Dec 27 15

Installing and Configuring Oracle Access Manager R2 (11.1.2.3.0) PS3

Tamim Khan

1. INTRODUCTION

This document describes the step-by-step installation of Oracle Access Manager 11g R2 PS3. It assumes that the environment has been configured according to Oracle best practice, and that OUD has already been installed and configured as described in the previous document.

Make sure that the database parameters below are set to the values given:

- AL32UTF8 (Unicode) as the database character set
- SHARED_POOL_SIZE greater than or equal to 147456KB
- SGA_MAX_SIZE greater than or equal to 147456KB
- DB_BLOCK_SIZE greater than or equal to 8KB
- OPEN_CURSORS = 800
- PROCESSES = 500

2. DOWNLOAD INSTALLATION MEDIA

Download URL of Oracle Identity and Access Management 11g R2 PS3 and Oracle Fusion Middleware Repository Creation Utility 11g (11.1.1.9.0):
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html

Operating system certification

Oracle-7,redhat-7,redhat-6,oracle-6,oracle-5.6,enterprise-5.4,enterprise-4,enterprise-5,redhat-5.4,redhat-4,redhat-5,SuSE-10,SuSE-11

Recommended operating system packages

binutils-2.20.51.0.2-5.11.el6-x86_64
compat-libcap1-1.10-1-x86_64
compat-libstdc++-33-3.2.3-69.el6-x86_64
compat-libstdc++-33-3.2.3-69.el6-i686
libgcc-4.4.4-13.el6-i686
libgcc-4.4.4-13.el6-x86_64
libstdc++-4.4.4-13.el6-x86_64
libstdc++-4.4.4-13.el6-i686
libstdc++-devel-4.4.4-13.el6-x86_64
sysstat-9.0.4-11.el6-x86_64
gcc-4.4.4-13.el6-x86_64
gcc-c++-4.4.4-13.el6-x86_64
glibc-2.12-1.7.el6-i686
glibc-2.12-1.7.el6-x86_64
glibc-devel-2.12-1.7.el6-x86_64
glibc-devel-2.12-1.7.el6
libaio-0.3.107-10.el6-x86_64
libaio-devel-0.3.107-10.el6-x86_64

Package Installed Check

xorg-x11-apps 
xterm 
openmotif 
openmotif22

3. SET ENVIRONMENT VARIABLE FOR ORACLE USER

#WebLogic
export APP_SERVER=weblogic
export MW_HOME=/oracle/Middleware
export WL_HOME=$MW_HOME/wlserver_10.3
export WLS_HOME=$WL_HOME/server
export ANT_HOME=$MW_HOME/modules/org.apache.ant_1.7.1
export DOMAIN_HOME=$MW_HOME/user_projects/domains/IAMAccessDomain
export OAM_DOMAIN_HOME=$MW_HOME/user_projects/domains/IAMAccessDomain

#ORACLE IAM
export IAM_ORACLE_HOME=$MW_HOME/iam_home
export IAM_HOME=$IAM_ORACLE_HOME
export OIM_ORACLE_HOME=$IAM_ORACLE_HOME   # OIM lives in the same Oracle home; the three variables below depend on it
export XL_HOME=$OIM_ORACLE_HOME/server
export DC_HOME=$OIM_ORACLE_HOME/designconsole
export RM_HOME=$OIM_ORACLE_HOME/remote_manager

#ORACLE COMMON HOME
export COMMON_ORACLE_HOME=$MW_HOME/oracle_common/common

#Java
export JAVA_VENDOR=ORACLE-JDK
export JAVA_HOME=/usr/java/jdk1.7.0_79

4. INSTALL A CERTIFIED JDK

1. Make sure that execute permissions are set on the JDK package.
2. Run this command as the root user: rpm -ivh jdk-7u79-linux-x64.rpm
3. Check the Java version with java -version and confirm which java binary is in use with which java.

5. MODIFY DATABASE SYSTEM PARAMETER

sqlplus / as sysdba
alter system set processes=500 scope=spfile;
alter system set open_cursors=800 scope=spfile;
alter system set session_cached_cursors=500 scope=spfile;
alter system set session_max_open_files=50 scope=spfile;
alter system set aq_tm_processes=1 scope=spfile;
alter system set job_queue_processes=10 scope=spfile;
shutdown immediate;
startup;

6. CREATING DATABASE SCHEMA USING THE RCU

To create database schemas for Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) components, you must use the 11g Release 2 (11.1.2.3.0) version of the Oracle Fusion Middleware Repository Creation Utility.
Run RCU on the database machine.

unzip ofm_rcu_linux_11.1.1.9.0_64_disk1_1of1.zip
Run "sh rcu" from rcuHome/bin.

