Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) Part Number E12002-06 |
This chapter describes how to implement some of the most common and important Oracle Identity Management suite-level installation scenarios.
It discusses the following scenarios:
OIM with LDAP Sync in an Existing OAM Installation with LDAP Configured
OIM with LDAP Sync in an Existing OAM and OAAM Installation with LDAP Configured
You must complete the following prerequisites before configuring Oracle Identity Management 11g Release 1 (11.1.1) products in any scenario:
Installing Oracle Database, as described in Installing Oracle Database.
Installing Oracle WebLogic Server 10.3.3 and creating a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
For Oracle Identity Manager users only: Installing Oracle SOA Suite 11g Release 1 (11.1.1.2.0) and patching it to 11.1.1.3.0, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
Creating and loading schemas using Oracle Fusion Middleware Repository Creation Utility (RCU), as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Installing the Oracle Identity Management 11g Release 1 (11.1.1.3.0) suite, as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0). The Oracle Identity Management suite contains Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN).
Before you start installing and configuring Oracle Identity Management products in any of the scenarios discussed in this chapter, keep the following points in mind:
It is assumed that you are installing Oracle Internet Directory, Oracle Virtual Directory, Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Navigator, and Oracle SOA Suite on the same machine.
Note:
In this chapter, two IDM_Home directories are mentioned in descriptions and procedures. For example, the first one, Oracle_IDM1, can be the IDM_Home directory for Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation. The second one, Oracle_IDM2, can be the IDM_Home directory for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator. However, note that Oracle_IDM1 and Oracle_IDM2 are used as examples in this document. You can specify any name for either of your IDM_Home directories. In addition, you can install the two Oracle Identity Management suites (one containing Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation; another containing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator) in any order on your machine.
If you choose to use the default names, the first installation creates an Oracle_IDM1 directory, and the second installation creates an Oracle_IDM2 directory.
If you have not installed Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, or Oracle Identity Federation on the same machine where you are installing Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator, then you will see a single IDM_Home directory, such as Oracle_IDM1, under your MW_HOME directory.
For more information, see Overview and Structure of Oracle Identity Management 11g Installation.
By performing the domain configuration procedures described in this chapter, you can create Managed Servers on a local machine (the machine on which the Administration Server is running). However, you can create and start Managed Servers for Oracle Identity Management components on a remote machine. For more information, see the "Creating and Starting a Managed Server on a Remote Machine" topic in the guide Oracle Fusion Middleware Creating Templates and Domains Using the Pack and Unpack Commands.
For Oracle Identity Manager users: You must use the Oracle Identity Manager Configuration Wizard to configure only Oracle Identity Manager Server, Oracle Identity Manager Design Console (on Windows only), and Oracle Identity Manager Remote Manager.
You must complete this additional configuration for Oracle Identity Manager components after configuring Oracle Identity Manager in a new or existing WebLogic administration domain. For more information, see the chapter Configuring Oracle Identity Manager.
If you are configuring Oracle Identity Manager Server, you must run the Oracle Identity Manager configuration wizard on the machine where the Administration Server is running. For configuring the Server, you can run the wizard only once during the initial setup of the Server. After the successful setup of Oracle Identity Manager Server, you cannot run the Oracle Identity Manager Configuration Wizard again to modify the configuration of Oracle Identity Manager Server. For such modifications, you must use Oracle Enterprise Manager Fusion Middleware Control.
If you are configuring only Design Console or Remote Manager, you can run the Oracle Identity Manager Configuration Wizard on the machine where Design Console or Remote Manager is being configured. Note that you can run the Oracle Identity Manager Configuration Wizard to configure Design Console or Remote Manager as and when you need to configure them on new machines.
Note that Oracle Identity Manager requires Oracle SOA Suite 11g (11.1.1.3.0), which should be exclusive to Oracle Identity Management. You must install Oracle SOA Suite before configuring Oracle Identity Manager. If you are setting up integration between Oracle Identity Manager and Oracle Access Manager, ensure that Oracle Identity Manager and Oracle SOA Suite are configured in the same domain.
This section discusses how to configure Oracle Identity Navigator (OIN), Oracle Authorization Policy Manager (OAPM), Oracle Access Manager (OAM), and Oracle Identity Manager (OIM).
It includes the following sections:
In this section, you perform the following tasks:
Install and configure Oracle Internet Directory and Oracle Virtual Directory
Install and configure Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator
Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider
Set up LDAP sync for Oracle Identity Manager
Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager
The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).
An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
Install the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).
Note:
It is assumed that you are installing and configuring Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Access Manager (OAM) on the same machine. Therefore, two distinct IDM_Home directories are mentioned in this chapter.
Install the latest version of Oracle SOA Suite under the same Middleware Home, and patch the Oracle SOA Suite to the latest version, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to configure Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN) simultaneously in a new WebLogic administration domain. Then you can configure Oracle Access Manager to use Oracle Internet Directory (OID) as its LDAP Provider. You can also set up LDAP Sync for Oracle Identity Manager.
Performing the configuration in this section deploys the following:
WebLogic Administration Server
A Managed Server each for Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Identity Navigator and Oracle Authorization Policy Manager applications on the Administration Server
Administration Consoles for the Oracle Access Manager and Oracle Adaptive Access Manager on the Administration Server
The installation and configuration in this section depends on the following:
Oracle WebLogic Server
Installation of Oracle Identity Management Suite, as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0)
Oracle Database
Oracle SOA 11g Suite
JDK (either Oracle WebLogic JRockit JDK or Sun JDK 1.6.0)
Database schemas for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Authorization Policy Manager. For more information about schemas specific to each product, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
To configure Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Navigator, and Oracle Authorization Policy Manager in a new WebLogic domain, complete the following steps:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or <Oracle_IDM2>\common\bin\config.cmd (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Create a WebLogic administration domain, which supports the following products:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
Optional: Oracle Adaptive Access Manager Server - 11.1.1.3.0 [Oracle_IDM2]
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select any of the Oracle Identity Management products, the Oracle JRF 11.1.1.0 [oracle_common] option is also selected automatically. When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1] option, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option, and the Oracle Enterprise Manager - 11.1.1.0 [oracle_common] option are also selected.
Click Next. The Specify Domain Name and Location screen appears
Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode on the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.
The Configure JDBC Component Schema screen displays a list of the following component schemas:
SOA Infrastructure
User Messaging Service
OAAM Server Schema
OIM MDS Schema
OWSM MDS Schema
OAAM Admin Server
OAAM Admin MDS Schema
APM MDS Schema
APM Schema
OIM Schema
SOA MDS Schema
OAM Infrastructure
On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, you can view the summary of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.
A WebLogic domain to support Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example. The host, port, bind password (welcome1), and DNs are placeholder values; replace them with the values for your directory, and make sure that userSearchBase and groupSearchBase both point into the directory at ldapUrl:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=acme,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=acme,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can instead specify a user name, such as orcladmin, in the roleSecAdmin attribute; that user will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
This section discusses the following topics:
The configuration described in this topic is appropriate for environments that have the following conditions:
You want to add Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator to an existing Oracle Identity Management domain that contains Oracle Internet Directory and Oracle Virtual Directory.
You want to configure all Oracle Identity Management products, including 11.1.1.3.0, in the same WebLogic administration domain.
You want a single WebLogic Administration Server to manage all of the Oracle Identity Management 11g products.
Performing the configuration in this section deploys the following components:
A Managed Server each for Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager
Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager applications on Managed Servers
Administration Consoles for Oracle Access Manager and Oracle Adaptive Access Manager on the existing Administration Server
Oracle Identity Navigator application and Oracle Authorization Policy Manager on the existing Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server
Installation of Oracle Identity Management Suite, as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0)
Oracle Database
Oracle SOA 11g Suite
JDK (either Oracle WebLogic JRockit JDK or Sun JDK 1.6.0)
Database schemas for Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Authorization Policy Manager. For more information about schemas specific to each product, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
To extend an existing Oracle Identity Management 11.1.1.3.0 domain (the domain with Oracle Internet Directory and Oracle Virtual Directory) to support Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator, complete the following steps:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM1>/bin/config.sh script on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run <Oracle_IDM1>\bin\config.bat to start the wizard.
On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.
Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.
Follow the wizard, provide the necessary input, and configure the domain.
A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.
Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.
Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or <Oracle_IDM2>\common\bin\config.cmd (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the directory that contains the domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next.
On the Select Domain Source screen, ensure that the Extend my domain automatically to support the following added products: option is selected.
Select the following options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1] option and the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option are also selected.
Click Next. The Configure JDBC Component Schema screen appears.
The screen displays a list of the following component schemas:
SOA Infrastructure
User Messaging Service
OAAM Admin Schema
OAAM Admin MDS Schema
APM Schema
APM MDS Schema
OIM MDS Schema
OWSM MDS Schema
SOA MDS Schema
OAM Infrastructure
OIM Schema
On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Internet Directory and Oracle Virtual Directory is configured to support Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example. The host, port, bind password (welcome1), and DNs are placeholder values; replace them with the values for your directory:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=acme,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=acme,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can instead specify a user name, such as orcladmin, in the roleSecAdmin attribute; that user will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
This section discusses how to configure Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) in different scenarios:
It includes the following sections:
Scenario 1: OIM with LDAP Sync, and OAM in a New WebLogic Domain
Scenario 2: OIM with LDAP Sync, and OAM, in an Existing Domain Containing OID and OVD
Scenario 3: OIM with LDAP Sync, and OAM, in a Domain Containing OAAM, OAPM, and OIN
In this section, you perform the following tasks:
Install and configure Oracle Internet Directory and Oracle Virtual Directory
Install and configure Oracle Identity Manager and Oracle Access Manager
Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider
Set up LDAP sync for Oracle Identity Manager
Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager
The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).
An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
Install the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).
Note:
It is assumed that you are installing and configuring Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Access Manager (OAM) on the same machine. Therefore, two distinct IDM_Home directories are mentioned in this chapter.
Install the latest version of Oracle SOA Suite under the same Middleware Home, and patch the Oracle SOA Suite to the latest version, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you may set up integration between Oracle Identity Manager and Oracle Access Manager (OAM) at a later time. You can set up this integration, as described in Integration Between OIM and OAM.
Performing the configuration in this section deploys the following:
WebLogic Administration Server
Managed Servers for Oracle Identity Manager and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console on the Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation of the Oracle Identity Management 11g software.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in a new WebLogic domain:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, RDBMS Security Store, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Identity Manager and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can use one of the following options:
You can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
The administrator can create the group using Oracle Directory Services Manager (ODSM).
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you have installed and configured Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD). At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager (OAM), as described in Integration Between OIM and OAM.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in an existing Oracle Identity Management 11.1.1.3.0 domain that contains Oracle Internet Directory and Oracle Virtual Directory:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM1>/bin/config.sh script on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run <Oracle_IDM1>\bin\config.bat to start the wizard.
On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.
Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.
Follow the wizard, provide the necessary input, and configure the domain.
A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.
Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.
Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Select a JMS Distributed Destination Type, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management 11.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager and Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can use one of the following options:
You can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
The administrator can create the group using Oracle Directory Services Manager (ODSM).
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where other Oracle Identity Management products, such as Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN) are installed and configured.
At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.
You can use Oracle Identity Navigator to discover and launch Consoles for the Oracle Identity Management products from within the Oracle Identity Navigator user interface.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in an existing Oracle Identity Management domain that contains Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2], and Oracle JRF - 11.1.1.0 [oracle_common].
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Schema, the APM Schema, the APM MDS Schema, or the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.
A new WebLogic domain to support Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Authorization Policy Manager and Oracle Adaptive Access Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Select a JMS Distributed Destination Type, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Authorization Policy Manager and Oracle Adaptive Access Manager, and Oracle Identity Navigator is extended to support Oracle Identity Manager and Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This topic describes how to configure Oracle Identity Manager (OIM) with LDAP Synchronization, Oracle Access Manager (OAM), and Oracle Adaptive Access Manager (OAAM) in a new or existing WebLogic domain.
It includes the following sections:
Scenario 1: OIM with LDAP Sync, and OAM in a New WebLogic Domain
Scenario 2: Configuration in a Domain Containing OID and OVD
Scenario 3: Configuration in a Domain Containing OAPM and OIN
In this section, you perform the following tasks:
Install and configure Oracle Internet Directory and Oracle Virtual Directory
Install and configure Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager
Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider
Set up LDAP sync for Oracle Identity Manager
Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager
The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization, Oracle Access Manager, and Oracle Adaptive Access Manager:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).
An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
Install the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).
Note:
It is assumed that you are installing and configuring Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Access Manager (OAM) on the same machine. Therefore, two distinct IDM_Home directories are mentioned in this chapter.
Install the latest version of Oracle SOA Suite under the same Middleware Home, and patch the Oracle SOA Suite to the latest version, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to install Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you may set up integration between Oracle Identity Manager and Oracle Access Manager (OAM) at a later time, as described in Integration Between OIM and OAM.
You may add other Oracle Identity Management products, such as Oracle Authorization Policy Manager and Oracle Identity Navigator at a later time in the same domain.
Performing the configuration in this section deploys the following:
WebLogic Administration Server
Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, and Oracle Access Manager in a new WebLogic domain:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<IDM_Home>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle JRF - 11.1.1.0 [oracle_common] and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Schema, the OAAM Admin MDS Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, RDBMS Security Store, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Select JMS Distributed Destination Type, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to install Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) with LDAP Synchronization in an environment where you have installed and configured Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD). At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager with LDAP Synchronization in an existing Oracle Identity Management 11.1.1.3.0 domain that contains Oracle Internet Directory and Oracle Virtual Directory:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM1>/bin/config.sh script on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat script to start the wizard.
On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.
Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.
Follow the wizard, provide the necessary input, and configure the domain.
A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.
Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.
Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Select a JMS Distributed Destination Type, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management 11.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
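The roleSecAdmin rule in the note above (and in the identical createUserIdentityStore step of Scenario 1 and Scenario 3) is easy to get wrong: if the named group is missing under groupSearchBase, the value is treated as a single user name, and if neither exists nobody can reach the Administration Console. The following Python pre-flight check is an added example, not Oracle's code and not a WLST script; it applies that rule to a constructed in-memory directory snapshot (a real run would replace SAMPLE_DIRECTORY with an LDAP search under the two search bases), flags the placeholder ldapUrl and the documentation-default credential, and renders the exact WLST call. The group object classes, the uniqueMember attribute, and the host oid.example.com used in the usage note are assumptions.

```python
from urllib.parse import urlsplit

# Constructed snapshot standing in for an OID search result; a real deployment
# would replace this with an LDAP search under userSearchBase and groupSearchBase.
SAMPLE_DIRECTORY = {
    "cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com": {
        "objectClass": {"inetOrgPerson"}, "uid": "orcladmin"},
    "cn=jdoe,cn=Users,dc=us,dc=oracle,dc=com": {
        "objectClass": {"inetOrgPerson"}, "uid": "jdoe"},
    "cn=OAMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com": {
        "objectClass": {"groupOfUniqueNames"},
        "uniqueMember": {"cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com",
                         "cn=jdoe,cn=Users,dc=us,dc=oracle,dc=com"}},
}

# Parameter values copied from the createUserIdentityStore example on this page.
SAMPLE_PARAMS = {
    "name": "OAMOIDIdStoreForOIM", "principal": "cn=orcladmin",
    "credential": "welcome1", "type": "LDAP", "userAttr": "uid",
    "ldapProvider": "OID", "roleSecAdmin": "OAMAdministrators",
    "userSearchBase": "cn=Users,dc=us,dc=oracle,dc=com",
    "ldapUrl": "ldap://<oid host>:<oid port>", "isPrimary": "true",
    "userIDProvider": "OracleUserRoleAPI",
    "groupSearchBase": "cn=Groups,dc=us,dc=oracle,dc=com",
}

# Group object classes this check recognises (assumption about the OID schema in use).
GROUP_CLASSES = {"groupofuniquenames", "groupofnames", "orclgroup"}

def normalize_dn(dn):
    """Case-fold and strip whitespace around commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def dn_under(dn, base):
    """True when dn is a proper descendant of base in the DIT."""
    return normalize_dn(dn).endswith("," + normalize_dn(base))

def rdn_value(dn):
    """Value of the leftmost RDN, e.g. 'OAMAdministrators' for cn=OAMAdministrators,..."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()

def resolve_admins(params, directory):
    """Apply the note's rule: a group named by roleSecAdmin under groupSearchBase grants
    console access to its members; otherwise a user named by roleSecAdmin under
    userSearchBase gets access alone; otherwise nobody can log in."""
    wanted = params["roleSecAdmin"].lower()
    for dn, attrs in directory.items():
        classes = {c.lower() for c in attrs["objectClass"]}
        if (classes & GROUP_CLASSES and rdn_value(dn).lower() == wanted
                and dn_under(dn, params["groupSearchBase"])):
            members = sorted(m for m in attrs.get("uniqueMember", ())
                             if dn_under(m, params["userSearchBase"]))
            return {"kind": "group", "dn": dn, "admins": members}
    for dn, attrs in directory.items():
        if (attrs.get(params["userAttr"], "").lower() == wanted
                and dn_under(dn, params["userSearchBase"])):
            return {"kind": "user", "dn": dn, "admins": [dn]}
    return {"kind": "none", "dn": None, "admins": []}

def preflight(params, directory):
    """Return findings to resolve before pasting the command into WLST."""
    findings = []
    url = urlsplit(params["ldapUrl"])
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("ldapUrl must use the ldap:// or ldaps:// scheme")
    elif url.scheme == "ldap":
        findings.append("ldapUrl is plaintext ldap://; the bind credential crosses the network unprotected")
    if "<" in params["ldapUrl"]:
        findings.append("ldapUrl still contains a placeholder host or port")
    for key in ("userSearchBase", "groupSearchBase"):
        if not all("=" in part for part in params[key].split(",")):
            findings.append("%s is not a valid DN: %r" % (key, params[key]))
    if params["credential"] == "welcome1":
        findings.append("credential is the documentation default; set the real bind password")
    if params["isPrimary"] not in ("true", "false"):
        findings.append("isPrimary must be the string 'true' or 'false'")
    admins = resolve_admins(params, directory)
    if admins["kind"] == "none":
        findings.append("roleSecAdmin %r matches no group under groupSearchBase and no user "
                        "under userSearchBase; nobody would get console access"
                        % params["roleSecAdmin"])
    elif admins["kind"] == "user":
        findings.append("roleSecAdmin names a single user; only %s gets console access" % admins["dn"])
    return findings

def build_wlst_command(params):
    """Render the createUserIdentityStore(...) call exactly as WLST expects it."""
    args = ", ".join('%s="%s"' % (k, v) for k, v in params.items())
    return "createUserIdentityStore(%s)" % args

if __name__ == "__main__":
    for finding in preflight(SAMPLE_PARAMS, SAMPLE_DIRECTORY):
        print("WARNING:", finding)
    print(build_wlst_command(SAMPLE_PARAMS))
```

Run against the page's own values, the check reports the placeholder host and port, the plaintext ldap:// scheme, and the welcome1 credential, but no roleSecAdmin finding because OAMAdministrators exists under cn=Groups. Change roleSecAdmin to orcladmin and it reports that only that one user will be able to log in, exactly the consequence the note describes; replacing ldapUrl with ldaps://oid.example.com:3131 and a real password clears the remaining findings.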
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to install Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) with LDAP Synchronization, in an environment where other Oracle Identity Management products, such as Oracle Authorization Policy Manager (OAPM) and Oracle Identity Navigator (OIN) are installed and configured.
At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.
You can use Oracle Identity Navigator to discover and launch Consoles for the Oracle Identity Management products from within the Oracle Identity Navigator user interface.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager with LDAP Synchronization, in an existing Oracle Identity Management domain that contains Oracle Authorization Policy Manager and Oracle Identity Navigator:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following option is also selected, by default: Oracle JRF - 11.1.1.0 [oracle_common].
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, or the APM MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.
A new WebLogic domain to support Oracle Authorization Policy Manager and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Authorization Policy Manager and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Authorization Policy Manager and Oracle Identity Navigator is extended to support Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section describes how to configure Oracle Identity Manager (OIM) with LDAP Sync to an existing Oracle Access Manager installation, which has Oracle Internet Directory (OID) configured as the LDAP provider.
It contains the following sections:
Scenario 2: Configuration in a Domain Containing OID and OVD
Scenario 3: Configuration in a Domain Containing OAAM, OAPM, and OIN
In this section, you perform the following tasks:
Install and configure Oracle Internet Directory and Oracle Virtual Directory
Install and configure Oracle Access Manager
Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider
Configure Oracle Identity Manager
Set up LDAP sync for Oracle Identity Manager
Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager
The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager installation, which has LDAP configured:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).
An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
Install the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).
Note:
It is assumed that you are installing and configuring Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Access Manager (OAM) on the same machine. Therefore, two distinct IDM_Home directories are mentioned in this chapter.
Install the latest version of Oracle SOA Suite under the same Middleware Home, and patch the Oracle SOA Suite to the latest version, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Access Manager is configured in a new WebLogic domain, which is extended to support Oracle Identity Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
A WebLogic Administration Server
Managed Servers for Oracle Access Manager and Oracle Identity Manager
Oracle Access Manager Console on the Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, to an existing Oracle Access Manager installation, which has LDAP configured:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2], and click Next. The Select Domain Name and Location screen appears.
Note:
When you select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF 11.1.1.0 [Oracle_Common] option is also selected, by default.
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Select JMS Distributed Destination Type, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Access Manager is extended to support Oracle Identity Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Access Manager is configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Identity Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
Managed Servers for Oracle Access Manager and Oracle Identity Manager
Oracle Access Manager Console on the existing Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization, to an existing Oracle Access Manager installation, which has LDAP configured:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM1>/bin/config.sh script on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat script to start the wizard.
On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.
Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.
Follow the wizard, provide the necessary input, and configure the domain.
A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.
Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.
Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management 11.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
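The following Python script is an added pre-flight check, not part of this guide or of WLST, for the createUserIdentityStore step that appears in each scenario of this chapter: it parses a call such as the example above (WLST is Jython, so the call text parses with Python's ast module) and reports the settings a reviewer would question before the identity store goes live, namely unresolved <oid host> placeholders, a plain ldap:// URL, a documentation sample password such as welcome1, and a bind as the cn=orcladmin super user. The hardened call, its bind account name, host and password are constructed values and not taken from this guide.

```python
"""Pre-flight review of an OAM createUserIdentityStore() WLST call.

Added example, not from the Oracle guide. WLST is Jython, so the call text
parses with Python's ast module; no WebLogic or directory connection is made.
"""
import ast
import re

# Constructed sample with the same shape as the guide's example call.
GUIDE_STYLE_CALL = (
    'createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", '
    'credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", '
    'roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", '
    'ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", '
    'userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")'
)

# Constructed hardened variant: LDAPS, a dedicated bind account (assumed name)
# and a non-default credential. Host, account and password are made up.
HARDENED_CALL = (
    'createUserIdentityStore(name="OAMOIDIdStoreForOIM", '
    'principal="cn=oam_idstore_bind,cn=Users,dc=us,dc=oracle,dc=com", '
    'credential="Vq8#tL2pXm4zR7w", type="LDAP", userAttr="uid", ldapProvider="OID", '
    'roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", '
    'ldapUrl="ldaps://oid.example.com:3131", isPrimary="true", '
    'userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")'
)

# Sample passwords that appear in vendor documentation; extend to match local policy.
DOC_SAMPLE_CREDENTIALS = {"welcome1", "password", "changeme"}

REQUIRED_KEYS = ("name", "principal", "credential", "ldapUrl",
                 "userSearchBase", "groupSearchBase", "roleSecAdmin")


def parse_call(call_text):
    """Return the keyword arguments of a createUserIdentityStore(...) call.

    Raises ValueError unless the text is exactly one such call whose
    arguments are all string literals (the only form the guide shows).
    """
    node = ast.parse(call_text.strip(), mode="eval").body
    if (not isinstance(node, ast.Call)
            or getattr(node.func, "id", None) != "createUserIdentityStore"):
        raise ValueError("expected a single createUserIdentityStore(...) call")
    kwargs = {}
    for kw in node.keywords:
        value = kw.value
        if (kw.arg is None or not isinstance(value, ast.Constant)
                or not isinstance(value.value, str)):
            raise ValueError("argument %r is not a string literal" % kw.arg)
        kwargs[kw.arg] = value.value
    return kwargs


def review(kwargs):
    """Return review findings as a list of strings; empty means nothing to raise."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in kwargs:
            findings.append("missing argument: %s" % key)
    url = kwargs.get("ldapUrl", "")
    if re.search(r"<[^>]*>", url):
        findings.append("ldapUrl still holds a placeholder: %s" % url)
    if url.lower().startswith("ldap://"):
        findings.append("ldapUrl is plain ldap://: the bind credential and "
                        "directory traffic cross the network unencrypted")
    if kwargs.get("credential", "").lower() in DOC_SAMPLE_CREDENTIALS:
        findings.append("credential is a documentation sample password")
    if kwargs.get("principal", "").strip().lower() == "cn=orcladmin":
        findings.append("principal is cn=orcladmin, the OID super user; "
                        "a dedicated least-privilege bind account is preferable")
    if "isPrimary" in kwargs and kwargs["isPrimary"].lower() not in ("true", "false"):
        findings.append("isPrimary must be the string true or false")
    return findings


def review_call(call_text):
    """Parse and review a call text in one step."""
    return review(parse_call(call_text))


if __name__ == "__main__":
    for label, call in (("guide-style", GUIDE_STYLE_CALL), ("hardened", HARDENED_CALL)):
        findings = review_call(call)
        print("%s: %d finding(s)" % (label, len(findings)))
        for item in findings:
            print("  - " + item)
```

Paste the exact call text you intend to run into the script before executing it in WLST; the guide-style sample produces four findings and the hardened sample none.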
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Access Manager is extended to support Oracle Identity Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform the configuration in this topic if you want to install Oracle Access Manager (OAM) in an existing Oracle Identity Management domain that contains Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN). You can configure Oracle Access Manager to use Oracle Internet Directory (OID) as the LDAP provider. Then you can add Oracle Identity Manager (OIM) to the same domain and set up LDAP Sync.
At a later time, you may set up integration between Oracle Identity Manager and Oracle Access Manager, as described in Integration Between OIM and OAM.
You can use Oracle Identity Navigator to discover and launch Consoles for the Oracle Identity Management products from within the Oracle Identity Navigator user interface.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Sync to an existing Oracle Access Manager installation, which has LDAP configured:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle JRF - 11.1.1.0 [oracle_common], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], and Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2].
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, or the APM MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.
A new WebLogic domain to support Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, and Deployments and Services. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is extended to support Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the OAAM Admin Schema, the User Messaging Service Schema, the OIM Schema, the OWSM MDS Schema, the OIM MDS Schema, the APM Schema, the APM MDS Schema, the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is extended to support Oracle Identity Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section describes how to configure Oracle Identity Manager (OIM) with LDAP Sync to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has Oracle Internet Directory (OID) configured as the LDAP provider.
It contains the following sections:
Scenario 2: Configuration in a Domain Containing OID and OVD
Scenario 3: Configuration in a Domain Containing OAAM, OAPM, and OIN
In this section, you perform the following tasks:
Install and configure Oracle Internet Directory and Oracle Virtual Directory
Install and configure Oracle Access Manager and Oracle Adaptive Access Manager
Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider
Configure Oracle Identity Manager
Set up LDAP sync for Oracle Identity Manager
Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager
The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).
An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
Install the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).
Note:
It is assumed that you are installing and configuring Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Access Manager (OAM) on the same machine. Therefore, two distinct IDM_Home directories are mentioned in this chapter.
Install the latest version of Oracle SOA Suite under the same Middleware Home, and patch the Oracle SOA Suite to the latest version, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Access Manager and Oracle Adaptive Access Manager are configured in a new WebLogic domain, which is extended to support Oracle Identity Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
A WebLogic Administration Server
Managed Servers for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] and Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] options.
Note:
When you select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF 11.1.1.0 [Oracle_Common] option is also selected, by default.
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common] and Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, or the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Target deployments and services to servers or clusters.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Adaptive Access Manager and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
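The createUserIdentityStore call shown above (and its twin in the previous scenario) takes the ldapUrl host and port, both search bases and the roleSecAdmin value on trust; a group that does not exist under groupSearchBase silently turns into a single-user administrator entry. The following script is an added example, not Oracle's code or part of this guide: it checks those parameters offline against a constructed list of directory DNs before the command is pasted into WLST. The sample DNs, the uid=orcladmin entry and the filled-in host oid.example.com:3060 used in the checks are assumptions.

```python
"""Pre-flight check for createUserIdentityStore parameters (added example,
not Oracle's code). It validates, offline, the values that the WLST command
takes on trust: that the ldapUrl placeholders have been filled in, that both
search bases exist, and that roleSecAdmin names a real group (or user)."""
import re
from urllib.parse import urlsplit

# Constructed sample: the parameters of the WLST example above, with the
# ldapUrl placeholders deliberately left unfilled so the check catches them.
SAMPLE_PARAMS = {
    "name": "OAMOIDIdStoreForOIM",
    "principal": "cn=orcladmin",
    "credential": "welcome1",
    "type": "LDAP",
    "userAttr": "uid",
    "ldapProvider": "OID",
    "roleSecAdmin": "OAMAdministrators",
    "userSearchBase": "cn=Users,dc=us,dc=oracle,dc=com",
    "ldapUrl": "ldap://<oid host>:<oid port>",
    "isPrimary": "true",
    "userIDProvider": "OracleUserRoleAPI",
    "groupSearchBase": "cn=Groups,dc=us,dc=oracle,dc=com",
}

# Constructed stand-in for the entries the OID instance is assumed to hold.
# In a real run, collect these with an LDAP search of the two search bases.
SAMPLE_DIRECTORY_DNS = {
    "cn=Users,dc=us,dc=oracle,dc=com",
    "cn=Groups,dc=us,dc=oracle,dc=com",
    "cn=OAMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com",
    "uid=orcladmin,cn=Users,dc=us,dc=oracle,dc=com",
}

REQUIRED = ("name", "principal", "credential", "ldapUrl",
            "userSearchBase", "groupSearchBase", "roleSecAdmin")
PLACEHOLDER = re.compile(r"<[^<>]*>")  # an unfilled template such as <oid host>


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_is_under(dn, base):
    """True if dn equals base or lies beneath it in the DIT."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def parse_ldap_url(url):
    """Return (scheme, host, port) for a concrete ldap(s)://host:port URL, else None."""
    try:
        parts = urlsplit(url)
        if parts.scheme in ("ldap", "ldaps") and parts.hostname and parts.port:
            return parts.scheme, parts.hostname, parts.port
    except ValueError:  # raised by .port when the port is not numeric
        pass
    return None


def check_params(params, directory_dns):
    """Return (errors, notes): errors block the command, notes explain side effects."""
    errors, notes = [], []
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        return ["missing value for %s" % k for k in missing], notes
    known = {normalize_dn(d) for d in directory_dns}

    # 1. ldapUrl must be a real host and port, not the <oid host>:<oid port> template.
    url = params["ldapUrl"]
    if PLACEHOLDER.search(url):
        errors.append("ldapUrl still contains a placeholder: %s" % url)
    elif parse_ldap_url(url) is None:
        errors.append("ldapUrl must be ldap(s)://host:port, got %s" % url)

    # 2. Both search bases must exist in the directory.
    for key in ("userSearchBase", "groupSearchBase"):
        if normalize_dn(params[key]) not in known:
            errors.append("%s %s does not exist in the directory" % (key, params[key]))

    # 3. roleSecAdmin should be a group under groupSearchBase. If no such group
    #    exists, the value is treated as a user name under userSearchBase and
    #    only that one user can log in to the OAM Administration Console.
    admin = params["roleSecAdmin"]
    group_dn = admin if "=" in admin else "cn=%s,%s" % (admin, params["groupSearchBase"])
    user_dn = "%s=%s,%s" % (params.get("userAttr", "uid"), admin, params["userSearchBase"])
    if normalize_dn(group_dn) in known and dn_is_under(group_dn, params["groupSearchBase"]):
        pass  # the normal case: a real administrator group
    elif normalize_dn(user_dn) in known:
        notes.append("roleSecAdmin %s is not a group; only user %s will get "
                     "OAM Administration Console access" % (admin, user_dn))
    else:
        errors.append("roleSecAdmin %s is neither a group under %s nor a user under %s"
                      % (admin, params["groupSearchBase"], params["userSearchBase"]))
    return errors, notes


def render_wlst_command(params):
    """Render the createUserIdentityStore(...) call in the form WLST expects."""
    args = ", ".join('%s="%s"' % (k, v) for k, v in params.items())
    return "createUserIdentityStore(%s)" % args


if __name__ == "__main__":
    errors, notes = check_params(SAMPLE_PARAMS, SAMPLE_DIRECTORY_DNS)
    for line in errors + notes:
        print(line)
    if not errors:
        print(render_wlst_command(SAMPLE_PARAMS))
```

Run as-is, the script reports the unfilled placeholder and refuses to render the command; replace ldapUrl with a concrete host and port and it prints the exact createUserIdentityStore(...) line to paste at the wls:/offline> prompt after connect().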
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Adaptive Access Manager and Oracle Access Manager. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1], and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Adaptive Access Manager and Oracle Access Manager is extended to support Oracle Identity Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Access Manager and Oracle Adaptive Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Identity Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
Managed Servers for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Synchronization in an existing Oracle Access Manager and Oracle Adaptive Access Manager installation that has LDAP configured:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM1>/bin/config.sh script on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run <Oracle_IDM1>\bin\config.bat to start the wizard.
On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.
Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.
Follow the wizard, provide the necessary input, and configure the domain.
A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.
Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.
Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, or the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management 11.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Access Manager and Oracle Adaptive Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1] and Oracle WSM Policy Manager - 11.1.1.0 [oracle_common].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the SOA Infrastructure Schema, the User Messaging Service Schema, the OWSM MDS Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OIM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Internet Directory, and Oracle Virtual Directory is extended to support Oracle Identity Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Access Manager and Oracle Adaptive Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Authorization Policy Manager and Oracle Identity Navigator. This domain is extended to support Oracle Identity Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider before configuring LDAP Sync for Oracle Identity Manager.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Identity Manager with LDAP Sync to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected, by default.
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, or the APM MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.
A new WebLogic domain to support Oracle Authorization Policy Manager and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Enterprise Manager - 11.1.1.0 [oracle_common] option and the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option are also selected, by default.
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema, the OAAM Admin Schema, the APM Schema, the APM MDS Schema, or the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, and Deployments and Services. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Authorization Policy Manager and Oracle Identity Navigator is extended to support Oracle Access Manager and Oracle Adaptive Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
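The createUserIdentityStore command above, and the identical step in the previous scenario, is easy to run with the documentation placeholders or the sample password still in place, and with a roleSecAdmin value that matches nothing under groupSearchBase, which locks every administrator out of the console. The following pre-flight checker is an added example, not Oracle's code: it parses the command as printed on this page and checks its arguments against a constructed DIT snapshot (the DNs mirror the page's; a real check would read them over LDAP instead).

```python
"""Pre-flight check for the OAM createUserIdentityStore arguments.

Added example, not Oracle's code. The DIT snapshot below is constructed to
mirror the DNs the page uses; a real check would read them over LDAP.
"""
import re
from typing import Dict, List, Tuple

# key="value" pairs as written in the WLST call on the page.
KWARG_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Accept only a concrete host and numeric port; "<oid host>" must not pass.
LDAP_URL_RE = re.compile(r'^(ldaps?)://([^/:\s<>]+):(\d{1,5})/?$')
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,=]+$')

# The command exactly as printed on the page, placeholders included.
PAGE_COMMAND = (
    'createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", '
    'credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", '
    'roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,'
    'ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , '
    'groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")'
)

# Constructed DIT snapshot: DN -> attributes (attribute names lower-cased).
SAMPLE_DIT: Dict[str, Dict[str, List[str]]] = {
    "cn=Users,dc=us,dc=oracle,dc=com": {"cn": ["Users"]},
    "cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com": {"cn": ["orcladmin"], "uid": ["orcladmin"]},
    "cn=Groups,dc=us,dc=oracle,dc=com": {"cn": ["Groups"]},
    "cn=OAMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com": {
        "cn": ["OAMAdministrators"],
        "uniquemember": ["cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com"],
    },
}


def parse_wlst_call(text: str) -> Dict[str, str]:
    """Extract the keyword arguments of a createUserIdentityStore(...) call."""
    if "createUserIdentityStore" not in text:
        raise ValueError("not a createUserIdentityStore call")
    return dict(KWARG_RE.findall(text))


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs, rejecting malformed input."""
    rdns = [re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in dn.split(",")]
    if not all(RDN_RE.match(r) for r in rdns):
        raise ValueError("malformed DN: %r" % dn)
    return rdns


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn lies strictly below base_dn in the DIT."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base


def find_entry(directory, base_dn: str, attr: str, value: str):
    """DN of an entry under base_dn whose <attr> holds <value>, else None."""
    for dn, attrs in directory.items():
        values = [v.lower() for v in attrs.get(attr.lower(), [])]
        if value.lower() in values and is_under(dn, base_dn):
            return dn
    return None


def check_identity_store(params: Dict[str, str], directory) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a proposed identity-store definition."""
    errors, warnings = [], []
    url = params.get("ldapUrl", "")
    match = LDAP_URL_RE.match(url)
    if not match:
        errors.append("ldapUrl %r is not host:port form; replace the <oid host>/<oid port> placeholders" % url)
    elif match.group(1) == "ldap":
        warnings.append("ldapUrl is plain ldap://; the bind credential for %s is sent unencrypted" % params.get("principal"))
    if params.get("credential") == "welcome1":
        warnings.append("credential is the documentation sample value; set the real orcladmin password")
    for key in ("userSearchBase", "groupSearchBase"):
        try:
            normalize_dn(params.get(key, ""))
        except ValueError as exc:
            errors.append("%s: %s" % (key, exc))
            return errors, warnings
    admin = params.get("roleSecAdmin", "")
    # roleSecAdmin must be a group under groupSearchBase; a bare user name is the documented fallback.
    group_dn = find_entry(directory, params["groupSearchBase"], "cn", admin)
    if group_dn is not None:
        if not directory[group_dn].get("uniquemember"):
            warnings.append("roleSecAdmin group %s is empty; nobody can reach the OAM console" % group_dn)
    else:
        user_dn = find_entry(directory, params["userSearchBase"], params.get("userAttr", "uid"), admin)
        if user_dn is None:
            errors.append("roleSecAdmin %r is neither a group under groupSearchBase nor a user under userSearchBase" % admin)
        else:
            warnings.append("roleSecAdmin names a single user (%s); only that account gets console access" % user_dn)
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_identity_store(parse_wlst_call(PAGE_COMMAND), SAMPLE_DIT)
    for finding in ["ERROR: " + e for e in errs] + ["WARN:  " + w for w in warns]:
        print(finding)
```

Run against the page's command as printed, the checker reports the unreplaced ldapUrl placeholders as an error and the sample credential as a warning; with those fixed and an ldaps:// URL it reports nothing.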
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the OAAM Admin Schema, the User Messaging Service Schema, the OIM Schema, the OWSM MDS Schema, the OIM MDS Schema, the APM Schema, the APM MDS Schema, or the OAAM Admin MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator is extended to support Oracle Identity Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section describes how to add Oracle Access Manager to an existing Oracle Identity Manager (OIM) installation, which has LDAP Sync configured. It also describes how to configure Oracle Access Manager to use Oracle Internet Directory (OID) as its LDAP provider.
It contains the following sections:
Scenario 2: Configuration in a Domain Containing OID and OVD
Scenario 3: Configuration in a Domain Containing OAAM, OAPM, and OIN
In this section, you perform the following tasks:
Install and configure Oracle Internet Directory and Oracle Virtual Directory
Install and configure Oracle Identity Manager
Set up LDAP Sync for Oracle Identity Manager
Configure Oracle Access Manager
Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider
Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager
The following lists the prerequisites for installing and configuring Oracle Identity Manager with LDAP Synchronization to an existing Oracle Access Manager and Oracle Adaptive Access Manager installation, which has LDAP configured:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).
An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
Install the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).
Note:
It is assumed that you are installing and configuring Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Access Manager (OAM) on the same machine. Therefore, two distinct IDM_Home directories are mentioned in this chapter.
Install the latest version of Oracle SOA Suite under the same Middleware Home, and patch the Oracle SOA Suite to the latest version, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Identity Manager is configured in a new WebLogic domain, which is extended to support Oracle Access Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
A WebLogic Administration Server
Managed Servers for Oracle Identity Manager and Oracle Access Manager
Oracle Access Manager Console on the Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Access Manager in an existing Oracle Identity Manager installation with LDAP Sync:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2].
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle JRF 11.1.1.0 [Oracle_Common], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Target deployments and services to servers or clusters.
Optional: Configure JMS File Store, as required.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Identity Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Identity Manager is extended to support Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Identity Manager is configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Access Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
Managed Servers for Oracle Access Manager and Oracle Identity Manager
Oracle Access Manager Console on the existing Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Access Manager in an existing Oracle Identity Manager installation that has LDAP Sync set up:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM1>/bin/config.sh script on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat script to start the wizard.
On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.
Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.
Follow the wizard, provide the necessary input, and configure the domain.
A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.
Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.
Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option and the Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1] option are also selected, by default.
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management 11.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Internet Directory, and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Internet Directory, and Oracle Virtual Directory is extended to support Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
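Before issuing the createUserIdentityStore call above (the same step appears in the previous scenario), a pre-flight script can catch the mistakes the note warns about: <oid host>/<oid port> placeholders left in place, user and group search bases in different DITs, a bind password typed into shell or WLST history, and a roleSecAdmin group that does not exist under groupSearchBase. This is an added example, not Oracle's code; it assumes it is run as a WLST script (wlst.sh preflight_idstore.py URL PWFILE, so Jython 2.2 syntax only), that the JVM's JNDI LDAP provider is available for the live group check, and the script name, file path and function names are the example's own.

```python
# Pre-flight helper for the createUserIdentityStore step (added example, not Oracle's code).
import os
import stat
import sys

# Values from the guide's example call; ldapUrl and credential are supplied at run time.
DEFAULTS = {"name": "OAMOIDIdStoreForOIM", "principal": "cn=orcladmin", "type": "LDAP",
            "userAttr": "uid", "ldapProvider": "OID", "roleSecAdmin": "OAMAdministrators",
            "userSearchBase": "cn=Users,dc=us,dc=oracle,dc=com",
            "groupSearchBase": "cn=Groups,dc=us,dc=oracle,dc=com",
            "isPrimary": "true", "userIDProvider": "OracleUserRoleAPI"}

def build_args(ldap_url):
    """Keyword arguments for createUserIdentityStore, minus the credential."""
    args = dict(DEFAULTS)
    args["ldapUrl"] = ldap_url
    return args

def ldap_host_port(url):
    """(host, port) from ldap://host:port or ldaps://host:port, else None (no IPv6 literals)."""
    for prefix in ("ldaps://", "ldap://"):
        if url.startswith(prefix):
            parts = url[len(prefix):].split(":")
            if len(parts) == 2 and parts[0] and "/" not in parts[0] and parts[1].isdigit() \
                    and 0 < int(parts[1]) < 65536:
                return (parts[0], int(parts[1]))
    return None

def dc_suffix(dn):
    """Domain components of a DN (cn=Users,dc=us,dc=oracle,dc=com -> ['us', 'oracle', 'com']);
    None if any RDN is not attr=value. Assumes no escaped commas, as in the guide's bases."""
    dcs = []
    for part in dn.split(","):
        pair = part.split("=", 1)
        if len(pair) != 2 or not pair[0].strip() or not pair[1].strip():
            return None
        if pair[0].strip().lower() == "dc":
            dcs.append(pair[1].strip())
    return dcs

def validate_args(args):
    """Return a list of problems; an empty list means the call is ready to issue."""
    problems = []
    for key, value in args.items():
        if "<" in value or ">" in value:
            problems.append("%s still contains a <placeholder>: %s" % (key, value))
    if ldap_host_port(args.get("ldapUrl", "")) is None:
        problems.append("ldapUrl must look like ldap://host:port or ldaps://host:port")
    if dc_suffix(args.get("principal", "")) is None:
        problems.append("principal must be a bind DN such as cn=orcladmin")
    users = dc_suffix(args.get("userSearchBase", ""))
    groups = dc_suffix(args.get("groupSearchBase", ""))
    if users is None or groups is None:
        problems.append("userSearchBase and groupSearchBase must both be DNs")
    elif users != groups:
        problems.append("userSearchBase and groupSearchBase are in different DITs")
    return problems

def read_credential(path):
    """Bind password from an owner-only file, never typed into history (mode bits are approximate on Jython 2.2)."""
    if stat.S_IMODE(os.stat(path)[stat.ST_MODE]) & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError("%s is readable by group or others; chmod 600 it" % path)
    handle = open(path)
    credential = handle.read().strip()
    handle.close()
    if not credential:
        raise ValueError("%s is empty" % path)
    return credential

def group_exists(args, credential):
    """Live check that the roleSecAdmin group is under groupSearchBase via JNDI (WLST's JVM only)."""
    from java.util import Hashtable
    from javax.naming import Context
    from javax.naming.directory import InitialDirContext, SearchControls
    env = Hashtable()
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
    env.put(Context.PROVIDER_URL, args["ldapUrl"])
    env.put(Context.SECURITY_AUTHENTICATION, "simple")
    env.put(Context.SECURITY_PRINCIPAL, args["principal"])
    env.put(Context.SECURITY_CREDENTIALS, credential)
    ctx = InitialDirContext(env)
    try:
        controls = SearchControls()
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE)
        # escape RFC 4515 special characters before the group name enters a search filter
        name = args["roleSecAdmin"].replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29")
        return ctx.search(args["groupSearchBase"], "(cn=%s)" % name, controls).hasMore()
    finally:
        ctx.close()

if __name__ == "__main__":  # assumed invocation: wlst.sh preflight_idstore.py ldap://oidhost:3060 /secure/oid_bind.pw
    if len(sys.argv) != 3:
        sys.exit("usage: wlst.sh preflight_idstore.py ldap://HOST:PORT BIND_PW_FILE")
    store_args = build_args(sys.argv[1])
    errors = validate_args(store_args)
    if errors:
        sys.exit("\n".join(errors))
    bind_pw = read_credential(sys.argv[2])
    if not group_exists(store_args, bind_pw):
        sys.exit("group %s not found under %s; create it first, or name a user in roleSecAdmin" % (store_args["roleSecAdmin"], store_args["groupSearchBase"]))
    store_args["credential"] = bind_pw
    connect()  # WLST built-in; prompts for the WebLogic admin user, password and URL
    createUserIdentityStore(**store_args)  # the guide's command, now with validated arguments
```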
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Server, as described in Configuring OIM Design Console, and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Identity Manager is configured in the existing Oracle Identity Management domain containing Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator. This domain is extended to support Oracle Access Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Access Manager in an existing Oracle Identity Manager installation with LDAP Sync:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected, by default.
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.
A new WebLogic domain to support Oracle Authorization Policy Manager, Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (<Oracle_IDM2>\common\bin\config.cmd on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the OAM Infrastructure Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator is extended to support Oracle Access Manager.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section describes how to add Oracle Adaptive Access Manager to an existing Oracle Access Manager and Oracle Identity Manager (OIM) installation that has LDAP Sync configured. It also describes how to configure Oracle Access Manager to use Oracle Internet Directory (OID) as its LDAP provider.
It contains the following sections:
Scenario 2: Configuration in a Domain Containing OID and OVD
Scenario 3: Configuration in a Domain Containing OAAM, OAPM, and OIN
In this section, you perform the following tasks:
Install and configure Oracle Internet Directory and Oracle Virtual Directory
Install and configure Oracle Identity Manager and Oracle Access Manager
Configure Oracle Access Manager to use Oracle Internet Directory as the LDAP provider
Set up LDAP Sync for Oracle Identity Manager
Configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager
The following are the prerequisites for installing and configuring Oracle Adaptive Access Manager in an existing Oracle Access Manager and Oracle Identity Manager installation with LDAP Sync:
Install a supported version of Oracle Database, as described in Installing Oracle Database.
Create and load database schemas, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Install Oracle WebLogic Server 10.3.3 and create a Middleware Home, as described in Installing Oracle WebLogic Server 10.3.3 and Creating the Oracle Middleware Home.
Ensure that the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) is installed, as described in Installing OID, OVD, ODSM, ODIP, and OIF (11.1.1.5.0).
An IDM_Home directory, such as Oracle_IDM1, is created. This directory is the Oracle Home for Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), and Oracle Directory Services Manager (ODSM).
Configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in a WebLogic administration domain, as described in OID and OVD with ODSM in a New WebLogic Domain.
Install the Oracle Identity Management 11g Release 1 (11.1.1) suite containing Oracle Identity Manager (OIM), Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle Authorization Policy Manager (OAPM), and Oracle Identity Navigator (OIN), as described in Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0).
An IDM_Home directory, such as Oracle_IDM2, is created. This directory is the Oracle Home for Oracle Identity Manager (OIM) and Oracle Access Manager (OAM).
Note:
It is assumed that you are installing and configuring Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Access Manager (OAM) on the same machine. Therefore, two distinct IDM_Home directories are mentioned in this chapter.
Install the latest version of Oracle SOA Suite under the same Middleware Home, and patch the Oracle SOA Suite to the latest version, as described in Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Identity Manager and Oracle Access Manager are configured in a new WebLogic domain, which is extended to support Oracle Adaptive Access Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
A WebLogic Administration Server
Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Adaptive Access Manager in an existing Oracle Access Manager and Oracle Identity Manager installation with LDAP Sync:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script on UNIX (or the <Oracle_IDM2>\common\bin\config.cmd script on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2].
Select Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2].
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected, by default: Oracle JRF 11.1.1.0 [Oracle_Common], Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.0 [Oracle_SOA1].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode on the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, the OAM Infrastructure Schema, or the OIM Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Target deployments and services to servers or clusters.
Optional: Configure JMS File Store, as required.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
A new WebLogic domain to support Oracle Identity Manager and Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows), by default. On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory, by default.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager and Oracle Access Manager. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OIM MDS Schema, the OWSM MDS Schema, the SOA MDS Schema, or the OIM Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Identity Manager and Oracle Access Manager is extended to support Oracle Adaptive Access Manager.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and to configure Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Identity Manager and Oracle Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Internet Directory and Oracle Virtual Directory. This domain is extended to support Oracle Adaptive Access Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.
Performing this configuration deploys the following:
Managed Servers for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Adaptive Access Manager in an existing Oracle Identity Management installation, which has Oracle Internet Directory, Oracle Access Manager, Oracle Identity Manager, and Oracle Virtual Directory configured:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM1>/bin/config.sh script on UNIX operating systems to start the Oracle Identity Management Configuration Wizard. On Windows, run the <Oracle_IDM1>\bin\config.bat script to start the wizard.
On the Select Domain screen, select the Create New Domain option. Set the Administrator user name and password, as required.
Ensure that you select Oracle Internet Directory and Oracle Virtual Directory on the Configure Components screen.
Follow the wizard, provide the necessary input, and configure the domain.
A new WebLogic domain to support Oracle Internet Directory and Oracle Virtual Directory is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.
Ensure that your Oracle database version is supported and you have installed the necessary patches. For more information, see Installing Oracle Database.
Ensure that any appropriate schemas required by Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager are created and loaded, as described in Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Ensure that the Oracle Identity Management 11g software is installed. Refer to Installing OIM, OAM, OAAM, OAPM, and OIN (11.1.1.3.0) for more information. A new Oracle Home for Oracle Identity Management, such as Oracle_IDM2, is created under the Middleware Home directory.
Ensure that the latest version of Oracle SOA Suite is installed under the same Middleware Home. Refer to Installing the Latest Version of Oracle SOA Suite (Oracle Identity Manager Users Only) for more information.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management 11.1.1.3.0 domain in which you configured Oracle Internet Directory and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] option and the Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1] option are also selected, by default.
After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OAM Infrastructure Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management 11.1.1.3.0 domain with Oracle Internet Directory and Oracle Virtual Directory is extended to support Oracle Identity Manager and Oracle Access Manager.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM",principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com" ,ldapUrl="ldap://<oid host>:<oid port>" ,isPrimary="true" ,userIDProvider="OracleUserRoleAPI" , groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify the user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
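The same createUserIdentityStore call and note appear in each of the three scenarios above. The following added example (not Oracle's code) is a plain-Python preflight that checks the call's parameters against an LDIF export of the OID tree before the command is typed at the WLST prompt, covering the conditions the note states: the roleSecAdmin group under groupSearchBase, the login attribute on user entries, and leftover sample values. The LDIF entries and the host name in the test values are constructed and hypothetical.

```python
"""Preflight for the createUserIdentityStore call above (added example, not
Oracle's code): checks the parameters against an LDIF export of the OID tree
so the conditions in the note are verified before the WLST command runs."""
import re

# Parameters exactly as in the documented example; ldapUrl keeps the
# documentation placeholder so that the check below reports it.
IDSTORE_PARAMS = {
    "name": "OAMOIDIdStoreForOIM",
    "principal": "cn=orcladmin",
    "credential": "welcome1",
    "type": "LDAP",
    "userAttr": "uid",
    "ldapProvider": "OID",
    "roleSecAdmin": "OAMAdministrators",
    "userSearchBase": "cn=Users,dc=us,dc=oracle,dc=com",
    "ldapUrl": "ldap://<oid host>:<oid port>",
    "isPrimary": "true",
    "userIDProvider": "OracleUserRoleAPI",
    "groupSearchBase": "cn=Groups,dc=us,dc=oracle,dc=com",
}

# Constructed LDIF (hypothetical entries) standing in for an ldapsearch
# export of dc=us,dc=oracle,dc=com taken from the OID instance.
SAMPLE_LDIF = """\
dn: cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com
objectclass: inetOrgPerson
cn: oamadmin
uid: oamadmin

dn: cn=OAMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com
objectclass: groupOfUniqueNames
cn: OAMAdministrators
uniquemember: cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com
"""


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around RDN separators (escaped
    commas inside values are not handled; the sample DNs have none)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(dn, base):
    """True when dn equals base or lies below it in the DIT."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def parse_ldif(text):
    """Return {normalized_dn: {attr_lowercase: [values]}} from LDIF text."""
    entries, attrs, dn = {}, {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries[normalize_dn(dn)] = attrs
            attrs, dn = {}, None
        elif ":" in line:                   # comments and folding not handled
            name, value = line.split(":", 1)
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return entries


def preflight(params, ldif_text):
    """Return a list of problems; an empty list means the call can proceed."""
    entries = parse_ldif(ldif_text)
    problems = []
    if re.search(r"<[^>]+>", params["ldapUrl"]):
        problems.append("ldapUrl still contains a placeholder: " + params["ldapUrl"])
    elif params["ldapUrl"].lower().startswith("ldap://"):
        problems.append("ldapUrl is plain ldap://; the bind password for "
                        + params["principal"] + " crosses the network unencrypted")
    if params["credential"] == "welcome1":
        problems.append("credential is the documentation sample value welcome1")
    user_attr = params["userAttr"].lower()
    users = [dn for dn, a in entries.items()
             if is_under(dn, params["userSearchBase"])
             and "inetorgperson" in [v.lower() for v in a.get("objectclass", [])]]
    lacking = [dn for dn in users if user_attr not in entries[dn]]
    if lacking:
        problems.append("%d user entries lack the login attribute %s"
                        % (len(lacking), params["userAttr"]))
    # Per the note: the roleSecAdmin group must exist under groupSearchBase;
    # otherwise only one named user can be granted OAM console access.
    wanted, base = params["roleSecAdmin"].lower(), params["groupSearchBase"]
    groups = [dn for dn, a in entries.items() if is_under(dn, base)
              and wanted in [v.lower() for v in a.get("cn", [])]]
    if not groups:
        single = [dn for dn in users
                  if wanted in [v.lower() for v in entries[dn].get(user_attr, [])]]
        if single:
            problems.append("roleSecAdmin %s is a user, not a group: only that "
                            "one account gets OAM console access" % params["roleSecAdmin"])
        else:
            problems.append("roleSecAdmin %s matches no group under %s and no user "
                            "under %s" % (params["roleSecAdmin"], base, params["userSearchBase"]))
    return problems


if __name__ == "__main__":
    # With an empty result, run at the WLST prompt after connect():
    #   createUserIdentityStore(**IDSTORE_PARAMS)
    for problem in preflight(IDSTORE_PARAMS, SAMPLE_LDIF):
        print("BLOCKING: " + problem)
```

Run as-is against the sample it reports the placeholder URL and the sample password; with those replaced it returns an empty list, and switching roleSecAdmin to a user name reports the single-user fallback the note describes.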
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Internet Directory, Oracle Access Manager, and Oracle Virtual Directory. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2] option is also selected, by default.
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the SOA Infrastructure Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OAM Infrastructure Schema, the User Messaging Service Schema, the OIM MDS Schema, the OWSM MDS Schema, the OIM Schema, or the SOA MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify that the machine or host name is reachable.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Access Manager, Oracle Internet Directory, and Oracle Virtual Directory is extended to support Oracle Adaptive Access Manager.
Restart the Administration Server, as described in Restarting Servers.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).
This section discusses the following topics:
Perform configuration in this section for Oracle Identity Management environments that have the following conditions:
Oracle Internet Directory, Oracle Virtual Directory, Oracle Adaptive Access Manager, Oracle Access Manager, and Oracle Identity Manager are installed on the same machine.
Oracle Identity Manager and Oracle Access Manager are configured in the existing Oracle Identity Management domain containing Oracle Authorization Policy Manager, and Oracle Identity Navigator. This domain is extended to support Oracle Adaptive Access Manager at a later time.
Oracle Access Manager is configured to use Oracle Internet Directory as the LDAP provider after configuring LDAP Sync for Oracle Identity Manager.
Performing the configuration in this section deploys the following:
Managed Servers for Oracle Identity Manager, Oracle Adaptive Access Manager, and Oracle Access Manager
Oracle Identity Administration Console, Oracle Identity Manager Self Service Console, and Oracle Identity Manager Advanced Administration Console on the Oracle Identity Manager Managed Server
Oracle Access Manager Console and Oracle Adaptive Access Manager Console on the existing Administration Server
The configuration in this section depends on the following:
Oracle WebLogic Server.
Installation and configuration of Oracle Internet Directory and Oracle Virtual Directory.
Installation of the Oracle Identity Management 11g software.
Installation of the latest version of Oracle SOA Suite (required by Oracle Identity Manager).
Database schemas for Oracle Identity Manager, Oracle SOA Suite, Oracle Adaptive Access Manager, and Oracle Access Manager. For more information, see Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU).
Perform the following steps to configure Oracle Adaptive Access Manager in an existing Oracle Identity Management installation, which has Oracle Identity Manager with LDAP Sync, Oracle Access Manager, Oracle Authorization Policy Manager, and Oracle Identity Navigator:
Ensure that all the prerequisites, listed in Prerequisites, are satisfied. In addition, see Important Notes Before You Begin.
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen is displayed.
On the Select Domain Source screen, select the following domain configuration options:
Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2]
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2]
Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2]
Oracle Identity Navigator - 11.1.1.3.0 [Oracle_IDM2]
Note:
When you select the Oracle Authorization Policy Manager - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected by default.
When you select the Oracle Identity Manager - 11.1.1.3.0 [Oracle_IDM2] option, the following options are also selected by default: Oracle Enterprise Manager - 11.1.1.0 [oracle_common], Oracle WSM Policy Manager - 11.1.1.0 [oracle_common], and Oracle SOA Suite - 11.1.1.3.0 [Oracle_SOA1].
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.
Choose JRockit SDK 160_17_R28.0.0-679 and Production Mode on the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OAM Infrastructure Schema, the OIM MDS Schema, the OIM Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Administration Server, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Select the relevant check boxes and click Next.
Optional: Configure Administration Server, as required.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify that the machine or host name is reachable.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain. After the domain configuration is complete, click Done to dismiss the wizard.
A new WebLogic domain to support Oracle Authorization Policy Manager, Oracle Identity Manager, Oracle Access Manager, and Oracle Identity Navigator is created. By default, the domain is created in the <MW_HOME>\user_projects\domains directory on Windows and in the <MW_HOME>/user_projects/domains directory on UNIX.
Set up LDAP Synchronization for Oracle Identity Manager, as described in Setting Up LDAP Synchronization.
Verify LDAP Synchronization, as described in Verifying the LDAP Synchronization.
Start the WebLogic Administration Server and Managed Servers (Oracle Identity Manager and Oracle Access Manager), as described in Starting the Stack.
Configure Oracle Access Manager (OAM) to use Oracle Internet Directory (OID) as an LDAP provider by running the createUserIdentityStore WLST command:
On the command line, use the cd command to move from your present working directory to the Oracle_IDM2/common/bin directory. Oracle_IDM2 is the IDM_Home for Oracle Identity Manager and Oracle Access Manager.
Launch the WebLogic Scripting Tool (WLST) interface as follows:
On UNIX: Run ./wlst.sh on the command line.
On Windows: Run wlst.cmd on the command line.
At the WLST command prompt (wls:/offline>), type the following:
connect()
You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Run the createUserIdentityStore WLST command, as in the following example:
createUserIdentityStore(name="OAMOIDIdStoreForOIM", principal="cn=orcladmin", credential="welcome1", type="LDAP", userAttr="uid", ldapProvider="OID", roleSecAdmin="OAMAdministrators", userSearchBase="cn=Users,dc=us,dc=oracle,dc=com", ldapUrl="ldap://<oid host>:<oid port>", isPrimary="true", userIDProvider="OracleUserRoleAPI", groupSearchBase="cn=Groups,dc=us,dc=oracle,dc=com")
Note:
Users that are members of the group specified in the roleSecAdmin attribute are allowed access to the Oracle Access Manager Administration Console. This group must exist under the Directory Information Tree (DIT) specified in the groupSearchBase attribute. If the group is not available, you can specify a user name, such as orcladmin, who will have access to the Oracle Access Manager Administration Console. Note that only the user specified in this attribute will then have access to the Oracle Access Manager Administration Console.
Alternatively, you can use the Oracle Access Manager Administration Console, deployed on the Administration Server, to configure Oracle Internet Directory as an LDAP provider for Oracle Access Manager. For more information, see the "Managing User-Identity Store and OAM Administrator Registrations" topic in the guide Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
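The following pre-flight check is an added example, not code from the Oracle guide: it validates a createUserIdentityStore() parameter set before it is typed into WLST, flagging unreplaced <oid host>/<oid port> placeholders, a non-TLS ldap:// URL, the documentation default credential, and a roleSecAdmin DN that lies outside the groupSearchBase DIT (the condition the note above warns about). The EXAMPLE_PARAMS dictionary and the host names used with it are constructed from the guide's example; the check is string-only and opens no LDAP connection.

```python
"""Pre-flight check for an OAM createUserIdentityStore() parameter set.
Added example, not from the Oracle guide: validates the keyword arguments
before they are pasted into WLST. String checks only; no LDAP connection.
"""
import re

# Parameter set from the guide's example with the host/port placeholders
# still unreplaced (constructed input for this check).
EXAMPLE_PARAMS = {
    "name": "OAMOIDIdStoreForOIM",
    "principal": "cn=orcladmin",
    "credential": "welcome1",
    "type": "LDAP",
    "userAttr": "uid",
    "ldapProvider": "OID",
    "roleSecAdmin": "OAMAdministrators",
    "userSearchBase": "cn=Users,dc=us,dc=oracle,dc=com",
    "ldapUrl": "ldap://<oid host>:<oid port>",
    "isPrimary": "true",
    "userIDProvider": "OracleUserRoleAPI",
    "groupSearchBase": "cn=Groups,dc=us,dc=oracle,dc=com",
}

_DN_RE = re.compile(r"^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$")
_URL_RE = re.compile(r"^(ldaps?)://([^:/<>\s]+):(\d{1,5})$")

def dn_parts(dn):
    """Split a simple DN into lowercase (attribute, value) tuples."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def check_identity_store_params(params):
    """Return a list of findings; an empty list means the parameter set is clean."""
    findings = []
    for key in ("userSearchBase", "groupSearchBase"):
        if not _DN_RE.match(params.get(key, "")):
            findings.append(f"{key} is not a well-formed DN")
    m = _URL_RE.match(params.get("ldapUrl", ""))
    if not m:
        findings.append("ldapUrl still contains a placeholder or is malformed")
    elif m.group(1) == "ldap":
        findings.append("ldapUrl uses ldap:// (no TLS); the bind credential is sent in cleartext")
    # roleSecAdmin may be a bare group name or a full DN. A DN must lie under
    # groupSearchBase, or OAM will not find the group (see the note above).
    admin, base = params.get("roleSecAdmin", ""), params.get("groupSearchBase", "")
    if _DN_RE.match(admin) and _DN_RE.match(base):
        if dn_parts(admin)[-len(dn_parts(base)):] != dn_parts(base):
            findings.append("roleSecAdmin DN is outside groupSearchBase")
    if params.get("credential") in ("welcome1", "", None):
        findings.append("credential is empty or the documentation default")
    return findings

def render_wlst_call(params):
    """Render the WLST invocation with one consistent argument layout."""
    return "createUserIdentityStore(%s)" % ", ".join(f'{k}="{v}"' for k, v in params.items())
```

Run check_identity_store_params() on the filled-in dictionary and paste the output of render_wlst_call() into WLST only when it returns no findings.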
Run the <Oracle_IDM2>/common/bin/config.sh script (on UNIX) or the <Oracle_IDM2>\common\bin\config.cmd script (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.
On the Select a WebLogic Domain Directory screen, select the Oracle Identity Management domain in which you configured Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Access Manager, and Oracle Identity Navigator. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the following domain configuration options:
Oracle Adaptive Access Manager Admin Server - 11.1.1.3.0 [Oracle_IDM2]
After selecting the domain configuration options, click Next. The Specify Domain Name and Location screen is displayed.
On the Specify Domain Name and Location screen, select a location to store the applications in the domain. Click Next. The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select a component schema, such as the APM Schema, the OAM Infrastructure Schema, the SOA Infrastructure Schema, the SOA MDS Schema, the OIM MDS Schema, the OIM Schema, the OAAM Admin Schema, the OAAM Admin MDS Schema, the OWSM MDS Schema, the User Messaging Service Schema, or the APM MDS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines, Deployments and Services, and JMS File Store. Select the relevant check boxes and click Next.
Optional: Configure Managed Servers, as required.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to Clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping command to verify that the machine or host name is reachable.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure JMS File Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Management domain with Oracle Identity Manager, Oracle Authorization Policy Manager, Oracle Access Manager, and Oracle Identity Navigator is extended to support Oracle Adaptive Access Manager.
Start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.
Configure Oracle Identity Manager Server, as described in Configuring OIM Server. When configuring Oracle Identity Manager Server, ensure that you select the Enable LDAP Sync option on the LDAP Sync and OAM Screen in the Oracle Identity Manager Configuration Wizard.
Follow the wizard and the steps described in Configuring OIM Server to complete the Oracle Identity Manager Server configuration. Similarly, follow the wizard to configure Oracle Identity Manager Design Console (Windows only) and Oracle Identity Manager Remote Manager, as described in Configuring OIM Design Console and Configuring OIM Remote Manager.
Note:
If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only).