21 Integration Between OIM and OAM

This chapter describes how to set up integration between Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).

It includes the following topics:

Overview
Important Notes Before You Begin
Task Roadmap
Prerequisites
Introduction to WebLogic Server Domain Agent
Setting Up Integration Between OIM and OAM Using the Domain Agent
Verifying the Configuration
Using Oracle HTTP Server 10g Webgate for Oracle Access Manager 11g

21.1 Overview

For an overview of Oracle Identity Management suite-level integration scenarios, see the guide Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite.

This chapter describes how to set up the integration using the WebLogic Server Domain Agent.

Note:

However, you can migrate from the Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager if you wish to protect partner applications outside of the WebLogic domain.

See chapter Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for OAM for more information.

21.2 Important Notes Before You Begin

Before you start installing and configuring Oracle Identity Management products in any of the scenarios discussed in this chapter, keep the following points in mind:

It is assumed that you are installing Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator on the same machine.

Note:
In this chapter, two IDM_Home directories are mentioned in the descriptions and procedures. For example, the first one, Oracle_IDM1 can be the IDM_Home directory for Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation. The second one, Oracle_IDM2 can be the IDM_Home directory for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator.
However, note that Oracle_IDM1 and Oracle_IDM2 are used as examples in this document. You can specify any name for either of your IDM_Home directories. In addition, you can install the two Oracle Identity Management suites (one containing Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation; another containing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator) in any order on your machine.

If you choose to use the default names, the first installation creates an Oracle_IDM1 directory, and the second installation creates an Oracle_IDM2 directory.

If you have not installed Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, or Oracle Identity Federation on the same machine where you are installing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator, then you will see a single IDM_Home directory, such as Oracle_IDM1, under your MW_HOME directory.

For more information, see Overview and Structure of Oracle Identity Management 11g Installation.
By performing the domain configuration procedures described in this chapter, you can create Managed Servers on a local machine (the machine on which the Administration Server is running). However, you can create and start Managed Servers for Oracle Identity Management components on a remote machine. For more information, see the "Creating and Starting a Managed Server on a Remote Machine" topic in the guide Oracle Fusion Middleware Creating Templates and Domains Using the Pack and Unpack Commands.
You must use the Oracle Identity Manager Configuration Wizard to configure only Oracle Identity Manager Server, Oracle Identity Manager Design Console (on Windows only), and Oracle Identity Manager Remote Manager.

You must complete this additional configuration for Oracle Identity Manager components after configuring Oracle Identity Manager in a new or existing WebLogic administration domain. For more information, see OIM Domain Configuration Scenarios.

If you are configuring Oracle Identity Manager Server, you must run the Oracle Identity Manager configuration wizard on the machine where the Administration Server is running. For configuring the Server, you can run the wizard only once during the initial setup of the Server. After the successful setup of Oracle Identity Manager Server, you cannot run the Oracle Identity Manager Configuration Wizard again to modify the configuration of Oracle Identity Manager Server. For such modifications, you must use Oracle Enterprise Manager Fusion Middleware Control.

Note that Oracle Identity Manager requires Oracle SOA Suite 11g (11.1.1.3.0), which should be exclusive to Oracle Identity Management. You must install Oracle SOA Suite before configuring Oracle Identity Manager. If you are setting up integration between Oracle Identity Manager and Oracle Access Manager, ensure that Oracle Identity Manager, Oracle Access Manager, and Oracle SOA Suite are configured in the same domain.

21.3 Task Roadmap

Table 21-1 Task Roadmap

Task	For More Information
Install Oracle Database	Installing Oracle Database
Create and load database schemas	Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home	Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1.3.0) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) are installed	Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0)
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain	OID and OVD with ODSM in a New WebLogic Domain
On the command line, use the cd command to move from your present working directory to the following directory: On UNIX: `<WL_HOME>/server/lib` On Windows: `<WL_HOME>\server\lib`
At the command prompt, run the following command: `<full path to the directory where java is installed>/java -jar wljarbuilder.jar`	This command generates a library, which is required by all WebLogic Server application clients.
Install Oracle Identity Management 11g Release 1 (11.1.1.3.0) suite containing Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)	Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0)
Configure Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) in a new or existing WebLogic administration domain	OIM with LDAP Sync, and OAM
Set Up Integration Between OIM and OAM Using the Domain Agent	Setting Up Integration Between OIM and OAM Using the Domain Agent
Verify the Configuration	Verifying the Configuration

21.4 Prerequisites

You must complete the following prerequisites for setting up integration between Oracle Identity Manager and Oracle Access Manager:

Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) are installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).

