Dec 27 15

Installing and Configuring Oracle Identity Manager R2 PS3

Tamim Khan

This article describes the step-by-step installation of Oracle Identity Manager 11g R2 PS3. It assumes that all environment settings have already been configured according to Oracle best practice.

Make sure that the database parameters below are set to the given values:

AL32UTF8 (Unicode) as the database character set.
SHARED_POOL_SIZE is greater than or equal to 147456KB.
SGA_MAX_SIZE is greater than or equal to 4294967296.
DB_BLOCK_SIZE is greater than or equal to 8KB
OPEN_CURSORS = 1600
PROCESSES=500

1.    DOWNLOAD INSTALLATION MEDIA

Download URL of Oracle Identity and Access Management 11g R2 PS3 and Oracle Fusion Middleware Repository Creation Utility 11g (11.1.1.9.0):
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html

2.    SET ENVIRONMENT VARIABLE FOR ORACLE USER

#Host
export ORACLE_HOSTNAME=iamr2ps3.tigeritbd.com

#WebLogic
export APP_SERVER=weblogic
export MW_HOME=/oracle/Middleware
export WL_HOME=$MW_HOME/wlserver_10.3
export WLS_HOME=$WL_HOME/server
export ANT_HOME=$MW_HOME/modules/org.apache.ant_1.7.1
export OIM_DOMAIN_HOME=$MW_HOME/user_projects/domains/IAMGovernanceDomain

#Java
export JAVA_VENDOR=ORACLE-JDK
export JAVA_HOME=/usr/java/jdk1.7.0_79

#SOA
export SOA_ORACLE_HOME=$MW_HOME/soa_home

#ORACLE IAM
export IAM_ORACLE_HOME=$MW_HOME/iam_home
export IAM_HOME=$IAM_ORACLE_HOME
# OIM_ORACLE_HOME is the same Oracle home; the three variables below depend on it
export OIM_ORACLE_HOME=$IAM_ORACLE_HOME
export XL_HOME=$OIM_ORACLE_HOME/server
export DC_HOME=$OIM_ORACLE_HOME/designconsole
export RM_HOME=$OIM_ORACLE_HOME/remote_manager

#ORACLE COMMON HOME
export COMMON_ORACLE_HOME=$MW_HOME/oracle_common/common

#LOG File 
export OIM_LOG_DIR=$OIM_DOMAIN_HOME/servers/oim_server1/logs
export SOA_LOG_DIR=$OIM_DOMAIN_HOME/servers/soa_server1/logs

#Library
export PATH=$PATH:$ORACLE_HOME/bin:$SOA_ORACLE_HOME/bin:$IAM_ORACLE_HOME/bin:$ANT_HOME/bin:/sbin:/bin:/usr/sbin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$SOA_ORACLE_HOME/lib:$IAM_ORACLE_HOME/lib:/lib:/usr/lib
export CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib

3.    INSTALL A CERTIFIED JDK

1.    Make sure that execute permissions are set.
2.    Run this command as the root user: rpm -ivh jdk-7u79-linux-x64.rpm
3.    Check the Java version with java -version and confirm which binary is in use with which java.

4.    MODIFY THE DATABASE SYSTEM PARAMETERS

Before running RCU, modify the database system parameters.

sqlplus / as sysdba
alter system set processes=500 scope=spfile;
alter system set open_cursors=1600 scope=spfile;
alter system set session_cached_cursors=500 scope=spfile;
alter system set session_max_open_files=50 scope=spfile;
alter system set aq_tm_processes=1 scope=spfile;
alter system set job_queue_processes=10 scope=spfile;
ALTER SYSTEM SET sga_max_size = 4294967296 scope=spfile;
shutdown immediate;
startup;

5.    CREATING DATABASE SCHEMA USING THE RCU

To create database schemas for Oracle Identity and Access Management 11g Release 2 PS3 (11.1.2.3.0) components, you must use the 11g Release 2 (11.1.2.3.0) version of the Oracle Fusion Middleware Repository Creation Utility.

unzip ofm_rcu_linux_11.1.1.9.0_64_disk1_1of1.zip
Run "sh rcu" from rcuHome/bin
  1. Welcome: Click Next.
  2. Create Repository: Select Create and click Next.
  3. Database Connection Details: Provide the database connection information.
  4. Repository Creation Utility – Checking Prerequisites: If you are not using Oracle Database Enterprise Edition you will have to ignore a warning message.
  5. Select Components: In our environment we use the prefix "OIM"; select "Oracle Identity Manager". The following components are required for OIM.

      Oracle AS Repository Components

  • AS Common Services
    • Metadata Services
    • Oracle Platform Security Service
  • Oracle Identity Manager
    • Identity Management
  • Oracle Business Intelligence
    • Oracle Business Intelligence Platform
  • SOA and BPM Infrastructure
    • SOA Infrastructure
    • User Messaging Service

N.B.: Select only Oracle Identity Manager; all required components will be selected automatically.

6. Repository Creation Utility – Checking Prerequisites:

7. Schema Passwords: In our case we use one password for all schemas.

8. Map Tablespaces: Click Next.

9. Repository Creation Utility – Creating Tablespaces

10. Summary: Click Next.

11. Completion Summary: Click Close.

Alter the DEFAULT profile so that the password lifetime is unlimited. Note that this applies to every database account that uses the DEFAULT profile, not only the OIM schemas; if other accounts share that profile, a dedicated profile for the OIM schemas limits the change to them.

SELECT USERNAME, PROFILE FROM DBA_USERS WHERE USERNAME LIKE 'OIM%';

SELECT resource_name, limit
FROM  dba_profiles
WHERE profile='DEFAULT'
  AND resource_type='PASSWORD';
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

6. Install WebLogic Server

Assuming WebLogic Server was installed in /oracle/Middleware during the OUD installation; if not, follow the steps in the previous article, Installing and Configuring Oracle Unified Directory 11g.

7. Install Oracle SOA Suite

Install certified Oracle SOA Suite 11g Release 1 (11.1.1.9.0)

Download V75849-01_1of2.zip and V75849-01_2of2.zip from https://edelivery.oracle.com

Then unzip the package, change to Disk1 and run the installer:

$ ./runInstaller -jreloc $JAVA_HOME

Welcome

Install Software Updates: Select Skip Software Updates and then click Next.

Prerequisite Checks: Make sure all checks pass.

Specify Installation Location: Middleware Home is /oracle/Middleware and the SOA Home directory is soa_home, as set in the environment variables.

Application Server: Select WebLogic Server and click Next.

Installation Summary:

Installation Progress:

Installation Complete:

8. Install Oracle Identity Manager 11g R2 PS3

Package names (unzip all three):
ofm_iam_generic_11.1.2.3.0_disk1_1of3.zip
ofm_iam_generic_11.1.2.3.0_disk1_2of3.zip
ofm_iam_generic_11.1.2.3.0_disk1_3of3.zip

$ ./runInstaller -jreloc $JAVA_HOME
Starting Oracle Universal Installer...

Checking if CPU speed is above 300 MHz.    Actual 2394 MHz    Passed
Checking Temp space: must be greater than 150 MB.   Actual 70200 MB    Passed
Checking swap space: must be greater than 512 MB.   Actual 15404 MB    Passed
Checking monitor: must be configured to display at least 256 colors.    Actual 16777216    Passed

Welcome:

Install Software Updates:

Prerequisite Checks:

Specify Installation Location:

Installation Summary:

Installation Progress:

Installation Complete:

9. Create an IAM Governance Domain

Run the configuration wizard from the following location:

$MW_HOME/oracle_common/common/bin/config.sh

Welcome: Select "Create a New WebLogic domain" and click Next.

Select Domain Source: Select only "Oracle Identity Manager"; the rest of the required components will be selected automatically.

Specify Domain Name and Location: In our case we use IAMGovernanceDomain as the domain name.

Configure Administrator User Name and Password: Enter the user name weblogic and a password.

Note: Do not change the user name "weblogic".

Configure Server Start Mode and JDK:

Configure JDBC Component Schema: Provide the DB host name, SID and TNS port, and do not forget to change the schema prefix to match the one used in RCU.

Test JDBC Component Schema: Make sure every test shows a successful status.

Select Optional Configuration: Select Administration Server to change the admin server port if required.

Configure the Administration Server: As OUD/OAM already use 7001 and 7002, change the listen ports to 7003 and 7004.

Configure Managed Servers:

Configure Cluster:

Assign Servers to Machines:

Configuration Summary: Click Create to start the domain creation process.

Creating Domain: After the domain has been created successfully, click Done to exit the WebLogic domain creation utility.

10. Configuring Database Security Store for an OIM Domain

Ensure the MW_HOME and IAM_HOME environment variables are set as below.

export MW_HOME=/oracle/Middleware
export IAM_HOME=/oracle/Middleware/iam_home

Then call the configureSecurityStore.py script with the following parameters:
-d domaindir: Location of the directory containing the domain.
-c configmode: The configuration mode of the domain. When configuring the Database Security Store this value must be IAM.
-p password: The OPSS schema password.
-m mode: create. Use create to create a new database security store.

The full command looks like this:

$MW_HOME/oracle_common/common/bin/wlst.sh \
$IAM_HOME/common/tools/configureSecurityStore.py \
-d $MW_HOME/user_projects/domains/IAMGovernanceDomain -c IAM -p Tigerit1 -m create

After successful execution, "Info: Create operation has completed successfully" is shown.

Validate the Database Security Store:

$MW_HOME/oracle_common/common/bin/wlst.sh \
$IAM_HOME/common/tools/configureSecurityStore.py -d \
$MW_HOME/user_projects/domains/IAMGovernanceDomain -m validate

11. Start Weblogic Admin Server and SOA Server

  • Start the WebLogic Admin Server
  $ $OIM_DOMAIN_HOME/bin/startWebLogic.sh
  • Before starting the SOA server, perform the following steps (one-time task)
  $ cd $OIM_DOMAIN_HOME/servers
  $ mkdir -p soa_server1/security
  $ cp AdminServer/security/boot.properties soa_server1/security/
  • Start the SOA Server
  $ $OIM_DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1

Wait until the Admin Server and SOA Server are in RUNNING mode.

12. Configuring Oracle Identity and Access Management Products

Run $IAM_ORACLE_HOME/bin/config.sh and step through the following screens:

Welcome

Component to Configure:

Database:

Weblogic Admin Server:

OIM Server:

OIM Server Host and Port

Remote Manager

Configuration Summary

Configuration Progress

Configuration Complete

13. Start OIM Server

Before starting the OIM managed server, copy boot.properties from the Admin Server to the OIM managed server so that you are not prompted for the user name and password every time the managed server starts.

$ cd $OIM_DOMAIN_HOME/servers
$ mkdir -p oim_server1/security
$ cp AdminServer/security/boot.properties oim_server1/security/

Start OIM Server

$OIM_DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1

Wait until the OIM Server is in RUNNING mode.

IAM R2 PS3 ships with an integrated BI Publisher.

14. Start BI Server

Before starting the BI managed server, copy boot.properties from the Admin Server to the BI managed server so that you are not prompted for the user name and password every time the managed server starts.

$ cd $OIM_DOMAIN_HOME/servers
$ mkdir -p bi_server1/security
$ cp AdminServer/security/boot.properties bi_server1/security/

Start BI Server

$OIM_DOMAIN_HOME/bin/startManagedWebLogic.sh bi_server1

Wait until the BI Server is in RUNNING mode.

15. Verify Weblogic and SOA Web Console

Weblogic Admin Console

URL: http://<hostname>:7003/console/
Log in as the weblogic user, which is the WebLogic admin user of this domain.

Weblogic Enterprise Manager

URL: http://<hostname>:7003/em

SOA infrastructure

URL: http://<hostname>:8001/soa-infra/

SOA Composer

URL: http://<hostname>:8001/soa/composer/faces/home

16. Verify OIM Web Console

URL: http://<hostname>:14000/oim

OIM self-service, OIM Password Management and the OIM Self Service Home page are reached from this URL.

OIM System Administration Console

URL: http://<hostname>:14000/sysadmin/

17. Verify BI Web Console

URL: http://<hostname>:9704/xmlpserver

18. POST INSTALLATION TASK FOR OIM

Create wlfullclient.jar

  1. Change to the server/lib directory.
  $ cd $WL_HOME/server/lib
  2. Use the following command to create wlfullclient.jar in the server/lib directory:
  $ java -jar wljarbuilder.jar
  3. Copy the wlfullclient.jar file into $IAM_ORACLE_HOME/designconsole/ext/
     $ cp $WL_HOME/server/lib/wlfullclient.jar $IAM_ORACLE_HOME/designconsole/ext/
  4. Run the Design Console
     cd $IAM_ORACLE_HOME/designconsole/
     sh xlclient.sh

Dec 27 15

Installing and Configuring Oracle Access Manager R2 (11.1.2.3.0) PS3

Tamim Khan

1. INTRODUCTION

This document describes the step-by-step installation of Oracle Access Manager 11g R2 PS3. It assumes that all environment settings have been configured according to Oracle best practice, and that OUD is already installed and configured as described in the previous document.

Make sure that the database parameters below are set to the given values:

 AL32UTF8 (Unicode) as the database character set.
 SHARED_POOL_SIZE is greater than or equal to 147456KB.
 SGA_MAX_SIZE is greater than or equal to 147456KB.
 DB_BLOCK_SIZE is greater than or equal to 8KB
 OPEN_CURSORS = 800
 PROCESSES=500

2. DOWNLOAD INSTALLATION MEDIA

Download URL of Oracle Identity and Access Management 11g R2 PS3 and Oracle Fusion Middleware Repository Creation Utility 11g (11.1.1.9.0):
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html

Operating system certification

Oracle-7,redhat-7,redhat-6,oracle-6,oracle-5.6,enterprise-5.4,enterprise-4,enterprise-5,redhat-5.4,redhat-4,redhat-5,SuSE-10,SuSE-11

Recommended operating system packages

binutils-2.20.51.0.2-5.11.el6-x86_64
compat-libcap1-1.10-1-x86_64
compat-libstdc++-33-3.2.3-69.el6-x86_64
compat-libstdc++-33-3.2.3-69.el6-i686
libgcc-4.4.4-13.el6-i686
libgcc-4.4.4-13.el6-x86_64
libstdc++-4.4.4-13.el6-x86_64
libstdc++-4.4.4-13.el6-i686
libstdc++-devel-4.4.4-13.el6-x86_64
sysstat-9.0.4-11.el6-x86_64
gcc-4.4.4-13.el6-x86_64
gcc-c++-4.4.4-13.el6-x86_64
glibc-2.12-1.7.el6-i686
glibc-2.12-1.7.el6-x86_64
glibc-devel-2.12-1.7.el6-x86_64
glibc-devel-2.12-1.7.el6
libaio-0.3.107-10.el6-x86_64
libaio-devel-0.3.107-10.el6-x86_64

Check that the following packages are installed:

xorg-x11-apps
xterm
openmotif
openmotif22

3. SET ENVIRONMENT VARIABLE FOR ORACLE USER

#WebLogic
export APP_SERVER=weblogic
export MW_HOME=/oracle/Middleware
export WL_HOME=$MW_HOME/wlserver_10.3
export WLS_HOME=$WL_HOME/server
export ANT_HOME=$MW_HOME/modules/org.apache.ant_1.7.1
export DOMAIN_HOME=$MW_HOME/user_projects/domains/IAMAccessDomain
export OAM_DOMAIN_HOME=$MW_HOME/user_projects/domains/IAMAccessDomain

#ORACLE IAM
export IAM_ORACLE_HOME=$MW_HOME/iam_home
export IAM_HOME=$IAM_ORACLE_HOME
# OIM_ORACLE_HOME is the same Oracle home; the three variables below depend on it
export OIM_ORACLE_HOME=$IAM_ORACLE_HOME
export XL_HOME=$OIM_ORACLE_HOME/server
export DC_HOME=$OIM_ORACLE_HOME/designconsole
export RM_HOME=$OIM_ORACLE_HOME/remote_manager

#ORACLE COMMON HOME
export COMMON_ORACLE_HOME=$MW_HOME/oracle_common/common

#Java
export JAVA_VENDOR=ORACLE-JDK
export JAVA_HOME=/usr/java/jdk1.7.0_79

4. INSTALL A CERTIFIED JDK

1.    Make sure that execute permissions are set.
2.    Run this command as the root user: rpm -ivh jdk-7u79-linux-x64.rpm
3.    Check the Java version with java -version and confirm which binary is in use with which java.

5. MODIFY DATABASE SYSTEM PARAMETER

sqlplus / as sysdba
alter system set processes=500 scope=spfile;
alter system set open_cursors=800 scope=spfile;
alter system set session_cached_cursors=500 scope=spfile;
alter system set session_max_open_files=50 scope=spfile;
alter system set aq_tm_processes=1 scope=spfile;
alter system set job_queue_processes=10 scope=spfile;
shutdown immediate;
startup;
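As an added example that is not part of the original articles, the following shell preflight compares a sqlplus "show parameter" listing against the minimums given at the start of this article and of the OIM article (where OPEN_CURSORS is 1600 and SGA_MAX_SIZE is 4294967296), so it can be run before RCU; the listing below is constructed, and the function and variable names are ours.

```shell
#!/bin/sh
# Preflight check of the database parameters these guides require before RCU runs.
# Constructed sample in the layout of "show parameter" output from sqlplus;
# on a real system pipe the sqlplus output into check_db_params instead.
SAMPLE_PARAMS='NAME                  TYPE        VALUE
db_block_size         integer     8192
open_cursors          integer     300
processes             integer     500
sga_max_size          big integer 4294967296
shared_pool_size      big integer 150994944'

# The OAM article's values; 147456KB of shared pool is 150994944 bytes.
OAM_REQUIREMENTS='db_block_size:8192 open_cursors:800 processes:500 shared_pool_size:150994944'
# The OIM article's values (open_cursors 1600 and a 4 GB SGA).
OIM_REQUIREMENTS='db_block_size:8192 open_cursors:1600 processes:500 sga_max_size:4294967296 shared_pool_size:150994944'

# get_param NAME: reads a parameter listing on stdin and prints the VALUE column
# of the matching row (the last field, so "big integer" rows work as well).
get_param() {
    awk -v n="$1" '$1 == n { print $NF }'
}

# check_db_params "name:min ..." < listing
# Prints OK / LOW / MISSING per requirement and a final FAILED=<count> line.
check_db_params() {
    listing=$(cat)
    fails=0
    for req in $1; do
        name=${req%%:*}
        min=${req##*:}
        val=$(printf '%s\n' "$listing" | get_param "$name")
        if [ -z "$val" ]; then
            echo "MISSING $name"
            fails=$((fails + 1))
        elif [ "$val" -lt "$min" ]; then
            echo "LOW $name=$val (need >= $min)"
            fails=$((fails + 1))
        else
            echo "OK $name=$val"
        fi
    done
    echo "FAILED=$fails"
}

# check_charset VALUE: the database character set must be AL32UTF8.
check_charset() {
    [ "$1" = "AL32UTF8" ]
}

# Stand-alone demo against the constructed listing.
printf '%s\n' "$SAMPLE_PARAMS" | check_db_params "$OIM_REQUIREMENTS"
```

On a live system replace the sample with `echo "show parameter" | sqlplus -s / as sysdba`, and take the character set from NLS_DATABASE_PARAMETERS.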

6. CREATING DATABASE SCHEMA USING THE RCU

To create database schemas for Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) components, you must use the 11g Release 2 (11.1.2.3.0) version of the Oracle Fusion Middleware Repository Creation Utility.
Run RCU on the database machine.

unzip ofm_rcu_linux_11.1.1.9.0_64_disk1_1of1.zip
Run "sh rcu" from rcuHome/bin

Welcome:

Create Repository: Select Create and click Next.

Database Connection Details: Provide the database connection information.

Repository Creation Utility – Checking Prerequisites: If you are not using Oracle Database Enterprise Edition you will have to ignore a warning message.

Select Components:
In our environment we use the prefix "OAM"; the following components are required for OAM.
1.    Oracle AS Repository Components
      a.    AS Common Services
            i.    Metadata Services
            ii.   Audit Services
            iii.  Oracle Platform Security Service
2.    Identity Management
      a.    Oracle Access Manager
      b.    Oracle Mobile Security Manager

N.B.: Select Oracle Access Management; all required components will be selected automatically. If you need Oracle Adaptive Access Manager, select that component as well.

Repository Creation Utility – Checking Prerequisites:

Schema Passwords: In our case we use one password for all schemas.

Map Tablespaces:

Repository Creation Utility – Confirmation

Repository Creation Utility – Creating Tablespaces

Summary

Completion Summary

Alter the DEFAULT profile so that the password lifetime is unlimited. As in the OIM article, this applies to every database account that uses the DEFAULT profile, not only the OAM schemas.

SELECT USERNAME, PROFILE FROM DBA_USERS WHERE USERNAME LIKE 'OAM%';
SELECT resource_name, limit
FROM dba_profiles
WHERE profile='DEFAULT'
  AND resource_type='PASSWORD';
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

7. INSTALL WEBLOGIC SERVER

Assuming WebLogic Server was installed in /oracle/Middleware during the OUD installation; if not, follow the steps in the previous article, Installing and Configuring Oracle Unified Directory 11g.

8. INSTALL ORACLE IDENTITY AND ACCESS MANAGER 11G R2 PS3

Unzip the packages:
ofm_iam_generic_11.1.2.3.0_disk1_1of3.zip
ofm_iam_generic_11.1.2.3.0_disk1_2of3.zip
ofm_iam_generic_11.1.2.3.0_disk1_3of3.zip

$ ./runInstaller -jreloc $JAVA_HOME
Starting Oracle Universal Installer...
Checking if CPU speed is above 300 MHz.    Actual 2394 MHz    Passed
Checking Temp space: must be greater than 150 MB.   Actual 70200 MB    Passed
Checking swap space: must be greater than 512 MB.   Actual 15404 MB    Passed
Checking monitor: must be configured to display at least 256 colors.    Actual 16777216    Passed

Welcome:

Install Software Updates:

Prerequisite Checks:

Specify Installation Location:

Installation Summary:

Installation Progress:

Installation Complete:

9. CREATE AN OAM DOMAIN

Run the configuration wizard from the following location:

$MW_HOME/oracle_common/common/bin/config.sh

Welcome: Select "Create a New WebLogic domain" and click Next.

Select Domain Source: Select "Oracle Access Management and Mobile Security Suite"; the rest of the required components will be selected automatically. The required components are Oracle Platform Security Service and Oracle JRF.

Specify Domain Name and Location: In our case we use IAMAccessDomain as the domain name.

Configure Administrator User Name and Password: Provide the administrative user name OAMAdmin and a password.

Configure Server Start Mode and JDK:

Configure JDBC Component Schema: Provide the DB host name, SID and TNS port, and do not forget to change the schema prefix to match the one used in RCU.

Test JDBC Component Schema: Make sure every test shows a successful status.

Select Optional Configuration: Select Administration Server to change the admin server port.

Configure the Administration Server: Port 7001 non-SSL and 7002 SSL.

Configure Managed Servers:

Configure Clusters: Accept the default if you are not configuring a clustered environment.

Configure Machine: Accept the default if you are not configuring a clustered environment.

Configuration Summary: Click Create to start the domain creation process.

Creating Domain: After the domain has been created successfully, click Done to exit the WebLogic domain creation utility.

Configuring Database Security Store for an IAM Domain
Ensure the MW_HOME and IAM_HOME environment variables are set as below.

export MW_HOME=/oracle/Middleware
export IAM_HOME=/oracle/Middleware/iam_home

Then call the configureSecurityStore.py script with the following parameters:
-d domaindir: Location of the directory containing the domain.
-c configmode: The configuration mode of the domain. When configuring the Database Security Store this value must be IAM.
-p password: The OPSS schema password.
-m mode: create. Use create to create a new database security store.

The full command looks like this:
$MW_HOME/oracle_common/common/bin/wlst.sh \
$IAM_HOME/common/tools/configureSecurityStore.py \
-d $MW_HOME/user_projects/domains/IAMAccessDomain -c IAM -p <password> -m create

After successful execution, "Info: Create operation has completed successfully" is shown.

Validate the Database Security Store:
$MW_HOME/oracle_common/common/bin/wlst.sh \
$IAM_HOME/common/tools/configureSecurityStore.py -d \
$MW_HOME/user_projects/domains/IAMAccessDomain -m validate

10. START WEBLOGIC ADMIN SERVER AND OAM MANAGE SERVERS

Start Weblogic Admin Server

$OAM_DOMAIN_HOME/bin/startWebLogic.sh

Before starting the OAM server, copy boot.properties into the OAM server's security directory so that the managed server can be started and stopped without a password prompt.

$ cd $OAM_DOMAIN_HOME/servers
$ mkdir -p oam_server1/security
$ cp AdminServer/security/boot.properties oam_server1/security

Start OAM Server

$OAM_DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1

VERIFY WEBLOGIC AND OAM WEB CONSOLE

Weblogic Admin Console
URL: https://<hostname>:7002/console

Oracle Access Manager Web Single Sign-On page
http://<hostname>:7001/oamconsole/faces/login.jspx
Make sure the host name resolves through DNS.

Oracle Access Manager Admin Console Login Page
URL: http://hostname:7003/oamconsole
This page is shown in the following two cases:
1. when the Access Manager managed server is separated from the Admin Server (i.e. two physical machines are used), or
2. when the Admin Server and the managed server are configured on the same machine but the OAM managed server is down.

Oracle Access Manager Home Page

11. CONFIGURE OUD FOR OAM AND OIM

Note: In the next article we are going to configure the OIM domain. We can use LDAP Sync between OIM and OUD.

Reference URL: https://docs.oracle.com/cd/E52734_01/oim/IDMIG/app_oid_oim.htm#IDMIG31790
If the LDAP identity store (Oracle Unified Directory) has already been configured with the containers and oimadminuser, including the schema extension, you need not follow the configuration steps below.

1. Create a file (OUDContainers.ldif) with the following content. Attribute lines must start in column one (a leading space in LDIF continues the previous line), and entries are separated by a blank line.

dn: cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: oracleAccounts
objectClass: top
objectClass: orclContainer

dn: cn=Users,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: Users
objectClass: top
objectClass: orclContainer

dn: cn=Groups,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Reserve,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: Reserve
objectClass: top
objectClass: orclContainer

2. Import the containers into Oracle Unified Directory with the ldapmodify command. This creates the user, group and reserve containers. Copy the script file (OUDContainers.ldif) to /home/oracle/oud_script/ and make sure OUD is running on the OIM machine.
To create the containers in OUD, run the following command:

$ cd $OUD_INSTANCE/bin
$ ./ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w <OUD Password> -c -v -f /home/oracle/oud_script/OUDContainers.ldif

Or you can import it using Oracle Directory Services Manager: select the OUDContainers.ldif file and import it.

3. Configure the OIM proxy user and ACIs so that OIM can communicate with OUD. Create the admin user, the group and the ACIs.
Create a file OIMAdmin.ldif in /home/oracle/oud_script with the following entries:

dn: cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: OIMAdmin
givenname: OIMAdmin
sn: OIMAdmin
cn: OIMAdmin
uid: OIMAdmin
userPassword: <Provide your OIM Admin Password>

dn: cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: AdminGroup
description: OIM administrator role
uniquemember: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com

dn: cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow AdminGroup add, read and write access to
 all attributes"; allow (add, read, search, compare, write, delete, import, export)
 (groupdn = "ldap:///cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com");)

dn: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

To ensure the OIM admin user was created successfully, log in to Directory Services Manager and search for OIMAdmin.

You can also use ODSM for this import operation.

4. Similarly, import the OAM proxy user so that OAM can communicate with OUD. Create the admin user and add it to the AdminGroup.

dn: cn=OAMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: OAMAdmin
givenname: OAMAdmin
sn: OAMAdmin
cn: OAMAdmin
uid: OAMAdmin
userPassword: <Provide your password>

dn: cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=OAMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com

Verification
Verify using the ldapsearch command:

$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <OUD Password> -b "dc=oud,dc=tigeritbd,dc=com" "(objectclass=*)"

Verify using Directory Services Manager: http://<hostname>:7001/odsm

5.    To enable Oracle Identity Manager (OIM) to lock a user account, you must configure a password policy on the OUD server. Create a password file (/home/oracle/oud_script/passwd.txt) containing the OUD password, and restrict it so that only the oracle user can read it, since dsconfig and rebuild-index read the bind password from this file.

cd /home/oracle/oud_script
echo 'MyPassword' > passwd.txt
cd $OUD_INSTANCE/bin
./dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j /home/oracle/oud_script/passwd.txt -X -n set-password-policy-prop --policy-name 'Default Password Policy' --set lockout-failure-count:3

12. PREREQUISITES FOR ENABLING LDAP SYNCHRONIZATION

After installation of IAM run the following script to prepare OUD environment for LDAP Synchronization

cd $IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/
$OUD_INSTANCE/bin/ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w "<OUD Password>" -f ojd_user_schema_add.ldif

$OUD_INSTANCE/bin/ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -w "<OUD Password>" -Z -X -a -f ojd_user_index_generic.ldif

$OUD_INSTANCE/bin/ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w "<OUD Password>" -f ojd_oam_pwd_schema_add.ldif

Rebuild the indexes online:

$OUD_INSTANCE/bin/rebuild-index -h localhost -p 4444 -D "cn=Directory Manager" -j /home/oracle/oud_script/passwd.txt -X --baseDN dc=oud,dc=tigeritbd,dc=com \
 --index obgroupadministrator \
 --index obid \
 --index oblocationdn \
 --index oblocationname \
 --index oblocationtitle \
 --index obrectangle \
 --index obdirectreports \
 --index obindirectmanager \
 --index obuseraccountcontrol \
 --index obparentlocationdn \
 --index obgroupcreator \
 --index obgroupsubscriptiontype \
 --index obgroupdynamicfilter \
 --index obgroupexpandeddynamic \
 --index obgroupsubscriptionfilter \
 --index obgroupsubscribemessage \
 --index obgroupunsubscribemessage \
 --index obgroupsubscribenotification \
 --index obgrouppuredynamic

When the index rebuild succeeds it displays "Rebuild Index Task <Task Number> has been successfully completed".

Creating the Global ACI for OUD

The groupdn in this ACI must be the DN of the AdminGroup created in step 3 (cn=AdminGroup,cn=systemids,...); an ACI that names a group DN which does not exist grants nothing and fails silently.

cd $OUD_INSTANCE/bin
./dsconfig set-access-control-handler-prop \
 --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow(read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com\";)" \
 --hostname localhost \
 --port 4444 \
 --trustAll \
 --bindDN "cn=Directory Manager" \
 --bindPasswordFile /home/oracle/oud_script/passwd.txt \
 --no-prompt

Verification of the global ACI:

./dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j /home/oracle/oud_script/passwd.txt -n \
  get-access-control-handler-prop \
  --trustAll \
  --property global-aci

Restart the OUD service using stop-ds and start-ds.
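As an added example that is not part of the original article, a shell/awk check that every DN referenced by a uniquemember attribute or by an ACI groupdn in an LDIF file is defined by some entry in the same file; it catches a groupdn pointing at cn=groups when AdminGroup was created under cn=systemids. The LDIF below is constructed from the entries of steps 3 and 4 plus a changelog ACI, and the function name is ours.

```shell
#!/bin/sh
# Offline sanity check for the LDIF used in this section. Constructed sample:
# the OIMAdmin/AdminGroup entries of steps 3 and 4, an ACI on oracleAccounts
# that references the group correctly, and a changelog ACI whose groupdn points
# at cn=groups instead of cn=systemids.
SAMPLE_LDIF='dn: cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: orclContainer
cn: systemids

dn: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: inetorgperson
cn: OIMAdmin
sn: OIMAdmin
uid: OIMAdmin

dn: cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: groupOfUniqueNames
cn: AdminGroup
uniquemember: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com

dn: cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow AdminGroup access"; allow (add, read, search, write)
 (groupdn = "ldap:///cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com");)

dn: cn=changelog
changetype: modify
add: aci
aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare) groupdn="ldap:///cn=AdminGroup,cn=groups,dc=oud,dc=tigeritbd,dc=com";)'

# unresolved_ldif_refs < ldif
# Unfolds LDIF continuation lines (a leading space continues the previous line),
# records every "dn:" as a known DN (modify targets included) and prints
# "UNRESOLVED <dn>" for each referenced DN that is not known. DN comparison is
# case-insensitive and ignores spaces after commas. Empty output means all resolve.
unresolved_ldif_refs() {
    awk '
    function norm(s) { gsub(/, +/, ",", s); return tolower(s) }
    # Process one unfolded logical line held in buf.
    function flush(    d, g) {
        if (buf ~ /^dn:/) {
            d = buf; sub(/^dn:[ \t]*/, "", d); known[norm(d)] = 1
        }
        if (buf ~ /^uniquemember:/) {
            d = buf; sub(/^uniquemember:[ \t]*/, "", d); refs[norm(d)] = d
        }
        while (match(buf, /groupdn *= *"ldap:\/\/\/[^"]*"/)) {
            g = substr(buf, RSTART, RLENGTH)
            sub(/^[^\/]*\/\/\//, "", g); sub(/"$/, "", g)
            refs[norm(g)] = g
            buf = substr(buf, RSTART + RLENGTH)
        }
        buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0 }
    END {
        flush()
        for (r in refs) if (!(r in known)) print "UNRESOLVED " refs[r]
    }'
}

# Stand-alone demo: reports the cn=groups reference as unresolved.
printf '%s\n' "$SAMPLE_LDIF" | unresolved_ldif_refs
```

Run it as `unresolved_ldif_refs < OIMAdmin.ldif` before ldapmodify; the dsconfig global-aci value can be pasted into a small LDIF fragment to check it the same way.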

13. USER IDENTITY STORE REGISTRATION WITH ORACLE UNIFIED DIRECTORY

Create a User Identity Store
1.    Go to Configuration -> User Identity Store
2.    Click "+Create" to create a User Identity Store with the following values:

Store Name             : OUDIdentityStore
Store Type             : OUD: Oracle Unified Directory
Location               : <hostname>:1389
Bind DN                : cn=OAMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
Password               : Provide the OAMAdmin user password
Login ID Attribute     : uid
User Password Attribute: userPassword
User Search Base       : cn=Users,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
User Filter Object Classes    : inetOrgPerson
Group Search Base      : cn=Groups,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com

Click Apply.

14. OAM POLICY MANAGER MANAGED SERVER

Start OAM Policy Manager
Before starting the OAM Policy Manager server, copy boot.properties into its security directory so that the managed server can be started and stopped without a password prompt.

$ cd $OAM_DOMAIN_HOME/servers
$ mkdir -p oam_policy_mgr1/security
$ cp AdminServer/security/boot.properties oam_policy_mgr1/security

Start OAM Policy Manager

$ $OAM_DOMAIN_HOME/bin/startManagedWebLogic.sh oam_policy_mgr1

URL:  http://<hostname>:14150/access
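The boot.properties copy is repeated by hand in these articles for soa_server1, oim_server1, bi_server1, oam_server1 and oam_policy_mgr1. As an added example that is not the author's code, a shell function that does the copy for any managed server and restricts the copy to its owner, because the file holds the WebLogic administrator credentials; the domain skeleton it runs against is constructed in a temporary directory, and the function names are assumptions.

```shell
#!/bin/sh
# install_boot_properties DOMAIN_HOME SERVER_NAME
# Copies the Admin Server's boot.properties into servers/<SERVER_NAME>/security
# (created if missing) and locks the copy down to the owner, so the managed
# server starts without prompting and no other local user can read the file.
install_boot_properties() {
    domain=$1
    server=$2
    src=$domain/servers/AdminServer/security/boot.properties
    dst_dir=$domain/servers/$server/security
    if [ ! -f "$src" ]; then
        echo "no Admin Server boot.properties at $src" >&2
        return 1
    fi
    # Both keys must be present, otherwise the managed server still prompts.
    grep -q '^username=' "$src" && grep -q '^password=' "$src" || {
        echo "$src lacks username= or password=" >&2
        return 1
    }
    mkdir -p "$dst_dir"
    cp "$src" "$dst_dir/boot.properties"
    chmod 700 "$dst_dir"
    chmod 600 "$dst_dir/boot.properties"
}

# boot_properties_mode DOMAIN_HOME SERVER_NAME
# Prints the permission string of the installed copy, e.g. -rw-------,
# so the lock-down can be verified after the copy.
boot_properties_mode() {
    ls -l "$1/servers/$2/security/boot.properties" | cut -c1-10
}

# make_demo_domain DIR
# Builds a constructed domain skeleton with a sample Admin Server boot.properties
# (plain text here; on a real domain WebLogic encrypts the values in place on
# first start, which is why the file is copied rather than written by hand).
make_demo_domain() {
    mkdir -p "$1/servers/AdminServer/security"
    printf 'username=weblogic\npassword=example-only\n' \
        > "$1/servers/AdminServer/security/boot.properties"
}

# Stand-alone demo against a temporary directory instead of a real domain.
DEMO_DOMAIN=$(mktemp -d)
make_demo_domain "$DEMO_DOMAIN"
for s in soa_server1 oim_server1 bi_server1; do
    install_boot_properties "$DEMO_DOMAIN" "$s" \
        && echo "$s: $(boot_properties_mode "$DEMO_DOMAIN" "$s")"
done
rm -rf "$DEMO_DOMAIN"
```

On a real domain call it as `install_boot_properties "$OAM_DOMAIN_HOME" oam_policy_mgr1` as the oracle user, before the first startManagedWebLogic.sh run.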

Dec 27 15

Installing and Configuring Oracle Unified Directory 11g

Tamim Khan

Oracle Unified Directory can be managed by using the command line or by using the graphical Oracle Directory Services Manager (ODSM) interface. ODSM relies on Oracle WebLogic Server and on the Oracle Application Development Framework, so, if you plan to use ODSM you must install these components.

This section describes how to obtain and install Oracle Unified Directory, Oracle WebLogic Server, and the Oracle Application Development Framework. The ODSM bits are installed when you install Oracle Unified Directory but ODSM must be configured when you have installed Oracle WebLogic Server and the Oracle Application Development Framework.

1. DOWNLOAD INSTALLATION MEDIA

Download URL of Oracle Unified Directory:

http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html

Download URL of Application Development Framework (ADF): Oracle Application Development Framework 11g Release 1 (11.1.1.9.0)
http://www.oracle.com/technetwork/developer-tools/adf/downloads/index.html

2.    PREPARE ENVIRONMENT FOR INSTALLATION

You must provide Oracle Unified Directory with information about the location of the Java installation that should be used by setting the JAVA_HOME environment variable. The setup will not work if the JAVA_HOME environment variable is not set, or does not point to the root of a valid (at least Java 1.7) installation.

2.1    Configuring Kernel Parameters

Using any text editor, create or edit the /etc/sysctl.conf file, and add following lines.

fs.aio-max-nr = 1048576
fs.file-max = 6815744
#kernel.shmall = 2097152
#kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048586
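As an added example (not from the original post), a small POSIX shell check that confirms the required kernel parameters above are present and large enough before you go on to install; the function names and the constructed sample file are mine, and the minimums are the values listed above.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the kernel parameters
# from section 2.1 are present and at least at the required value, reading
# /etc/sysctl.conf or a `sysctl -a` dump (both use "key = value" lines).
# key=minimum pairs from the post; shmall/shmmax are commented out there and
# the multi-value keys (kernel.sem, ip_local_port_range) are checked by eye.
REQUIRED_SYSCTL="fs.aio-max-nr=1048576
fs.file-max=6815744
kernel.shmmni=4096
net.core.rmem_default=262144
net.core.rmem_max=4194304
net.core.wmem_default=262144
net.core.wmem_max=1048586"

# sysctl_value KEY FILE: print KEY's numeric value; the last uncommented
# occurrence wins, as it does when sysctl loads the file.
sysctl_value() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1
}

# check_sysctl_file FILE: return 0 when every required key is present and
# >= its minimum; otherwise report each problem and return 1.
check_sysctl_file() {
    rc=0
    for pair in $REQUIRED_SYSCTL; do
        key=${pair%%=*}; minimum=${pair#*=}
        current=$(sysctl_value "$key" "$1")
        if [ -z "$current" ]; then
            echo "MISSING $key (need >= $minimum)"; rc=1
        elif [ "$current" -lt "$minimum" ]; then
            echo "TOO LOW $key = $current (need >= $minimum)"; rc=1
        fi
    done
    return $rc
}

# write_sample_conf: constructed sample (not a real host) with fs.file-max
# too low and net.core.wmem_max missing; prints the temp file's path.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
fs.aio-max-nr = 1048576
fs.file-max = 65536
kernel.shmmni = 4096
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
EOF
    echo "$f"
}
```

Run `check_sysctl_file /etc/sysctl.conf` (or against a `sysctl -a` dump) and fix every line it reports before running the installer prerequisite checks.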

2.2    Software Requirements Check for OUD, IAM Suite, SOA

Operating system certification

Oracle-7,redhat-7,redhat-6,oracle-6,oracle-5.6,enterprise-5.4,enterprise-4,enterprise-5,redhat-5.4,redhat-4,redhat-5,SuSE-10,SuSE-11

Recommended operating system packages

binutils-2.20.51.0.2-5.11.el6-x86_64
compat-libcap1-1.10-1-x86_64
compat-libstdc++-33-3.2.3-69.el6-x86_64
compat-libstdc++-33-3.2.3-69.el6-i686
libgcc-4.4.4-13.el6-i686
libgcc-4.4.4-13.el6-x86_64
libstdc++-4.4.4-13.el6-x86_64
libstdc++-4.4.4-13.el6-i686
libstdc++-devel-4.4.4-13.el6-x86_64
sysstat-9.0.4-11.el6-x86_64
gcc-4.4.4-13.el6-x86_64
gcc-c++-4.4.4-13.el6-x86_64
glibc-2.12-1.7.el6-i686
glibc-2.12-1.7.el6-x86_64
glibc-devel-2.12-1.7.el6-x86_64
glibc-devel-2.12-1.7.el6
libaio-0.3.107-10.el6-x86_64
libaio-devel-0.3.107-10.el6-x86_64

2.3    Create new groups and Oracle User

Create the user on the Linux box:

echo "Adding group/user for oracle"
groupadd -g 601 oracle
groupadd -g 602 oinstall
useradd -c "Middleware Software Owner " -d /oracle -g 601 -m -s /bin/bash -u 601 oracle

To set the oracle user's password, use the following command:
passwd oracle

If the oracle user already exists, adjust its groups instead: usermod -g oinstall -G dba,oper oracle

2.4    Creating Required Directories and Changing Ownership

Enter the following command to display information about all mounted file systems, then create the installation directory and hand it to the oracle user:

# df -h
# mkdir -p /mount_point/app/
# chown -R oracle:oinstall /mount_point/app/
# chmod -R 775 /mount_point/app/

For example:
mkdir -p /oracle/Middleware/
chown -R oracle:oinstall /oracle/Middleware/
chmod -R 775 /oracle/Middleware/

2.5    Environment Settings for OUD

#Host
export ORACLE_HOSTNAME=iamr2ps3.tigeritbd.com

#WebLogic
export APP_SERVER=weblogic
export MW_HOME=/oracle/Middleware
export WL_HOME=$MW_HOME/wlserver_10.3
export WLS_HOME=$WL_HOME/server
export ANT_HOME=$MW_HOME/modules/org.apache.ant_1.7.1
export DOMAIN_HOME=$MW_HOME/user_projects/domains/IAMAccessDomain

#Java
export JAVA_VENDOR=ORACLE-JDK
export JAVA_HOME=/usr/java/jdk1.7.0_79

#Oracle Unified Directory instance 
export INSTANCE_NAME=oud-instance1
export OUD_HOME=$MW_HOME/oud_home
export OUD_ORACLE_HOME=$MW_HOME/oud_home
export OUD_INSTANCE=$MW_HOME/oud-instance1/OUD/

#PATH for JDK and JRE
export PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH

3.    START INSTALLATION PROCESS

3.1    Install JDK 7

Make sure that execute permissions are set on the package.
Run this command as the root user: rpm -ivh jdk-7u79-linux-x64.rpm
image003

Check the Java version with java -version and confirm which binary is in use with which java.

image004

3.2    Install WebLogic Server 11g R1

You must install Oracle WebLogic Server as the same user who installed Oracle Unified Directory.

#java -jar wls1036_generic.jar
 Extracting 0%...........................................100%

Welcome
image005

Choose Middleware Home Directory: In our case we are using /oracle/Middleware
image006

Register for Security Updates: Click the check box and Yes, then click Next.
image007

Register for Security Updates: Click the check box and then Continue.

image008

Choose Install Type: Choose Typical

image009

JDK Selection: If the environment settings and the JDK installation are correct, the local JDK is selected automatically. If you have multiple JDKs, select the one you want WebLogic to use.

image010

Choose Product Installation Directories:

image011

Installation Summary:

image012

Installation Progress:

image013

Installation Complete: Uncheck Run Quickstart

image014

3.3    Install Oracle Unified Directory 11g (11.1.2.3.0)

Unzip ofm_oud_generic_11.1.2.3.0_disk1_1of1.zip, then start the Oracle Universal Installer by running the runInstaller script from Disk1, specifying the location of a valid Java installation:

$ ./runInstaller -jreloc $JAVA_HOME

Welcome screen:
image015

Install Software Updates:  Select Skip Software Updates and Click Next.

image016

Prerequisites Check:  Monitor the prerequisites checking. If there is an issue, an error or warning message is displayed. Investigate the issue and resolve it. After resolving the issue, click Retry to restart the prerequisite checks.

image017

Specify Installation Location:
OUD Base Location Home:  This directory will house any Oracle Unified Directory instances that are configured at a later stage.
Oracle Home Directory: The Installer uses the name you enter in this field to create the Oracle Home directory under the location you enter in the OUD Base Location field. The Installer installs the files (such as binaries and libraries) required to host Oracle Unified Directory in the Oracle Home directory. The Oracle Home directory is commonly referred to as ORACLE_HOME.
image018

Installation Summary : Click Save to save the installation response file, which contains your responses to the Installer prompts and fields. You can use this response file to perform silent installations. Click Install. The Installation Progress screen is displayed.

image019

Note: The installation response file is not saved by default; you must click Save to retain it.

Installation Progress:
image020

Installation Complete:

image021

3.4    Installing Oracle ADF for Oracle WebLogic Server

Oracle Directory Services Manager is a J2EE application that runs inside an Oracle WebLogic Server container and relies on certain libraries that are not installed with the Oracle Unified Directory software. These libraries are provided in the Oracle Application Development Framework. If you plan to manage Oracle Unified Directory with ODSM, you must therefore install the Oracle Application Development Framework.

Welcome screen:
image022

Install Software Updates:

image023

Prerequisite Check:

image024

Installation Location:

image025

Application Server:

image026

Installation Summary:

image027

Installation Progress:

image028

Installation Complete:

image029

4.    SETTING UP THE DIRECTORY SERVER BY USING GUI INTERFACE

Set Up the Directory Server Using the GUI
1.    Ensure that your JAVA_HOME environment variable is set to a supported JVM installation (at least Java 1.7).
2.    Run the oud-setup command from /oracle/Middleware/oud_home to configure the directory server installation.
3.    The default instance directory name is asinst_1, with subsequent instances on the same server named asinst_2, asinst_3, and so on. To specify a different instance name, set the INSTANCE_NAME environment variable before you run the setup, for example:
export INSTANCE_NAME=oud-instance1
4.    Go to $OUD_HOME and run the following command, then click Next on the Welcome panel.
$ sh oud-setup
image030

Welcome:

image031

Server Settings: On the Server Settings panel, click the Configure button for LDAP Secure Access and provide the password for the Directory Manager account.

image032

Security Operations: Select Enable SSL and Enable StartTLS for LDAP.

image033

Topology Options: Select This will be a stand-alone server. Click Next to continue.

image034

Directory Data: Directory Base DN. Enter the base DN for your directory. The default base DN is dc=example,dc=com.

image035

Oracle Component Integration: Select No specific integration, then click Next.

image036

Server Tuning:

image037

Review: Select Start Server when Configuration has completed to start the server after the directory server has been configured. On Windows systems, select Start Server as a Windows service, if desired.

image038

Progress:

image039

Finished: 

image040

Click Close.

Test whether the directory server has been set up and started successfully by searching for an entry in the directory. For example, go to instance-dir/oud/bin/ and run the following command:

cd $OUD_INSTANCE/bin
$ ldapsearch -h localhost -p 1389 \
-D "cn=directory manager" -w Tigerit1 -b "dc=oud,dc=tigeritbd,dc=com" "(objectclass=*)"

image041
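An added example (not the post's own command) that repeats this smoke test over the LDAPS port enabled in the Security Options step, reading the Directory Manager password from a mode-600 file rather than passing it with -w, where it is visible in ps output and shell history; the host, port 1636, trust store path and $OUD_INSTANCE layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: run the same post-setup search
# as above, but over LDAPS on the secure port configured in Security Options,
# with the Directory Manager password read from a 0600 file (-j) instead of
# being passed with -w, where it shows up in `ps` output and shell history.
# Host, ports, base DN and trust store path are assumptions for this example.
OUD_HOST=${OUD_HOST:-localhost}
OUD_LDAPS_PORT=${OUD_LDAPS_PORT:-1636}
OUD_BASE_DN=${OUD_BASE_DN:-dc=oud,dc=tigeritbd,dc=com}
OUD_BIND_DN=${OUD_BIND_DN:-cn=directory manager}

# write_password_file PASSWORD: create a temp file readable only by the
# current user, store the password in it and print the path. Remove it
# when the check is done.
write_password_file() {
    f=$(mktemp) || return 1
    chmod 600 "$f" || return 1
    printf '%s' "$1" > "$f"
    echo "$f"
}

# file_mode FILE: print the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# oud_search_check PASSWORD_FILE TRUSTSTORE: bind as Directory Manager over
# LDAPS, trusting only the certificates in TRUSTSTORE (export the server
# certificate from the instance keystore into it), and read the base entry.
# Returns ldapsearch's exit status: 0 means the server is up and the bind
# and search succeeded. Refuses a password file that others can read.
oud_search_check() {
    pwfile=$1
    truststore=$2
    [ "$(file_mode "$pwfile")" = "600" ] || {
        echo "refusing to use $pwfile: mode is not 600" >&2; return 1; }
    "$OUD_INSTANCE/bin/ldapsearch" -h "$OUD_HOST" -p "$OUD_LDAPS_PORT" \
        --useSSL --trustStorePath "$truststore" \
        -D "$OUD_BIND_DN" -j "$pwfile" \
        -b "$OUD_BASE_DN" -s base "(objectclass=*)" dn
}

# Usage (run on the OUD host after section 4):
#   pw=$(write_password_file 'your-directory-manager-password')
#   oud_search_check "$pw" /path/to/oud-trust.jks; rm -f "$pw"
```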

5.    START STOP ORACLE UNIFIED DIRECTORY

•    To start, run the script $OUD_INSTANCE/bin/start-ds
•    To stop, run the script $OUD_INSTANCE/bin/stop-ds

Oracle Documentation: http://docs.oracle.com/cd/E52734_01/oud/index.html

Aug 16 15

OIM R2 PS3

Tamim Khan

Oracle Identity Manager R2 PS3 Installation and Configuration

Jun 21 15

home

Tamim Khan

This site is an attempt to document our journey of learning the Identity and Access Management Suite, Oracle Service Bus and some other Oracle Fusion Middleware products from Oracle Corporation.
As part of our journey, we have to re-explore the products with the mindset of a newbie and try to understand what goes into leveraging them to build a viable Oracle Fusion Middleware solution. The focus of this site is primarily going to be on implementation, development, installation and configuration.

IAM System Architecture