Welcome:
Create Repository: Select Create and Click next.

Database Connection Details: Provide Database connection information as shown below.

Repository Creation Utility – Checking Prerequisites: If you are not using Oracle Database Enterprise Edition, you will have to ignore a warning message.

Select Components:
In our environment we use the prefix "OAM"; the following components need to be selected for OAM.
1. Oracle AS Repository Components
   a. AS Common Services
      i. Metadata Services
      ii. Audit Services
      iii. Oracle Platform Security Service
2. Identity Management
   a. Oracle Access Manager
   b. Oracle Mobile Security Manager

N.B.: Select Oracle Access Management and all required components will be selected automatically. If you need Oracle Adaptive Access Manager then select that component as well.

Repository Creation Utility – Checking Prerequisites:

Schema Passwords: In our case we are using one password for all schemas.

Map Tablespaces:

Repository Creation Utility – Confirmation

Repository Creation Utility – Creating Tablespaces

Summary

Completion Summary

Alter the DEFAULT profile so that the password lifetime is unlimited. The first two queries show which profile the OAM schemas use and the current PASSWORD limits of that profile; the ALTER then removes the lifetime limit.

SELECT USERNAME, PROFILE FROM DBA_USERS WHERE USERNAME LIKE 'OAM%';
SELECT resource_name, limit
FROM dba_profiles
WHERE profile = 'DEFAULT'
  AND resource_type = 'PASSWORD';
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

7. INSTALL WEBLOGIC SERVER

This assumes that WebLogic Server was installed in /oracle/Middleware at the time of the OUD installation; if not, follow the steps in the previous article, Installing and Configuring Oracle Unified Directory 11g.

8. INSTALL ORACLE IDENTITY AND ACCESS MANAGER 11G R2 PS3


Unzip the packages:
ofm_iam_generic_11.1.2.3.0_disk1_1of3.zip
ofm_iam_generic_11.1.2.3.0_disk1_2of3.zip
ofm_iam_generic_11.1.2.3.0_disk1_3of3.zip
$ ./runInstaller -jreloc $JAVA_HOME
 Starting Oracle Universal Installer...
 Checking if CPU speed is above 300 MHz.    Actual 2394 MHz    Passed
 Checking Temp space: must be greater than 150 MB.   Actual 70200 MB    Passed
 Checking swap space: must be greater than 512 MB.   Actual 15404 MB    Passed
 Checking monitor: must be configured to display at least 256 colors.    Actual 16777216    Passed

Welcome:

Install Software Updates:

Prerequisite Checks:

Specify Installation Location:

Installation Summary:

Installation Progress:

Installation Complete:

9. CREATE AN OAM DOMAIN

Run the configuration wizard from the following location:

$MW_HOME/oracle_common/common/bin/config.sh

Welcome: Select “Create a New Weblogic domain” and click Next.

Select Domain Source: Select "Oracle Access Management and Mobile Security Suite"; the rest of the required components are selected automatically. The required components are Oracle Platform Security Service and Oracle JRF.

Specify Domain Name and Location: In our case we use IAMAccessDomain as the domain name.

Configure Administrator User Name and Password: Provide the administrative user name OAMAdmin and a password.

Configure Server Start Mode and JDK:

Configure JDBC Component Schema: Provide the DB host name, SID and TNS port, and do not forget to change the schema prefix to the one used in the RCU (OAM in our case).

Test JDBC Component Schema: Make sure the status of every test is successful.

Select Optional Configuration: Select Administration Server to change the admin server port.

Configure the Administration Server: Port 7001 (non-SSL) and 7002 (SSL).

Configure Managed Servers:

Configure Clusters: Accept the default if you are not configuring a clustered environment.

Configure Machine: Accept the default if you are not configuring a clustered environment.

Configuration Summary: Click on Create Button to start the domain creation process.

Creating Domain: After successful domain creation, click the Done button to exit the WebLogic domain creation utility.