An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).

For more information, see Important Notes Before You Begin.
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
On the command line, use the cd command to move from your present working directory to the following directory:

On UNIX: <WL_HOME>/server/lib

On Windows: <WL_HOME>\server\lib

Note:
WL_HOME is the path to the wlserver_10.3 directory under the directory where you have installed Oracle WebLogic Server 10.3.3 before installing Oracle Identity Manager.
At the command prompt, run the following command:

<full path to the directory where java is installed>/java -jar wljarbuilder.jar

This command generates a library, which is required by all WebLogic Server application clients.
Install Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM) and Oracle Access Manager (OAM), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).

An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).

For more information, see Important Notes Before You Begin.
Configure Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) in a new or existing WebLogic administration domain, as described in OIM with LDAP Sync, and OAM. Note that Oracle Identity Manager and Oracle Access Manager must be in the same WebLogic domain. By default, this domain is located in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory. The path to this domain directory is referred to as DOMAIN_HOME in this chapter.

However, do not set up LDAP Sync for Oracle Identity Manager at this stage. In addition, do not run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server at this stage.

21.5 Introduction to WebLogic Server Domain Agent

The WebLogic Server Domain Agent, referred to as Domain Agent in this chapter, provides out-of-the-box access protection for applications deployed in a WebLogic administration domain. This agent is enabled, by default. The agent is suitable for Oracle Identity Management environments where access protection of external applications or partners is not necessary.

The out-of-the-box agent provides the following features for applications deployed in a WebLogic domain:

Authentication policy enforcement
Authorization policy enforcement
Front-channel authentication
Identity assertion
Back-channel anonymous authentication
Session validation
Logout

21.6 Setting Up Integration Between OIM and OAM Using the Domain Agent

After completing the prerequisites, you can set up integration between Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) as follows:

Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Ensure that the WL_HOME environment variable is set to the wlserver_10.3 directory under your Middleware Home. On UNIX, it is the <MW_HOME>/wlserver_10.3 directory. On Windows, it is the <MW_HOME>\wlserver_10.3 directory. In addition, set the JAVA_HOME environment variable to the directory where the JDK is installed on your machine.
Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under Oracle_IDM2, which is your IDM_Home for Oracle Identity Manager and Oracle Access Manager.
In the ldapconfig.props file, set values for the following parameters:
- OIMProviderURL - Specify the URL for the OIM provider in the format: t3://localhost:8003
- OIDURL - Specify the URL for the OID instance.
- OIDAdminUsername - Specify the OID Administrator's user name, such as cn=orcladmin.
- OIDSearchBase - Specify the OID search base, such as ou=people,dc=com.
- UserContainerName - Specify the name of the user container, which is used as a default container of roles in the LDAP directory. For example, cn=Users and cn=Groups.
- RoleContainerName - Specify the name of the user container, which is used as a default container of users in the LDAP directory.
- ReservationContainerName - Specify the name of the user reservation container, which is used to reserve users while waiting for user creation approvals in Oracle Identity Manager. When the user creation is approved, users are moved from the reservation container to the actual user container.
On the command line, run the LDAP configuration pre-setup script (LDAPConfigPreSetup.bat on Windows, and LDAPConfigPreSetup.sh on UNIX). The files are located in the same server/ldap_config_util directory under your IDM_Home for Oracle Identity Manager and Oracle Access Manager.
When prompted, enter the OID administrator's password and the OIM administrator's password.

Tip:
After executing the LDAPConfigPreSetup script, you can run the following ldapsearch commands on the command line to verify that the necessary schema is created in Oracle Internet Directory:
ldapsearch -p <OIDPORT> -D cn=orcladmin -w <ORCLADMIN_PASSWORD> -h <OIDHOST> -b "cn=subschemasubentry" -s base "objectclass=*" attributetypes | grep ob

ldapsearch -p <OIDPORT> -D cn=orcladmin -w <ORCLADMIN_PASSWORD> -h <OIDHOST> -b "cn=subschemasubentry" -s base "objectclass=*" objectclasses | grep OIM

The above ldapsearch commands should return rows if the LDAPConfigPreSetup script was successfully executed.
Configure Oracle Virtual Directory using Oracle Directory Services Manager to add adapters for users and changelog, as described in Task 2: Configuring OVD and OID for OIM.

