Skip Headers
Oracle® Fusion Middleware Installation Guide for Oracle Identity Management
11g Release 1 (11.1.1)

Part Number E12002-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

14 Oracle Identity Management Suite-Level Installation Scenarios

This chapter describes how to implement some of the most common and important Oracle Identity Management suite-level installation scenarios.

It discusses the following scenarios:

14.1 General Prerequisites

You must complete the following prerequisites before configuring Oracle Identity Management 11g Release 1 (11.1.1) products in any scenario:

  1. Installing Oracle Database, as described in Installing Oracle Database.

  2. Installing Oracle WebLogic Server 10.3.3 and creating a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.

  3. For Oracle Identity Manager users only: Installing Oracle SOA Suite 11g Release 1 (11.1.1.2.0) and patching it to 11.1.1.3.0, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).

  4. Creating and loading schemas using Oracle Fusion Middleware Repository Creation Utility (RCU), as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  5. Installing the Oracle Identity Management 11g Release 1 (11.1.1.3.0) suite, as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0). The Oracle Identity Management suite contains Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN).

14.2 Important Notes Before You Begin

Before you start installing and configuring Oracle Identity Management products in any of the scenarios discussed in this chapter, keep the following points in mind:

14.3 Simultaneous configuration of OIN, OAPM, OAAM, OAM, and OIM

This section discusses how to configure Oracle Identity Navigator (OIN), Oracle Authorization Policy Manager (OAPM), Oracle Access Manager (OAM), and Oracle Identity Manager (OIM).

It includes the following sections:

14.3.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator

  3. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  4. Set up LDAP sync for Oracle Identity Manager

  5. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.3.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager:

14.3.3 Scenario 1: OIM with LDAP Sync, OAM with LDAP, OAAM, OAPM, and OIN in a New WebLogic Domain

This section discusses the following topics:

14.3.3.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to configure Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN) simultaneously in a new WebLogic administration domain. Then you can configure Oracle Access Manager to use Oracle Internet Directory (OID) as its LDAP Provider. You can also set up LDAP Sync for Oracle Identity Manager.

14.3.3.2 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • A Managed Server each for Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Identity Navigator and Oracle Authorization Policy Manager applications on the Administration Server

  • Administration Consoles for the Oracle Access Manager and Oracle Adaptive Access Manager on the Administration Server

14.3.3.3 Dependencies

The installation and configuration in this section depends on the following:

14.3.3.4 Procedure

To configure Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Navigator, and Oracle Authorization Policy Manager in a new WebLogic domain, complete the following steps:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (On UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

  5. Create a WebLogic administration domain, which supports the following products:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]

    • Optional: Oracle Adaptive Access Manager Server - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select any the Oracle Identity Management products, the Oracle JRF 11.1.1.0 [oracle_common] option is also selected automatically.

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1] option, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option, and the Oracle Enterprise Manager - 11.1.1.0 [oracle_common] option are also selected.

    Click Next. The Specify Domain Name and Location screen appears

  6. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.

    The Configure JDBC Component Schema screen displays a list of the following component schemas:

    • SOA Infrastructure

    • User Messaging Service

    • OAAM Server Schema

    • OIM MDS Schema

    • OWSM MDS Schema

    • OAAM Admin Server

    • OAAM Admin MDS Schema

    • APM MDS Schema

    • APM Schema

    • OIM Schema

    • SOA MDS Schema

    • OAM Infrastructure

  9. On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, you can view the summary of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.

    A WebLogic domain to support Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  12. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  13. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=acme,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  14. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  15. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  16. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  17. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  18. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

14.3.4 Scenario 2: OIM with LDAP Sync, OAM with LDAP, OAAM, OAPM, and OIN in an Existing Domain Containing OID and OVD

This section discusses the following topics:

14.3.4.1 Appropriate Deployment Environment

The configuration described in this topic is appropriate for environments that have the following conditions:

  • You want to add Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator to an existing Oracle Identity Management domain that contains Oracle Internet Directory and Oracle Virtual Directory.

  • You want to configure all Oracle Identity Management products, including 11.1.1.3.0, in the same WebLogic administration domain.

  • You want a single WebLogic Administration Server to manage all of the Oracle Identity Management 11g products.

