Oracle® Fusion Middleware Installation Guide for Oracle Identity Management
11g Release 1 (11.1.1)

Part Number E12002-06

18 Configuring Oracle Adaptive Access Manager

This chapter explains how to configure Oracle Adaptive Access Manager (OAAM). It includes the following topics:

18.1 Prerequisites

The following are the prerequisites for installing and configuring Oracle Identity Management 11g Release 1 (11.1.1) products:

  1. Installing Oracle Database, as described in Installing Oracle Database.

  2. Installing Oracle WebLogic Server 10.3.3 and creating a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.

  3. Creating and loading schemas using Oracle Fusion Middleware Repository Creation Utility (RCU), as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  4. Installing the Oracle Identity Management 11g Release 1 (11.1.1.3.0) suite, as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0). The Oracle Identity Management suite contains Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN).

18.2 Important Notes Before You Begin

Before you start installing and configuring Oracle Identity Management products in any of the scenarios discussed in this chapter, keep the following points in mind:

It is assumed that you are installing Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator on the same machine.

Note:

In this chapter, two IDM_Home directories are mentioned in descriptions and procedures. For example, the first one, Oracle_IDM1 can be the IDM_Home directory for Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation. The second one, Oracle_IDM2 can be the IDM_Home directory for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator.

However, note that Oracle_IDM1 and Oracle_IDM2 are used as examples in this document. You can specify any name for either of your IDM_Home directories. In addition, you can install the two Oracle Identity Management suites (one containing Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation; another containing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator) in any order on your machine.

If you choose to use the default names, the first installation creates an Oracle_IDM1 directory, and the second installation creates an Oracle_IDM2 directory.

If you have not installed Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, or Oracle Identity Federation on the same machine where you are installing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator, then you will see a single IDM_Home directory, such as Oracle_IDM1, under your MW_HOME directory.

For more information, see Overview and Structure of Oracle Identity Management 11g Installation.

18.3 Installing OAAM

Oracle Adaptive Access Manager (OAAM) is included in the Oracle Identity Management 11g Release 1 (11.1.1) Suite. You can use the Oracle Identity Management 11g Installer to install the Oracle Identity Management Suite. For more information, see Preparing to Install Oracle Identity Management and Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).

18.4 OAAM in a New WebLogic Domain

This topic describes how to configure Oracle Adaptive Access Manager (OAAM) in a new WebLogic administration domain. It includes the following sections:

18.4.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Adaptive Access Manager in an environment where you may install other Oracle Identity Management 11g components, such as Oracle Identity Navigator, Oracle Access Manager, or Oracle Identity Manager at a later time in the same domain.

You can use the Oracle Identity Navigator interface and dashboard to discover and launch the Oracle Adaptive Access Manager console from within Oracle Identity Navigator.

18.4.2 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Managed Servers for Oracle Adaptive Access Manager, depending on the Oracle Adaptive Access Manager Domain Configuration template you choose.

  • Oracle Adaptive Access Manager Console and Oracle Identity Navigator application on the Administration Server.

18.4.3 Dependencies

The configuration in this section depends on the following:

18.4.4 Procedure

Perform the following steps to configure only Oracle Adaptive Access Manager in a new WebLogic domain:

  1. Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX, or the <Oracle_IDM2>\common\bin\config.cmd script on Windows. The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2], which is mandatory.

    In addition, you can select Oracle Adaptive Access Manager - Server - 11.1.1.3.0, which is optional. Click Next. The Select Domain Name and Location screen appears.

    Note:

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF 11.1.1.0 [oracle_common] option and the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option are also selected, by default.

  5. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

  6. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

  7. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.

  8. On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Server Schema or the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  9. On the Select Optional Configuration screen, you can select the Administration Server; Managed Servers, Clusters, and Machines; Deployments and Services; and RDBMS Security Store options for further configuration. Click Next.

  10. Optional: Configure the following Administration Server parameters:

    • Name

    • Listen address

    • Listen port

    • SSL listen port

    • SSL enabled or disabled

  11. Optional: Configure Managed Servers, as required.

  12. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  13. Optional: Assign Managed Servers to Clusters, as required.

  14. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  15. Optional: Assign the Administration Server to a machine.

  16. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  17. Optional: Configure RDBMS Security Store, as required.

  18. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Adaptive Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

18.5 OAAM in a Domain Containing OAM, OIM, and OIN

This topic describes how to configure Oracle Adaptive Access Manager (OAAM) in an existing Oracle Identity Management domain that contains Oracle Access Manager (OAM), Oracle Identity Manager (OIM), and Oracle Identity Navigator (OIN).

It includes the following sections:

18.5.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Adaptive Access Manager in an environment where you may want to set up integration between Oracle Identity Manager and Oracle Adaptive Access Manager. You may use Oracle Access Manager for Single Sign-On and access management. Oracle Identity Navigator enables you to discover and launch Consoles for these products from within the Oracle Identity Navigator user interface.

18.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Server for Oracle Adaptive Access Manager

  • Oracle Adaptive Access Manager Console on the existing Administration Server

18.5.3 Dependencies

The configuration in this section depends on the following:

18.5.4 Procedure

To configure Oracle Adaptive Access Manager in an existing Oracle Identity Management domain that contains Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator, complete the following steps:

  1. Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Ensure that Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator are configured in a new WebLogic domain, as described in OIM, OAM, and OIN in a New WebLogic Domain.

  3. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX, or the <Oracle_IDM2>\common\bin\config.cmd script on Windows. The Oracle Fusion Middleware Configuration Wizard appears.

  4. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.

  5. On the Select a WebLogic Domain Directory screen, browse to the domain directory that contains Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen appears.

  6. On the Select Extension Source screen, ensure that the Extend my domain automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2], which is mandatory.

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.

    In addition, you can select Oracle Adaptive Access Manager - Server - 11.1.1.3.0 [Oracle_IDM2], which is optional. Click Next. The Configure JDBC Component Schema screen appears.

    The screen lists the following component schemas:

    • SOA Infrastructure

    • OAAM Admin Schema

    • User Messaging Service

    • OAAM Admin MDS Schema

    • OIM MDS Schema

    • OWSM MDS Schema

    • SOA MDS Schema

    • OIM Schema

  7. On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  8. On the Select Optional Configuration screen, you can select Managed Servers, Clusters, and Machines; Deployments and Services; and JMS File Store for further configuration. Select the relevant check boxes, and click Next.

  9. Optional: Configure Managed Servers, as required.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to Clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server, such as oaam_server1 (default value).

  15. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator is extended to support Oracle Adaptive Access Manager.

18.6 Starting the Servers

After installing and configuring Oracle Adaptive Access Manager, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Starting the Stack.

Note:

If you are upgrading from Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11g, do not start Oracle Adaptive Access Manager Managed Servers until you have performed the Oracle Adaptive Access Manager Middle Tier Upgrade using the Upgrade Assistant tool. For more information, see the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.

18.7 Post-Installation Steps

After installing and configuring Oracle Adaptive Access Manager, you must complete the following tasks:

  1. Create Oracle WebLogic Server Users as follows:

    1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

    2. Click on Security Realms, and then click on your security realm.

    3. Click the Users and Groups tab, and then click the Users tab under it.

    4. Create a user, such as user1, in the security realm.

    5. Assign the user user1 to any of the newly created groups with the OAAM prefix.

  2. Set up and back up Oracle Adaptive Access Manager Encryption Keys, as described in the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. Ensure that you have a backup of the Oracle Adaptive Access Manager Encryption Keys; they are required if you want to re-create the Oracle Adaptive Access Manager domain.

  3. Import Policies as follows:

    1. Ensure that you have downloaded the policies.

    2. Log in to the Oracle Adaptive Access Manager Administration (OAAM_ADMIN) using the following URL: http://<host>:<port>/oaam_admin

    3. Click the Policy tab, and then click Import Policies. The default policies are located in the <Oracle_IDM2>/oaam/init directory.

  4. Import Knowledge Based Authentication (KBA) questions as follows:

    1. Log in to the Oracle Adaptive Access Manager Administration (OAAM_ADMIN) using the following URL: http://<host>:<port>/oaam_admin

    2. Click the KBA Questions tab, and then click Import KBA. The default questions are located in the <Oracle_IDM2>/oaam/kba_questions directory. You must load questions for the languages you want to support.

  5. Load Location Data into the Oracle Adaptive Access Manager database as follows:

    1. Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

    2. Make a copy of the sample.bharosa_location.properties file, which is located under the oaam/WEB-INF/classes/ directory. Enter location data details in the location.data properties, as in the following examples:

      location.data.provider=quova

      location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz

      location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz

      location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz

    3. Run the loader on the command line as follows:

      On Windows: loadIPLocationData.bat

      On UNIX: ./loadIPLocationData.sh
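    The three location.data.*.file entries must point at files that are readable on the host that runs the loader, and a typo in any of them only surfaces once loadIPLocationData.sh fails part-way. The following shell script is an added example, not part of the Oracle guide or of the OAAM loader: it reads a copy of bharosa_location.properties and checks those three paths before the loader is started. The file names and the temporary directory it uses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Oracle guide or the OAAM loader: sanity-check
# a bharosa_location.properties copy before running loadIPLocationData.sh.
# Sample paths below are constructed for the demonstration.

# Print the value of one key from a Java-style properties file (first match).
# Values are split at the first '=', which is enough for file paths.
prop_get() {
    # $1 = properties file, $2 = key
    awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { sub(/^[ \t]+/, "", $2); print $2; exit }' "$1"
}

# Check that every location.data.*.file key is present and names a readable
# file. Returns 0 when all three are usable, otherwise the number of problems.
check_location_props() {
    props="$1"
    problems=0
    for key in location.data.file location.data.ref.file location.data.anonymizer.file; do
        f=$(prop_get "$props" "$key")
        if [ -z "$f" ]; then
            echo "missing key: $key" >&2
            problems=$((problems + 1))
        elif [ ! -r "$f" ]; then
            echo "not readable: $key=$f" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demonstration with constructed data in a temporary directory.
demo_dir=$(mktemp -d)
for name in EDITION_Gold_2008-07-22_v374.dat.gz EDITION_Gold_2008-07-22_v374.ref.gz anonymizers_2008-07-09.dat.gz; do
    : > "$demo_dir/$name"
done
cat > "$demo_dir/bharosa_location.properties" <<EOF
location.data.provider=quova
location.data.file=$demo_dir/EDITION_Gold_2008-07-22_v374.dat.gz
location.data.ref.file=$demo_dir/EDITION_Gold_2008-07-22_v374.ref.gz
location.data.anonymizer.file=$demo_dir/anonymizers_2008-07-09.dat.gz
EOF
if check_location_props "$demo_dir/bharosa_location.properties"; then
    echo "location data files look good; run ./loadIPLocationData.sh next"
fi
rm -rf "$demo_dir"
```

    Run it against your own copy of the properties file by replacing the demonstration block with a call to check_location_props on that path; a non-zero exit status means at least one of the three data files is missing or not readable by the account that will run the loader.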

18.8 Verifying the OAAM Installation

After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Adaptive Access Manager (OAAM) as follows:

  1. Start the Administration Server to register the newly created managed servers with the domain. To start the Administration Server, run the following command:

    • On Windows: At the command prompt, run the startWebLogic script to start the Administration Server, as in the following example:

      \middleware\user_projects\domains\base_domain\bin\startWebLogic

    • On UNIX: At the $ prompt, run the startWebLogic.sh script, as in the following example:

      sh /MW_HOME/user_projects/domains/base_domain/bin/startWebLogic.sh

  2. Start the Managed Server, as described in Starting the Servers.

    Wait for the Administration Server and the Managed Server to start up.

  3. Log in to the Administration Server for Oracle Adaptive Access Manager using the URL: http://<host>:<port>/oaam_admin

  4. Log in to the Oracle Adaptive Access Manager Server using the URL: https://<host>:<sslport>/oaam_server

18.9 Migrating Policy and Credential Stores

Policy and credential store migration begins with creating the JPS root in Oracle Internet Directory; you then reassociate the policy and credential store with Oracle Internet Directory.

Migrating policy and credential stores involves the following steps:

  1. Creating JPS Root

  2. Reassociating the Policy and Credential Store

18.9.1 Creating JPS Root

Create the jpsroot in Oracle Internet Directory using the ldapadd command-line tool, as shown in these steps:

  1. Create an ldif file similar to this:

    dn: cn=jpsroot_idm
    cn: jpsroot_idm
    objectclass: top
    objectclass: orclcontainer
    
  2. Use ORACLE_HOME/bin/ldapadd to add these entries to Oracle Internet Directory. For example:

    ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f jps_root.ldif
    

18.9.2 Reassociating the Policy and Credential Store

To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:

  1. From IDMHOST1, start the wlst shell from the ORACLE_HOME/common/bin directory. For example:

    ./wlst.sh
    
  2. Connect to the WebLogic Administration Server using the wlst connect command shown below.

    connect('AdminUser','AdminUserPassword','t3://hostname:port')
    

    For example:

    connect("weblogic_idm","welcome1","t3://idmhost-vip.mycompany.com:7001")
    
  3. Run the reassociateSecurityStore command as shown below:

    Syntax:

    reassociateSecurityStore(domain="domainName",admin="cn=orcladmin",
    password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID",
    jpsroot="cn=jpsRootContainer")
    

    For example:

    wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain",
    admin="cn=orcladmin",password="password",
    ldapurl="ldap://oid.mycompany.com:389",servertype="OID",
    jpsroot="cn=jpsroot_idm")
    

    The output for the command is as follows:

    {servertype=OID, jpsroot=cn=jpsroot_idm, admin=cn=orcladmin,
    domain=IDMDomain, ldapurl=ldap://oid.mycompany.com:389, password=password}
    Location changed to domainRuntime tree. This is a read-only tree with
    DomainMBean as the root.
    For more help, use help(domainRuntime)
    
    Starting Policy Store reassociation.
    LDAP server and  ServiceConfigurator setup done.
    
    Schema is seeded into LDAP server
    Data is migrated to LDAP server
    Service in LDAP server after migration has been tested to be available
    Update of jps configuration is done
    Policy Store reassociation done.
    Starting credential Store reassociation
    LDAP server and  ServiceConfigurator setup done.
    Schema is seeded into LDAP server
    Data is migrated to LDAP server
    Service in LDAP server after migration has been tested to be available
    Update of jps configuration is done
    Credential Store reassociation done
    Jps Configuration has been changed. Please restart the server.
    
  4. Restart the Administration Server after the command completes successfully. For information about restarting the Administration Server, see Starting the Servers.
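The jpsroot passed to reassociateSecurityStore must be exactly the container that the LDIF in Creating JPS Root created, and the LDIF itself is only accepted when the RDN in its dn line and its cn attribute agree. The shell script below is an added example, not part of the Oracle guide, that generates that LDIF for a given container name and checks both conditions before you run ldapadd and then the WLST command; the container name and temporary directory it uses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: generate the jpsroot LDIF used in
# Creating JPS Root and confirm it names the same container you will pass as
# jpsroot= to reassociateSecurityStore. Container name and paths below are
# constructed sample values.

# Emit the LDIF for a jpsroot container. The RDN inside 'dn' and the 'cn'
# attribute must carry the same value; the directory rejects the add otherwise.
jpsroot_ldif() {
    printf 'dn: cn=%s\ncn: %s\nobjectclass: top\nobjectclass: orclcontainer\n' "$1" "$1"
}

# cn value taken from the dn line of an LDIF file.
ldif_rdn_cn() {
    sed -n 's/^dn:[[:space:]]*cn=\([^,]*\).*/\1/p' "$1" | head -n 1
}

# First 'cn:' attribute value in an LDIF file.
ldif_cn_attr() {
    sed -n 's/^cn:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when the LDIF is self-consistent and its container equals the
# jpsroot DN planned for reassociateSecurityStore (for example "cn=jpsroot_idm").
check_jpsroot() {
    ldif="$1"
    want="$2"
    rdn=$(ldif_rdn_cn "$ldif")
    attr=$(ldif_cn_attr "$ldif")
    [ -n "$rdn" ] && [ "$rdn" = "$attr" ] && [ "cn=$rdn" = "$want" ]
}

# Demonstration: write the LDIF for a constructed container name and verify it
# against the jpsroot value that would go into the WLST call.
demo_dir=$(mktemp -d)
container=jpsroot_idm
jpsroot_ldif "$container" > "$demo_dir/jps_root.ldif"
if check_jpsroot "$demo_dir/jps_root.ldif" "cn=$container"; then
    echo "jps_root.ldif is consistent; use jpsroot=\"cn=$container\" in reassociateSecurityStore"
else
    echo "jps_root.ldif does not match jpsroot=\"cn=$container\"" >&2
fi
rm -rf "$demo_dir"
```

Once the check passes, add the generated file with the ldapadd command from Creating JPS Root. Note that a password given with -w appears in shell history and in process listings while the command runs; in WLST the same applies to a password typed into connect(), so prefer entering it at the prompt where the tool allows.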

18.10 Getting Started with OAAM After Installation

After installing Oracle Adaptive Access Manager (OAAM), refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.