Note:
Note that the oamEnabled parameter should be set to true if you are setting up integration between Oracle Identity Manager and Oracle Access Manager. You must do this when you configure the adapters.
Start the WebLogic Administration Server in the domain that manages Oracle Identity Manager and Oracle Access Manager. For information about starting the Administration Server, see Starting the Stack.

Update the Single Sign-On (SSO) provider configuration as follows:

On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the example IDM_Home directory for Oracle Identity Manager and Oracle Access Manager. For more information, see Important Notes Before You Begin.

Use the WebLogic Scripting Tool (WLST) interface to add Oracle Access Manager Single Sign-On service instance and required properties as follows:

On UNIX: Run ./wlst.sh on the command line.

On Windows: Run wlst.cmd.

At the WLST command prompt (wls:/offline>), type the following:

connect()

You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

Run the addOAMSSOProvider WLST Online command that adds an OAM SSO provider.

addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")

Table 21-2 WLST addOAMSSOProvider Command Arguments

Argument Description

Argument	Description
`loginuri`	Specifies the URI of the login page. Required.
`logouturi`	Specifies the URI of the logout page. Optional. If unspecified, defaults to logouturi=NONE. Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class OAMSSOServiceImpl to clear the cookie ObSSOCookie.
`autologinuri`	Specifies the URI of the autologin page. Optional. If unspecified, it defaults to autologin=NONE.

loginuri

Specifies the URI of the login page. Required.

logouturi

Specifies the URI of the logout page. Optional. If unspecified, defaults to logouturi=NONE.

Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class OAMSSOServiceImpl to clear the cookie ObSSOCookie.

autologinuri

Specifies the URI of the autologin page. Optional. If unspecified, it defaults to autologin=NONE.

Tip:

To verify the configuration the Single Sign-On (SSO) provider, complete the following steps:

From your present working directory, move to the following directory:

<DOMAIN_HOME>/config/fmwconfig
Open the jps-config.xml file in a text editor.

In this file, you should see the following sets of entries, in addition to the existing entries:

<propertySet name="props.auth.uri.0">
             <property value="/oamsso/logout.html" name="logout.url"/>
             <property value="/obrar.cgi" name="autologin.url"/>
             <property value="/$(app.context}/adfAuthentication" name="login.url.BASIC"/>
             <property value="/$(app.context}/adfAuthentication" name="login.url.ANONYMOUS"/>
             <property value="/$(app.context}/adfAuthentication" name="login.url.FORM"/>
</propertySet>

<serviceInstance provider="sso.provider.0" name="sso.inst.0">   1. <property value="oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl" name="sso.provider.class"/>

Restart all Managed Servers and the WebLogic Administration Server in the domain. For more information about stopping the servers, see Stopping the Stack. For information about starting the servers, see Starting the Stack.

Note:

If you have more than one host in the Oracle Identity Management domain, you must update the default value of the primaryAccessServer configuration parameter of the Domain Agent to the actual values.

Log in to My Oracle Support website (http://support.oracle.com), and search for the Single Sign-On Server Patch 9824531. Install this patch, as described in the readme file that is included in the patch.
Rewire Oracle Access Manager (OAM) to Oracle Internet Directory (OID) by running the createUserIdentityStore WLST command:

On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the example IDM_Home directory for Oracle Identity Manager and Oracle Access Manager. For more information, see Important Notes Before You Begin.

Use the WebLogic Scripting Tool (WLST) interface to add Oracle Access Manager Single Sign-On service instance and required properties as follows:

On UNIX: Run ./wlst.sh on the command line.

On Windows: Run wlst.cmd.