14.3.4.2 Components Deployed

Performing the configuration in this section deploys the following components:

  • A Managed Server each for Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager

  • Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager applications on Managed Servers

  • Administration Consoles for Oracle Access Manager and Oracle Adaptive Access Manager on the existing Administration Server

  • Oracle Identity Navigator application and Oracle Authorization Policy Manager on the existing Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.3.4.3 Dependencies

The configuration in this section depends on the following:

14.3.4.4 Procedure

To extend an existing Oracle Identity Management 11.1.1.3.0 domain (the domain with Oracle Internet Directory and Oracle Virtual Directory) to support Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator, complete the following steps:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM1>/bin/config.sh on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the directory that contains the domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next.

  13. On the Select Domain Source screen, ensure that the Extend my domain to automatically to support the following added products: is selected.

  14. Select the following options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1] option, and the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option are also selected.
  15. Click Next. The Configure JDBC Component Schema appears.

    The screen displays a list of the following component schemas:

    • SOA Infrastructure

    • User Messaging Service

    • OAAM Admin Schema

    • OAAM Admin MDS Schema

    • APM Schema

    • APM MDS Schema

    • OIM MDS Schema

    • OWSM MDS Schema

    • SOA MDS Schema

    • OAM Infrastructure

    • OIM Schema

  16. On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  17. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  18. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Internet Directory and Oracle Virtual Directory is configured to support Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator.

  19. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  20. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=acme,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=acme,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  21. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  22. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  23. Restart the Administration Server, as described in Restarting Servers.

  24. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  25. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  26. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

14.4 OIM with LDAP Sync, and OAM

This section discusses how to configure Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) in different scenarios:

It includes the following sections:

14.4.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Identity Manager and Oracle Access Manager

  3. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  4. Set up LDAP sync for Oracle Identity Manager

  5. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.4.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager:

14.4.3 Scenario 1: OIM with LDAP Sync, and OAM in a New WebLogic Domain

This section discusses the following topics:

14.4.3.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you may set up integration between Oracle Identity Manager and Oracle Access Manager (OAM) at a later time. You can set up this integration, as described in Integration Between OIM and OAM.

14.4.3.2 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console on the Administration Server

14.4.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation of the Oracle Identity Management 11g software.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.4.3.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in a new WebLogic domain:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, RDBMS Security Store, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure RDBMS Security Store, as required.

    • Optional: Configure JMS File Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    A new WebLogic domain to support Oracle Identity Manager and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  12. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  13. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can use one of the following options:
      • You can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

      • The admin can create it using Oracle Directory Services Manager (ODSM)

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  14. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  15. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  16. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  17. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  18. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.4.4 Scenario 2: OIM with LDAP Sync, and OAM, in an Existing Domain Containing OID and OVD

This section discusses the following topics:

14.4.4.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you have installed and configured Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD). At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager (OAM), as described in Integration Between OIM and OAM.

14.4.4.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console on the existing Administration Server

14.4.4.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.4.4.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in an existing Oracle Identity Management 11.1.1.3.0 domain that contains Oracle Internet Directory and Oracle Virtual Directory:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM1>/bin/config.sh on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  13. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  14. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  15. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  16. On the Select Optional Configuration screen, you can configure JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Select a JMS Distributed Destination Type, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  17. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management 11.1.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager and Oracle Access Manager.

  18. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  19. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can use one of the following options:
      • You can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

      • The admin can create it using Oracle Directory Services Manager (ODSM)

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  20. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  21. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  22. Restart the Administration Server, as described in Restarting Servers.

  23. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  24. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  25. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.4.5 Scenario 3: OIM with LDAP Sync, and OAM, in a Domain Containing OAAM, OAPM, and OIN

This section discusses the following topics:

14.4.5.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where other Oracle Identity Management products, such as Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN) are installed and configured.

At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.

You can use Oracle Identity Navigator to discover and launch Consoles for the Oracle Identity Management products from within the Oracle Identity Navigator user interface.

14.4.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console on the existing Administration Server

14.4.5.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.4.5.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in an existing Oracle Identity Management domain that contains Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    • Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] and Oracle JRF - 11.1.1.0 [oracle_common].
    • Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Schema, the APM Schema, the APM MDS Schema, or the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.

