Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) Part Number E12002-06 |
|
|
View PDF |
This chapter explains how to configure Oracle Adaptive Access Manager (OAAM). It includes the following topics:
The following are the prerequisites for installing and configuring Oracle Identity Management 11g Release 1 (11.1.1) products:
Installing Oracle Database, as described in Installing Oracle Database.
Installing Oracle WebLogic Server 10.3.3 and creating a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Creating and loading schemas using Oracle Fusion Middleware Repository Creation Utility (RCU), as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Installing the Oracle Identity Management 11g Release 1 (11.1.1.3.0) suite, as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0). The Oracle Identity Management suite contains Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN).
Before you start installing and configuring Oracle Identity Management products in any of the scenarios discussed in this chapter, keep the following points in mind:
It is assumed that you are installing Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator on the same machine.
Note:
In this chapter, two IDM_Home directories are mentioned in descriptions and procedures. For example, the first one, Oracle_IDM1 can be the IDM_Home directory for Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation. The second one, Oracle_IDM2 can be the IDM_Home directory for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator.However, note that Oracle_IDM1 and Oracle_IDM2 are used as examples in this document. You can specify any name for either of your IDM_Home directories. In addition, you can install the two Oracle Identity Management suites (one containing Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation; another containing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator) in any order on your machine.
If you choose to use the default names, the first installation creates an Oracle_IDM1 directory, and the second installation creates an Oracle_IDM2 directory.
If you have not installed Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, or Oracle Identity Federation on the same machine where you are installing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator, then you will see a single IDM_Home directory, such as Oracle_IDM1, under your MW_HOME directory.
For more information, see Overview and Structure of Oracle Identity Management 11g Installation.
Oracle Adaptive Access Manager (OAAM) is included in the Oracle Identity Management 11g Release 1 (11.1.1) Suite. You can use the Oracle Identity Management 11g Installer to install the Oracle Identity Management Suite. For more information, see Preparing to Install Oracle Identity Management and Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
This topic describes how to configure Oracle Adaptive Access Manager (OAAM) in a new WebLogic administration domain. It includes the following sections:
Perform the configuration in this topic if you want to install Oracle Adaptive Access Manager in an environment where you may install other Oracle Identity Management 11g components, such as Oracle Identity Navigator, Oracle Access Manager, or Oracle Identity Manager at a later time in the same domain.
You can use the Oracle Identity Navigator interface and dashboard to discover and launch the Oracle Adaptive Access Manager console from within Oracle Identity Navigator.
Performing the configuration in this section deploys the following:
WebLogic Administration Server
Managed Servers for Oracle Adaptive Access Manager, depending on the Oracle Adaptive Access Manager Domain Configuration template you choose.
Oracle Adaptive Access Manager Console and Oracle Identity Navigator application on the Administration Server.
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity Management 11g software.
Database schema for Oracle Adaptive Access Manager. For more information about schemas specific to Oracle Adaptive Access Manager, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure only Oracle Adaptive Access Manager in a new WebLogic domain:
Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh
script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd
on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2], which is mandatory.
In addition, you can select Oracle Adaptive Access Manager - Server - 11.1.1.3.0, which is optional. Click Next. The Select Domain Name and Location screen appears.
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF 11.1.1.0 [oracle_common] option and the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option are also selected, by default.Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.
Configure a user name and a password for the administrator. The default user name is weblogic
. Click Next.
Choose JRockit SDK 160_17_R28.0.0-679
and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Server Schema or the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure the Administration Server and Managed Servers, Clusters, and Machines, and Deployments and Services, and RDBMS Security Store. Click Next.
Optional: Configure the following Administration Server parameters:
Name
Listen address
Listen port
SSL listen port
SSL enabled or disabled
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use theping
command to verify whether the machine or host name is accessible.Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Adaptive Access Manager is created in the <MW_HOME>\user_projects\domains
directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains
directory.
This topic describes how to configure Oracle Adaptive Access Manager (OAAM) in an existing Oracle Identity Management domain that contains Oracle Access Manager (OAM), Oracle Identity Manager (OIM), and Oracle Identity Navigator (OIN).
It includes the following sections:
Perform the configuration in this topic if you want to install Oracle Adaptive Access Manager in an environment where you may want to set up integration between Oracle Identity Manager and Oracle Adaptive Access Manager. You may use Oracle Access Manager for Single Sign-On and access management. Oracle Identity Navigator enables you to discover and launch Consoles for these products from within the Oracle Identity Navigator user interface.
Performing the configuration in this section deploys the following:
Managed Server for Oracle Adaptive Access Manager
Oracle Adaptive Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity Management 11g software.
Database schema for Oracle Adaptive Access Manager. For more information about schemas specific to Oracle Adaptive Access Manager, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
To configure Oracle Adaptive Access Manager in an existing Oracle Identity Management domain that contains Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator, complete the following steps:
Ensure that all prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Ensure that Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator are configured in a new WebLogic domain, as described in OIM, OAM, and OIN in a New WebLogic Domain.
Run the <Oracle_IDM2>/common/bin/config.sh
script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd
on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.
On the Select a WebLogic Domain Directory screen, browse to the domain directory that contains Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator. Click Next. The Select Domain Source screen appears.
On the Select Extension Source screen, ensure that the Extend my domain automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2], which is mandatory.
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
In addition, you can select Oracle Adaptive Access Manager - Server - 11.1.1.3.0 [Oracle_IDM2], which is optional. Click Next. The Configure JDBC Component Schema screen appears.
