each have a transaction log that stores information about committed transactions coordinated by that server which might not yet have been completed. WebLogic Server uses this transaction log to recover from system crashes or network failures. To leverage the migration capability of the Transaction Recovery Service for the servers within a cluster, store the transaction log in a location accessible to a server and its backup servers.
Note:
Preferably, this location should be on a dual-ported SCSI disk or on a Storage Area Network (SAN).
Perform these steps to set the location of the default persistence stores for the OIM and SOA Servers:
Log in to the Oracle WebLogic Server Administration Console.
Click Lock and Edit.
In the Domain Structure window, expand the Environment node and then click the Servers node.
The Summary of Servers page is displayed.
Click the name of either the OIM or the SOA server (represented as a hyperlink) in the Name column of the table.
The Settings page for the selected server is displayed, and defaults to the Configuration tab.
Open the Services sub tab.
In the Default Store section of the page, enter the path to the folder where the default persistent store will keep its data files. The directory structure of the path is as follows:
For OIM Servers: ORACLE_BASE/admin/domain_name/oim_cluster_name/tlogs
For SOA Servers: ORACLE_BASE/admin/domain_name/soa_cluster_name/tlogs
Note:
To enable migration of the Transaction Recovery Service, specify a location on a persistent storage solution that is available to other servers in the cluster. All the servers that are part of the cluster must be able to access this directory.
Click Save and Activate.
Restart the OIM and SOA managed servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," to make the changes take effect.
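Both the JMS file stores and the default (transaction log) stores above depend on the same condition: the directory must exist and be writable from every node that can host the server, or a migrated server will fail to start. The following Python script is an added example, not part of the Oracle guide. It derives the directory layout the guide prescribes (ORACLE_BASE/admin/domain_name/<cluster>/jms and .../tlogs, using the store names listed above) and probes each directory with a real file write, which is more reliable than a permission-bit check on NFS. The domain and cluster names in the demo are assumptions.

```python
"""Verify the shared JMS and tlog directories for the OIM and SOA clusters (added example).

Run it on each node that hosts a WLS_OIM or WLS_SOA server. Every path must
exist and be writable from every node; otherwise the file stores and
transaction logs are not usable after a server migration. Store names and the
directory layout follow the guide; the domain/cluster names in the demo are
assumptions.
"""
import os
import socket
import tempfile
from typing import Dict, List

SOA_JMS_STORES = ("SOAJMSFileStore_auto_1", "SOAJMSFileStore_auto_2",
                  "UMSJMSFileStore_auto_1", "UMSJMSFileStore_auto_2")
OIM_JMS_STORES = ("OIMJMSFileStore_auto_1", "OIMJMSFileStore_auto_2")


def expected_store_dirs(oracle_base: str, domain_name: str,
                        oim_cluster_name: str, soa_cluster_name: str) -> Dict[str, str]:
    """Map every store (JMS file stores plus the per-cluster default tlog stores) to its shared directory."""
    oim_base = os.path.join(oracle_base, "admin", domain_name, oim_cluster_name)
    soa_base = os.path.join(oracle_base, "admin", domain_name, soa_cluster_name)
    dirs = {name: os.path.join(soa_base, "jms") for name in SOA_JMS_STORES}
    dirs.update({name: os.path.join(oim_base, "jms") for name in OIM_JMS_STORES})
    dirs["WLS_OIM default store"] = os.path.join(oim_base, "tlogs")
    dirs["WLS_SOA default store"] = os.path.join(soa_base, "tlogs")
    return dirs


def check_store_dirs(dirs: Dict[str, str], create: bool = False) -> List[str]:
    """Return one problem line per store whose directory is missing or not writable.

    With create=True, missing directories are created first (do this once from
    one node, then re-run read-only from the other nodes). Writability is
    probed by creating and deleting a small file named after this host.
    """
    problems: List[str] = []
    probe_name = f".wls_store_probe_{socket.gethostname()}_{os.getpid()}"
    for store, path in dirs.items():
        if not os.path.isdir(path):
            if not create:
                problems.append(f"{store}: {path} does not exist")
                continue
            os.makedirs(path, exist_ok=True)
        probe = os.path.join(path, probe_name)
        try:
            with open(probe, "w") as fh:
                fh.write("probe\n")
            os.remove(probe)
        except OSError as exc:
            problems.append(f"{store}: {path} is not writable from this node ({exc.strerror})")
    return problems


def demo_in_tempdir() -> Dict[str, int]:
    """Run the check against a throwaway ORACLE_BASE: read-only first, then creating the tree."""
    with tempfile.TemporaryDirectory() as base:
        dirs = expected_store_dirs(base, "IDMDomain", "cluster_oim", "cluster_soa")
        before = check_store_dirs(dirs)                 # nothing exists yet
        after = check_store_dirs(dirs, create=True)     # creates and probes
        again = check_store_dirs(dirs)                  # read-only re-check
    return {"stores": len(dirs), "missing_before": len(before),
            "problems_after_create": len(after), "problems_recheck": len(again)}


if __name__ == "__main__":
    print(demo_in_tempdir())
```

In a real deployment call expected_store_dirs with your ORACLE_BASE, domain and cluster names, run check_store_dirs(dirs, create=True) once from one node, and then run the read-only check from the other node before restarting the managed servers.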
If you extend your domain with Oracle Identity Manager after the domain has been associated with an external LDAP store, the OIM configuration wizard does not populate the Credential Store Framework with the appropriate key-value pairs required for the Oracle Identity Manager and Oracle SOA Suite managed servers to start up. To work around this issue, you must create the required entries manually, by using Oracle Enterprise Manager Fusion Middleware Control. This is a temporary workaround.
Follow these steps to create the entries:
Open a browser and bring up Fusion Middleware Control at: http://admin.mycompany.com/em.
Log in as the Weblogic user.
Expand Farm_DomainName in the left pane and navigate to Weblogic Domain > Domain Name. For example, if IDMDomain is the name of your domain, navigate to Farm_IDMDomain > Weblogic Domain > IDMDomain.
The IDMDomain Page appears in the right pane.
Navigate to IDMDomain > Security > Credential to bring up the Credentials Page.
On the Credentials page, click Create Map to create a map. Create a map called oim for the Oracle Identity Manager entries and a map called oracle.wsm.security for the WSM entries.
Create the entries for the maps in the table. Select the map where you want to add entries and click Create Key to create a key.
Enter the following values on the Create Key page:
Select Map: Map Name
Key: Key Name
Type: Password
User Name: User Name
Password: Password
Description: Description for the Key
Click OK.
Refer to the following table to create the keys required for Oracle Identity Manager and the oracle.wsm.security maps.
| Select Map | Key | Type | User Name | Password | 
|---|---|---|---|---|
| oim | OIMSchemaPassword | Password | OIMSchemaPassword | Password for OIM DB | 
| oim | xell | Password | xell | Password for Keystore | 
| oim | DataBaseKey | Password | DataBaseKey | Password for Keystore | 
| oim | JMSKey | Password | JMSKey | Password for Keystore | 
| oim | .xldatabasekey | Password | .xldatabasekey | Password for Keystore | 
| oim | default-keystore.jks | Password | default-keystore.jks | Password for Keystore | 
| oim | SOAAdminPassword | Password | SOAAdminPassword | Password for Keystore | 
| oracle.wsm.security | keystore-csf-key | Password | owsm | Password for weblogic user | 
| oracle.wsm.security | enc-csf-key | Password | xell | Password for Keystore | 
| oracle.wsm.security | sign-csf-key | Password | xell | Password for Keystore | 
| oracle.wsm.security | recipient-alias-key | Password | xell | not used | 
Password for Keystore is the keystore password provided when running the OIM Configuration Wizard.
Stop and Start the Administration Server.
Start the Oracle Identity Management and Oracle SOA Suite Managed Servers using the WebLogic Admin Console.
The Oracle Identity Management and Oracle SOA Suite Managed Servers start up correctly after you create the maps.
It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.
For information on database backups, refer to the Oracle Database Backup and Recovery Advanced User's Guide.
To back up the installation to this point, follow these steps:
Back up the web tier as described in Section 5.6, "Backing up the Web Tier Configuration."
Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager. You can also use operating system tools such as tar for cold backups.
Back up the Administration Server domain directory as described in Section 6.14, "Backing Up the WebLogic Domain."
Back up the Oracle Internet Directory as described in Section 7.5, "Backing up the OID Configuration."
Back up the Oracle Virtual Directory as described in Section 8.5, "Backing Up the Oracle Virtual Directory Configuration."
For information about backing up the application tier configuration, see Section 19.4, "Performing Backups and Recoveries."