    A new WebLogic domain to support Oracle Authorization Policy Manager and Oracle Adaptive Access Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  13. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  14. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Authorization Policy Manager and Oracle Adaptive Access Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  15. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  16. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  17. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  18. On the Select Optional Configuration screen, you can configure JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Select a JMS Distributed Destination Type, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  19. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Authorization Policy Manager and Oracle Adaptive Access Manager, and Oracle Identity Navigator is extended to support Oracle Identity Manager and Oracle Access Manager.

  20. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  21. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  22. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  23. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  24. Restart the Administration Server, as described in Restarting Servers.

  25. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  26. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  27. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.5 OIM with LDAP Sync, OAM, and OAAM

This topic describes how to configure Oracle Identity Manager (OIM) with LDAP Synchronization, Oracle Access Manager (OAM), and Oracle Adaptive Access Manager (OAAM) in a new or existing WebLogic domain.

It includes the following sections:

14.5.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager

  3. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  4. Set up LDAP sync for Oracle Identity Manager

  5. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.5.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization, Oracle Access Manager, and Oracle Adaptive Access Manager:

14.5.3 Scenario 1: Configuration in a New WebLogic Domain

This section discusses the following topics:

14.5.3.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you may set up integration between Oracle Identity Manager and Oracle Access Manager (OAM) at a later time, as described in Integration Between OIM and OAM.

You may add other Oracle Identity Management products, such as Oracle Authorization Policy Manager and Oracle Identity Navigator at a later time in the same domain.

14.5.3.2 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the Administration Server

14.5.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.5.3.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in a new WebLogic domain:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<IDM_Home>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle JRF - 11.1.1.0 [oracle_common] and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

      When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2} option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Schema, the OAAM Admin MDS Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, RDBMS Security Store, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Select JMS Distributed Destination Type, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure RDBMS Security Store, as required.

    • Optional: Configure JMS File Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    A new WebLogic domain to support Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  13. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  14. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  15. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  16. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  17. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  18. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.5.4 Scenario 2: Configuration in a Domain Containing OID and OVD

This section discusses the following topics:

14.5.4.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you have installed and configured Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD). At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.

14.5.4.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server

14.5.4.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.5.4.4 Procedure

Perform the following steps to configure Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager with LDAP Synchronization in an existing Oracle Identity Management 11.1.1.3.0 domain that contains Oracle Internet Directory and Oracle Virtual Directory:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM1>/bin/config.sh on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  13. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

      When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2} option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.

  14. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  15. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  16. On the Select Optional Configuration screen, you can configure JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Select a JMS Distributed Destination Type, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  17. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management 11.1.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager.

  18. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  19. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  20. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  21. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  22. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  23. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  24. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.5.5 Scenario 3: Configuration in a Domain Containing OAPM and OIN

This section discusses the following topics:

14.5.5.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) with LDAP Synchronization, in an environment where other Oracle Identity Management products, such as Oracle Authorization Policy Manager (OAPM) and Oracle Identity Navigator (OIN) are installed and configured.

At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.

You can use Oracle Identity Navigator to discover and launch Consoles for the Oracle Identity Management products from within the Oracle Identity Navigator user interface.

14.5.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server

14.5.5.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.5.5.4 Procedure

Perform the following steps to configure Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager with LDAP Synchronization, in an existing Oracle Identity Management domain that contains Oracle Authorization Policy Manager and Oracle Identity Navigator:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    • Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following option is also selected, by default: Oracle JRF - 11.1.1.0 [oracle_common].
    • Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.

    A new WebLogic domain to support Oracle Authorization Policy Manager and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  13. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  14. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Authorization Policy Manager and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  15. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
    • Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    • Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

      When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2} option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.

  16. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  17. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  18. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  19. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  20. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Authorization Policy Manager and Oracle Identity Navigator is extended to support Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager.

  21. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  22. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  23. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  24. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  25. Restart the Administration Server, as described in Restarting Servers.

  26. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  27. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  28. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.6 OIM with LDAP Sync in an Existing OAM Installation with LDAP Configured

This section describes how to configure Oracle Identity Manager (OIM) with LDAP Sync to an existing Oracle Access Manager installation, which has Oracle Internet Directory (OID) configured as the LDAP provider.