At the WLST command prompt (wls:/offline>), type the following:

connect()

You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

Run the createUserIdentityStore WLST Online command to configure Oracle Access Manager to use Oracle Internet Directory as its LDAP provider, as in the following example:

createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="testing1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=acme,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=acme,dc=com")

Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
If orcladmin is specified as roleSecAdmin, you may encounter permission problems when you run the RREG tool to register the Oracle HTTP Server 10g Webgate agent instead of the Domain Agent. Therefore, you must provide an appropriate group in Oracle Internet Directory user identity store in order to be able to run RREG to register the Oracle HTTP Server 10g Webgate agent.

You can also use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Tip:
To verify whether Oracle Access Manager is using Oracle Internet Directory as its LDAP provider, complete the following steps:
1. Open the oam-config.xml file in a text editor to verify whether the file contains an entry with the name specified in the createUserIdentityStore WLST command. The XML file is located in the <DOMAIN_HOME>/config/fmwconfig directory.
2. If this entry is present, verify whether value of the property IsPrimary for this entry is set to true.
Set up an OID authenticator as follows:
1. Log in to the Oracle WebLogic Administration Console.
2. In the Domain Structure section on the left navigation pane, click Security Realms. The Summary of Security Realms page is displayed.
3. In the Change Center section on the left navigation pane, click Lock & Edit.
4. On this page, click a default realm, such as myrealm. The Settings for myrealm page is displayed.
5. On this page, click the Providers tab.
6. Under Authentication Providers, click New. The Create a New Authentication Provider page is displayed.
7. On this page, enter a name for the provider in the Name text box. For example, test.
8. Select OracleInternetDirectoryAuthenticator from the Type drop-down list.
9. Click OK. The new provider test is listed on the Settings for myrealms page.
10. On this page, click the newly created authentication provider. The Settings for test page is displayed.
11. On this page, select SUFFICIENT as the Control Flag. Click Save to save the settings.
12. Exit the Oracle WebLogic Administration Console.
Configure Oracle Access Manager (OAM) for Oracle Identity Manager (OIM) integration as follows:

On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the example IDM_Home directory for Oracle Identity Manager and Oracle Access Manager. For more information, see Important Notes Before You Begin.

Use the WebLogic Scripting Tool (WLST) interface to add Oracle Access Manager Single Sign-On service instance and required properties as follows:

On UNIX: Run ./wlst.sh on the command line.

On Windows: Run wlst.cmd.

At the WLST command prompt (wls:/offline>), type the following:

connect()

You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

Run the configureOIM WLST Online command to configure Oracle Access Manager for OIM integration.

configureOIM(oimHost = "<OIM_Host>" , oimPort = "<OIM_Port>", oimSecureProtocolEnabled = "false", oimAccessGatePwd = "<Password>", oimCookieDomain = "<cookie_domain>")

"<OIM_Host>" and "<OIM_Port>" parameters in this WLST command refer to the Oracle Identity Manager Managed Server of Oracle Identity Manager when you are using the Oracle Identity Management domain agent and a single Oracle Identity Manager instance OIM. If you set secureProtocol to false, HTTP is used. If you set it to true, HTTPS is used.

Note:
When you run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server at a later stage, you are required to enter values for Password for Access Gate and Domain of Cookie fields on the LDAP Sync and OAM screen in the configuration wizard. You must specify the same oimAccessGatePwd password and oimCookieDomain values.
Similarly, if you wish to use Oracle HTTP Server 10g Webgate for Oracle Access Manager instead of Domain Agent, you must specify the Webgate access password and cookie domain values for oimAccessGatePwd and oimCookieDomain parameters of the configureOIM command. In addition, you must specify the same values for Password for Access Gate and Domain of Cookie fields on the LDAP Sync and OAM screen in the Oracle Identity Manager Configuration Wizard.

For more information, see the LDAP Sync and OAM in the appendix Oracle Identity Manager Configuration Screens that contains descriptions of each screen in the Oracle Identity Manager Configuration Wizard.
Tip:
To verify the configuration of Oracle Access Manager for OIM integration, complete the following steps:
1. Open the oam-config.xml file in a text editor to verify whether the file contains the agent profile entry IdentityManagerAccessGate. The XML file is located in the <DOMAIN_HOME>/config/fmwconfig directory.
2. In the same file, verify whether the OIM Port is listed in the IdentityManagement/ServerConfiguration section.
Run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server. To start the wizard, go to the bin directory under Oracle_IDM2 (your IDM_ORACLE_HOME for Oracle Identity Manager and Oracle Access Manager) and run the following command on the command line:
- On Windows:
  
  config.bat
- On UNIX:
  
  ./config.sh
Use the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager, as described in Configuring OIM Server. While configuring Oracle Identity Manager Server, ensure that you select the Enable Identity Administration Integration with OAM option on the LDAP Sync and OAM screen.