The screen lists the following component schemas:
SOA Infrastructure
OAAM Admin Schema
User Messaging Service
OAAM Admin MDS Schema
OIM MDS Schema
OWSM MDS Schema
SOA MDS Schema
OIM Schema
On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes, and Click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use theping
command to verify whether the machine or host name is accessible.Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server, such as oaam_server1
(default value).
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Navigator is extended to support Oracle Adaptive Access Manager.
After installing and configuring Oracle Adaptive Access Manager, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Starting the Stack.
Note:
If you are upgrading from Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11g, do not start Oracle Adaptive Access Manager Managed Servers until you have performed the Oracle Adaptive Access Manager Middle Tier Upgrade using the Upgrade Assistant tool. For more information, see the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.After installing and configuring Oracle Adaptive Access Manager, you must complete the following tasks:
Create Oracle WebLogic Server Users as follows:
Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.
Click on Security Realms, and then click on your security realm.
Click the Users and Groups tab, and then click the Users tab under it.
Create a user, such as user1
, in the security realm.
Assign the user user1
to any of the newly created groups with the OAAM prefix.
Set up and back up Oracle Adaptive Access Manager Encryption Keys, as described in the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. Ensure that you have a backup of the Oracle Adaptive Access Manager Encryption Keys; they are required if you want to re-create the Oracle Adaptive Access Manager domain.
Import Policies as follows:
Ensure that you have downloaded the policies.
Log in to the Oracle Adaptive Access Manager Administration (OAAM_ADMIN) using the following URL: http://<host>:<port>/oaam_admin
Click the Policy tab, and then click Import Policies. The default policies are located in the <Oracle_IDM2>/oaam/init
directory.
Note:
For more information about policies, see the "Managing Policies, Rules, and Conditions" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.Import Knowledge Based Authentication (KBA) questions as follows:
Log in to the Oracle Adaptive Access Manager Administration (OAAM_ADMIN) using the following URL: http://<host>:<port>/oaam_admin
Click the KBA Questions tab, and then click Import KBA. The default questions are located in the <Oracle_IDM2>/oaam/kba_questions
directory. You must load questions for the languages you want to support.
Load Location Data into the Oracle Adaptive Access Manager database as follows:
Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Make a copy of the sample.bharosa_location.properties
file, which is located under the oaam/WEB-INF/classes/
directory. Enter location data details in the location.data properties, as in the following examples:
location.data.provider=quova
location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz
location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz
location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz
Run the loader on the command line as follows:
On Windows: loadIPLocationData.bat
On UNIX: ./loadIPLocationData.sh
Note:
If you wish to generate CSF keys or passwords manually, see the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Adaptive Access Manager (OAAM) as follows:
Start the Administration Server to register the newly created managed servers with the domain. To start the Administration Server, run the following command:
On Windows: At the command prompt, run the startWebLogic
script to start the Administration Server, as in the following example:
\middleware\user_projects\domains\base_domain\bin\startWebLogic
On UNIX: At the $ prompt, run the startWebLogic.sh script, as in the following example:
sh /MW_HOME/user_projects/domains/base_domain/bin/startWebLogic.sh
Start the Managed Server, as described in Starting the Servers.
Wait for the Administration Server and the Managed Server to start up.
Log in to the Administration Server for Oracle Adaptive Access Manager using the URL: http://<host>:<port>/oaam_admin
Log in to the Oracle Adaptive Access Manager Server using the URL: https://<host>:<sslport>:oaam_server
You begin policy and credential store migration by creating the JPS root and then you reassociate the policy and credential store with Oracle Internet Directory.
Migrating policy and credential stores involves the following steps:
Create the jpsroot in Oracle Internet Directory using the command line ldapadd
command as shown in these steps:
Create an ldif
file similar to this:
dn: cn=jpsroot_idm cn: jpsroot_idm_idm objectclass: top objectclass: orclcontainer
Use ORACLE_HOME
/bin/ldapadd
to add these entries to Oracle Internet Directory. For example:
ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w
welcome1 -c -v -f jps_root.ldif
To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore
command. Follow these steps:
From IDMHOST1, start the wlst
shell from the ORACLE_HOME
/common/bin
directory. For example:
./wlst.sh
Connect to the WebLogic Administration Server using the wlst connect
command shown below.
connect('AdminUser',"AdminUserPassword",t3://hostname:port')
For example:
connect("weblogic_idm,"welcome1","t3://idmhost-vip.mycompany.com:7001")
Run the reassociateSecurityStore
command as shown below:
Syntax:
reassociateSecurityStore(domain="domainName",admin="cn=orcladmin", password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID", jpsroot="cn=jpsRootContainer")
For example:
wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain",
admin="cn=orcladmin",password="password",
ldapurl="ldap://oid.mycompany.com:389",servertype="OID",
jpsroot="cn=jpsroot_idm_idmhost1")
The output for the command is as follows:
{servertype=OID, jpsroot=cn=jpsroot_idm, admin=cn=orcladmin,
domain=IDMDomain, ldapurl=ldap://oid.mycompany.com:389, password=password}
Location changed to domainRuntime tree. This is a read-only tree with
DomainMBean as the root.
For more help, use help(domainRuntime)
Starting Policy Store reassociation.
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Policy Store reassociation done.
Starting credential Store reassociation
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Credential Store reassociation done
Jps Configuration has been changed. Please restart the server.
Restart the Administration Server after the command completes successfully. For information about restarting the Administration Server, see Starting the Servers.
After installing Oracle Adaptive Access Manager (OAAM), refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.