It contains the following sections:

14.6.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Access Manager

  3. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  4. Configure Oracle Identity Manager

  5. Set up LDAP sync for Oracle Identity Manager

  6. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.6.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager installation, which has LDAP configured:

14.6.3 Scenario 1: Configuration in a New WebLogic Domain

This section discusses the following topics:

14.6.3.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Access Manager is configured in a new WebLogic domain, which is extended to support Oracle Identity Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.

14.6.3.2 Components Deployed

Performing this configuration deploys the following:

  • A WebLogic Administration Server

  • Managed Servers for Oracle Access Manager and Oracle Identity Manager

  • Oracle Access Manager Console on the Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.6.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.6.3.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, to an existing Oracle Access Manager installation, which has LDAP configured:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2], and click Next. The Select Domain Name and Location screen appears.

    Note:

    When you select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF 11.1.1.0 [Oracle_Common] option is also selected, by default.
  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Select JMS Distributed Destination Type, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    A new WebLogic domain to support Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  13. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  14. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  15. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  16. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager. Click Next. The Select Extension Source screen is displayed.

  17. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
  18. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  19. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  20. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  21. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  22. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Access Manager is extended to support Oracle Identity Manager.

  23. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  24. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  25. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  26. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  27. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.6.4 Scenario 2: Configuration in a Domain Containing OID and OVD

This section discusses the following topics:

14.6.4.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Access Manager is configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Identity Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.

14.6.4.2 Components Deployed

Performing this configuration deploys the following:

  • Managed Servers for Oracle Access Manager and Oracle Identity Manager

  • Oracle Access Manager Console on the existing Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.6.4.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.6.4.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, to an existing Oracle Access Manager installation, which has LDAP configured:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM1>/bin/config.sh on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  13. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  14. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  15. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  16. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  17. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management 11.1.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Access Manager.

  18. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  19. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  20. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  21. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  22. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  23. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
  24. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  25. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  26. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  27. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  28. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Access Manager is extended to support Oracle Identity Manager.

  29. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  30. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  31. Restart the Administration Server, as described in Restarting Servers.

  32. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  33. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  34. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.6.5 Scenario 3: Configuration in a Domain Containing OAAM, OAPM, and OIN

This section discusses the following topics:

14.6.5.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Access Manager (OAM) in an existing Oracle Identity Management domain that contains Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN). You can configure Oracle Access Manager to use Oracle Internet Directory (OID) as the LDAP provider. Then you can add Oracle Identity Manager (OIM) to the same domain and set up LDAP Sync.

At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.

You can use Oracle Identity Navigator to discover and launch Consoles for the Oracle Identity Management products from within the Oracle Identity Navigator user interface.

14.6.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console on the existing Administration Server

14.6.5.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.6.5.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Sync to an existing Oracle Access Manager installation, which has LDAP configured:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    • Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle JRF - 11.1.1.0 [oracle_common], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2].
    • Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.

    A new WebLogic domain to support Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  13. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  14. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  15. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  16. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  17. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  18. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  19. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, and Deployments and Services. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  20. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is extended to support Oracle Access Manager.

  21. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  22. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  23. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  24. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  25. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  26. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1]
  27. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  28. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  29. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the OAAM Admin Schema, the User Messaging Service Schema, the OIM Schema, the OWSM MDS Schema, the OIM MDS Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  30. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  31. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is extended to support Oracle Identity Manager.

  32. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  33. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  34. Restart the Administration Server, as described in Restarting Servers.

  35. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  36. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  37. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.7 OIM with LDAP Sync in an Existing OAM and OAAM Installation with LDAP Configured

This section describes how to configure Oracle Identity Manager (OIM) with LDAP Sync to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has Oracle Internet Directory (OID) configured as the LDAP provider.

It contains the following sections:

14.7.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Access Manager and Oracle Adaptive Access Manager

  3. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  4. Configure Oracle Identity Manager

  5. Set up LDAP sync for Oracle Identity Manager

  6. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.7.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:

14.7.3 Scenario 1: Configuration in a New WebLogic Domain

This section discusses the following topics:

14.7.3.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Access Manager and Oracle Adaptive Access Manager are configured in a new WebLogic domain, which is extended to support Oracle Identity Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.