Note that you must enter the same values oimAccessGatePwd password and oimCookieDomain, specified in the configureOIM WLST command, as input to fields Password of Access Gate and Domain of Cookie on the LDAP Sync and OAM screen.

When you choose to enable Identity Administration Integration with OAM using the Oracle Identity Manager Configuration Wizard, the Enable LDAP Sync option for OIM is selected, by default.

Proceed to complete the configuration of Oracle Identity Manager Server. When prompted, enter the OIM administrator's password and the xelsysadm password.
Tip:
To verify the configuration of Oracle Identity Manager, complete the following steps:
1. Check authenticator configuration as follows:
  
  1) Restart the WebLogic Administration Server. Log in to the WebLogic Server Administration Console.
  
  2) Click Security Realms > myrealm > Providers.
  
  3) Verify whether OAM Identity Asserter and OID Authenticator are listed. In addition, click the Users and Groups tab. Verify if OID users are populated.
2. Download the oim-config.xml file and verify the Single Sign-On (SSO) configuration information as follows:
  
  1) Start the Oracle Identity Manager Managed Server.
  
  2) Log in to Oracle Enterprise Manager Fusion Middleware ControlOracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.
  
  3) Click Identity and access > oim > oim(version). Right-click and select System MBean Browser. The System MBean Browser page is displayed.
  
  4) Under Application Defined MBeans, select oracle.iam > Server:oim_server1 > Application: oim > XMLConfig > XMLConfig.SSOConfig > SSOConfig.
  
  OAM's access server information used in OIM is displayed. Validate and verify the information.
Shut down the WebLogic Administration Server, as described in Stopping the Stack.
Log in to My Oracle Support website (http://support.oracle.com), and search for the Single Sign-On Server Patch 9449855. Install this patch, as described in the readme file that is included in the patch.
Restart the Administration Server and the Managed Servers (OIM, SOA, and OAM). For information about stopping the servers and then starting the servers, see Stopping the Stack and Starting the Stack.
On the command line, run the LDAP configuration post-setup script (LDAPConfigPostSetup.bat on Windows, and LDAPConfigPostSetup.sh on UNIX). The files are located in the server/ldap_config_util directory under your IDM_Home (Oracle_IDM2) for Oracle Identity Manager and Oracle Access Manager.

The integration between Oracle Identity Manager and Oracle Access Manager using the out-of-the-box Domain Agent is now complete.

21.7 Verifying the Configuration

After completing the configuration, you can verify the integration between Oracle Identity Manager and Oracle Access Manager as follows:

Access the Oracle Access Manager Administration Console (http://<admin server host>:<admin server port>/oamconsole).

You should be redirected to Oracle Access Manager runtime environment. When you log in as a valid administrator, you must be able to access the console. The credential collector URL should be the URL of the Oracle Access Manager Managed Server. This page should contain links to Forgot Password, Self Register, and Track Registration.
Access the Oracle Identity Manager administration page (http://<Host>: <OIM_Port>/admin/faces/pages/Admin.jspx).

The Oracle Access Manager login page from the Oracle Access Manager Managed Server should be displayed. This page should contain links to Forgot Password, Self Register, and Track Registration.
Log in as xelsysadm.

You should be able to access the Oracle Identity Manager administration page.
Create a new user in the Oracle Identity Manager administration page.

Log off the Oracle Identity Manager administration page and try to log in again using the newly created user name. When you provide valid credentials, you are prompted to reset the password and to set answers to challenge questions during first login. After this successful operation, you are redirected to the requested resource.

21.8 Using Oracle HTTP Server 10g Webgate for Oracle Access Manager 11g

If you wish to use Oracle HTTP Server 10g Webgate for Oracle Access Manager to protect the applications, the ones previously protected by the Domain Agent, you must migrate from the Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager, as described in the chapter Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for OAM.