14.7.3.2 Components Deployed

Performing this configuration deploys the following:

  • A WebLogic Administration Server

  • Managed Servers for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.7.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.7.3.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] and Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] options.

    Note:

    When you select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF 11.1.1.0 [Oracle_Common] option is also selected, by default.

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM1] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common] and Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, or the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Target deployments and services to servers or clusters.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    A new WebLogic domain to support Oracle Adaptive Access Manager and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  13. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  14. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  15. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  16. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Adaptive Access Manager and Oracle Access Manager. Click Next. The Select Extension Source screen is displayed.

  17. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
  18. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  19. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  20. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  21. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  22. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Adaptive Access Manager and Oracle Access Manager is extended to support Oracle Identity Manager.

  23. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  24. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  25. Restart the Administration Server, as described in Restarting Servers.

  26. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  27. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  28. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.7.4 Scenario 2: Configuration in a Domain Containing OID and OVD

This section discusses the following topics:

14.7.4.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Access Manager and Oracle Adaptive Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Identity Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.

14.7.4.2 Components Deployed

Performing this configuration deploys the following:

  • Managed Servers for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.7.4.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.7.4.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM1>/bin/config.sh on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  13. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
  14. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  15. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, or the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  16. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  17. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management 11.1.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Access Manager and Oracle Adaptive Access Manager.

  18. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  19. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  20. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  21. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  22. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  23. On the Select Extension Source screen, select the following domain configuration options:

    • Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1] and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
  24. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  25. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  26. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  27. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  28. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Internet Directory, and Oracle Virtual Directory is extended to support Oracle Identity Manager.

  29. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  30. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  31. Restart the Administration Server, as described in Restarting Servers.

  32. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  33. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  34. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.7.5 Scenario 3: Configuration in a Domain Containing OAPM, and OIN

This section discusses the following topics:

14.7.5.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Access Manager and Oracle Adaptive Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Authorization Policy Manager and Oracle Identity Navigator. This domain is extended to support Oracle Identity Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.

14.7.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server

14.7.5.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.7.5.4 Procedure

Perform the following steps to configure Oracle Identity Manager with LDAP Sync to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    • Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

      Note:

      When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected, by default.
    • Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.

    A new WebLogic domain to support Oracle Authorization Policy Manager and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  13. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  14. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  15. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Enterprise Manager - 11.1.1.0 [oracle_common] option and the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option are also selected, by default.
  16. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  17. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  18. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  19. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, and Deployments and Services. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  20. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Authorization Policy Manager and Oracle Identity Navigator is extended to support Oracle Access Manager and Oracle Adaptive Access Manager.

  21. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  22. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  23. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  24. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  25. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  26. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1]
  27. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  28. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  29. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the OAAM Admin Schema, the User Messaging Service Schema, the OIM Schema, the OWSM MDS Schema, the OIM MDS Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  30. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  31. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is extended to support Oracle Identity Manager.

  32. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  33. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  34. Restart the Administration Server, as described in Restarting Servers.

  35. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  36. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  37. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.8 OAM in an Existing OIM with LDAP Sync

This section describes how to add Oracle Access Manager to an existing Oracle Identity Manager (OIM) installation, which has LDAP Sync configured. It also describes how to configure Oracle Access Manager to use Oracle Internet Directory (OID) as its LDAP provider.

It contains the following sections:

14.8.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Identity Manager

  3. Set up LDAP Sync for Oracle Identity Manager

  4. Configure Oracle Access Manager

  5. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  6. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.8.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:

14.8.3 Scenario 1: Configuration in a New WebLogic Domain

This section discusses the following topics:

14.8.3.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager is configured in a new WebLogic domain, which is extended to support Oracle Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.8.3.2 Components Deployed

Performing this configuration deploys the following:

  • A WebLogic Administration Server

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Access Manager Console on the Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.8.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.8.3.4 Procedure

Perform the following steps to configure Oracle Access Manager to an existing Oracle Identity Manager installation with LDAP Sync:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2].

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default:

    Oracle JRF 11.1.1.0 [Oracle_Common], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1].

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Target deployments and services to servers or clusters.

    • Optional: Configure JMS File Store, as required.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    A new WebLogic domain to support Oracle Identity Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  13. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  14. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  15. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  16. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager. Click Next. The Select Extension Source screen is displayed.

  17. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  18. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  19. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  20. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  21. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  22. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager is extended to support Oracle Access Manager.

  23. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  24. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  25. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  26. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  27. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.8.4 Scenario 2: Configuration in a Domain Containing OID and OVD

This section discusses the following topics:

14.8.4.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager is configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.8.4.2 Components Deployed

Performing this configuration deploys the following:

  • Managed Servers for Oracle Access Manager and Oracle Identity Manager

  • Oracle Access Manager Console on the existing Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.8.4.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.8.4.4 Procedure

Perform the following steps to configure Oracle Access Manager to an existing Oracle Identity Manager installation, which has LDAP Sync set up:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM1>/bin/config.sh on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  13. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option and the Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1] option are also selected, by default.
  14. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  15. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  16. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  17. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management 11.1.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager.

  18. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  19. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  20. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  21. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  22. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Internet Directory, and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  23. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  24. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  25. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  26. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  27. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  28. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Internet Directory, and Oracle Virtual Directory is extended to support Oracle Access Manager.

  29. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  30. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  31. Restart the Administration Server, as described in Restarting Servers.

  32. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  33. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  34. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.8.5 Scenario 3: Configuration in a Domain Containing OAPM, and OIN

This section discusses the following topics:

14.8.5.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager is configured in the existing Oracle Identity Management domain containing Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator. This domain is extended to support Oracle Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.8.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console on the existing Administration Server

14.8.5.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.8.5.4 Procedure

Perform the following steps to configure Oracle Access Manager in an existing Oracle Identity Manager with LDAP Sync installation:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected, by default.

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.

    A new WebLogic domain to support Oracle Authorization Policy Manager, Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  13. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  14. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  15. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  16. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  17. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

  18. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  19. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  20. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the OAM Infrastructure Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  21. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  22. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator is extended to support Oracle Access Manager.

  23. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  24. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  25. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  26. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  27. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.9 OAAM in an Existing OIM with LDAP Sync and OAAM

This section describes how to add Oracle Adaptive Access Manager to an existing Oracle Access Manager and Oracle Identity Manager (OIM) installation, which has LDAP Sync configured. It also describes how to configure Oracle Access Manager to use Oracle Internet Directory (OID) as its LDAP provider.

It contains the following sections:

14.9.1 Overview

In this section, you perform the following tasks:

  1. Install and configure Oracle Internet Directory and Oracle Virtual Directory

  2. Install and configure Oracle Identity Manager and Oracle Access Manager

  3. Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider

  4. Set up LDAP Sync for Oracle Identity Manager

  5. Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager

14.9.2 Prerequisites

The following lists the prerequisites for installing and configuring Oracle Adaptive Access Manager to an existing Oracle Access Manager Oracle Identity Manager installation with LDAP sync:

14.9.3 Scenario 1: Configuration in a New WebLogic Domain

This section discusses the following topics:

14.9.3.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager and Oracle Access Manager are configured in a new WebLogic domain, which is extended to support Oracle Adaptive Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.9.3.2 Components Deployed

Performing this configuration deploys the following:

  • A WebLogic Administration Server

  • Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.9.3.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.9.3.4 Procedure

Perform the following steps to configure Oracle Adaptive Access Manager to an existing Oracle Access Manager and Oracle Identity Manager installation with LDAP Sync:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2].

    Select Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2].

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default:

    Oracle JRF 11.1.1.0 [Oracle_Common], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1].

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, the OAM Infrastructure Schema, or the OIM Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Target deployments and services to servers or clusters.

    • Optional: Configure JMS File Store, as required.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

    A new WebLogic domain to support Oracle Identity Manager and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  13. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  14. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  15. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  16. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  17. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  18. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager and Oracle Access Manager. Click Next. The Select Extension Source screen is displayed.

  19. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
  20. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  21. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  22. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  23. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager and Oracle Access Manager is extended to support Oracle Adaptive Access Manager.

  24. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  25. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  26. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.9.4 Scenario 2: Configuration in a Domain Containing OID and OVD

This section discusses the following topics:

14.9.4.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager and Oracle Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Adaptive Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.9.4.2 Components Deployed

Performing this configuration deploys the following:

  • Managed Servers for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

14.9.4.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.9.4.4 Procedure

Perform the following steps to configure Oracle Adaptive Access Manager in an existing Oracle Identity Management installation, which has Oracle Internet Directory, Oracle Access Manager, Oracle Identity Manager, and Oracle Virtual Directory configured:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM1>/bin/config.sh on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat to start the wizard.

  3. On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.

  4. Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.

  5. Follow the wizard, provide the necessary input, and configure the domain.

    A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

  6. Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.

  7. Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

  8. Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.

  9. Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.

  10. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  11. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  12. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  13. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option, and the Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1] option are also selected, by default.
  14. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.

  15. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OAM Infrastructure Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  16. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  17. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management 11.1.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager and Oracle Access Manager.

  18. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  19. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  20. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  21. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  22. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  23. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  24. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Internet Directory, Oracle Access Manager, and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.

  25. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
  26. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  27. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  28. On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  29. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  30. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Access Manager, Oracle Internet Directory, and Oracle Virtual Directory is extended to support Oracle Adaptive Access Manager.

  31. Restart the Administration Server, as described in Restarting Servers.

  32. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  33. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  34. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).

14.9.5 Scenario 3: Configuration in a Domain Containing OAPM, and OIN

This section discusses the following topics:

14.9.5.1 Appropriate Deployment Environment

Perform configuration in this section for Oracle Identity Management environments that have the following conditions:

  • Oracle Internet Directory, Oracle Virtual Directory, Oracle Adaptive Access Manager, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.

  • Oracle Identity Manager and Oracle Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Authorization Policy Manager, and Oracle Identity Navigator. This domain is extended to support Oracle Adaptive Access Manager at a later time.

  • Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.

14.9.5.2 Components Deployed

Performing the configuration in this section deploys the following:

  • Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager

  • Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server

  • Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server

14.9.5.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server.

  • Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.

  • Installation of the Oracle Identity Management 11g software.

  • Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).

  • Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).

14.9.5.4 Procedure

Perform the following steps to configure Oracle Adaptive Access Manager in an existing Oracle Identity Management installation, which has Oracle Identity Manager with LDAP Sync, Oracle Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator:

  1. Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.

  2. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  3. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.

  4. On the Select Domain Source screen, select the following domain configuration options:

    Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]

    Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]

    Note:

    When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected, by default.

    When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1]

  5. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.Tthe Configure JDBC Component Schema screen is displayed.

  9. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OAM Infrastructure Schema, the OIM MDS Schema, the OIM Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  10. On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.

    • Optional: Configure Administration Server, as required.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

    • Optional: Configure RDBMS Security Store, as required.

  11. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.

    A new WebLogic domain to support Oracle Authorization Policy Manager, Oracle Identity Manager, Oracle Access Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.

  12. Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.

  13. Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.

  14. Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.

  15. Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:

    1. On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.

    2. Launch the WebLogic Scripting Tool (WLST) interface as follows:

      On UNIX: Run ./wlst.sh on the command line.

      On Windows: Run wlst.cmd.

      At the WLST command prompt (wls:/offline>), type the following:

      connect()

      You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

      Run the createUserIdentityStore WLST command, as in the following example:

      createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com",ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")

      Note:

      Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.

    Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  16. Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX). (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  17. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

  18. On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Access Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.

  19. On the Select Extension Source screen, select the following domain configuration options:

    Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]

  20. After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.

  21. On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.

  22. On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the OAM Infrastructure Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

  23. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.

    • Optional: Configure Managed Servers, as required.

    • Optional: Configure Clusters, as required.

      For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

    • Optional: Assign Managed Servers to Clusters, as required.

    • Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

      Tip:

      Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
    • Optional: Assign the Administration Server to a machine.

    • Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

    • Optional: Configure JMS File Store, as required.

  24. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

    Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Access Manager, and Oracle Identity Navigator is extended to support Oracle Adaptive Access Manager.

  25. Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

  26. Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.

  27. Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity ManagerServer configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.

Note:

If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).