Configuring Database Security Store for an IAM Domain
Ensure the MW_HOME and IAM_HOME environment variables are set as below.

export MW_HOME=/oracle/Middleware
export IAM_HOME=/oracle/Middleware/iam_home

After that, call the configureSecurityStore.py script with the following parameters:
-d domaindir: location of the directory containing the domain.
-c configmode: the configuration mode of the domain. When configuring the Database Security Store this value must be IAM.
-p password: the OPSS schema password. Note that a password given on the command line is visible in the process list and is recorded in the shell history.
-m mode: use create to create a new database security store.

The full command looks like this:
$MW_HOME/oracle_common/common/bin/wlst.sh \
$IAM_HOME/common/tools/configureSecurityStore.py \
-d $MW_HOME/user_projects/domains/IAMAccessDomain -c IAM -p <password> -m create

After successful execution the message "Info: Create operation has completed successfully" is shown.

Validate the Database Security Store:
$MW_HOME/oracle_common/common/bin/wlst.sh \
$IAM_HOME/common/tools/configureSecurityStore.py -d \
$MW_HOME/user_projects/domains/IAMAccessDomain -m validate

10. START WEBLOGIC ADMIN SERVER AND OAM MANAGED SERVERS

Start Weblogic Admin Server

$OAM_DOMAIN_HOME/bin/startWebLogic.sh

Before starting the OAM server, copy the boot.properties file into the OAM server's security directory so that the managed server can be started and stopped without a password prompt.

$ cd $OAM_DOMAIN_HOME/servers
$ mkdir -p oam_server1/security
$ cp AdminServer/security/boot.properties oam_server1/security

Start OAM Server

$OAM_DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1

VERIFY WEBLOGIC AND OAM WEB CONSOLE
Weblogic Admin Console
URL: https://<hostname>:7002/console

Oracle Access Manager web single sign-on page:
http://<hostname>:7001/oamconsole/faces/login.jspx
Make sure the host name resolves in DNS.

Oracle Access Manager Admin Console login page.
URL: http://hostname:7003/oamconsole
This page is shown in the following two cases:
1. when the Access Manager managed server is separated from the Admin Server (i.e. two physical machines are used), or
2. when the Admin Server and the managed server are configured on the same machine but the OAM managed server is down.

Oracle Access Manager Home Page

11. CONFIGURE OUD FOR OAM AND OIM

Note: In the next article we are going to configure the OIM domain. LDAP sync can be used between OIM and OUD.

Reference URL: https://docs.oracle.com/cd/E52734_01/oim/IDMIG/app_oid_oim.htm#IDMIG31790
If the LDAP identity store (Oracle Unified Directory, OUD) has already been configured with the containers and oimadminuser, and with the schema extension, you need not follow the configuration steps below.

1. Create a file (OUDContainers.ldif) containing the following entries. Separate entries with a blank line, and do not indent attribute lines: LDIF treats a line starting with a space as a continuation of the previous line.

dn: cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: oracleAccounts
objectClass: top
objectClass: orclContainer

dn: cn=Users,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: Users
objectClass: top
objectClass: orclContainer

dn: cn=Groups,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Reserve,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: add
cn: Reserve
objectClass: top
objectClass: orclContainer

2. Import the containers into Oracle Unified Directory with the ldapmodify command. This creates the user, group and reserve containers. Copy the script file (OUDContainers.ldif) to /home/oracle/oud_script/.
Make sure OUD is running on the OIM machine.
To create the containers in OUD run the following command:

$ cd $OUD_INSTANCE/bin
$ ./ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w <OUD Password> -c -v -f /home/oracle/oud_script/OUDContainers.ldif

Alternatively, import the file with Oracle Directory Services Manager (ODSM) by selecting the OUDContainers.ldif file.

3. Configure the OIM proxy user and ACI so that OIM can communicate with OUD. Create the admin user, the group and the ACIs.
Create a file OIMAdmin.ldif in /home/oracle/oud_script containing the following entries:

dn: cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: OIMAdmin
givenname: OIMAdmin
sn: OIMAdmin
cn: OIMAdmin
uid: OIMAdmin
userPassword: <Provide your OIM Admin Password>

dn: cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: AdminGroup
description: OIM administrator role
uniquemember: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com

dn: cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com")(targetattr = "*")(version 3.0; acl "Allow AdminGroup add, read and write access to all attributes"; allow (add, read, search, compare, write, delete, import, export)(groupdn = "ldap:///cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com");)

dn: cn=OIMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

To ensure the OIM admin user was created successfully, log in to Directory Services Manager and search for OIMAdmin.

You can also use ODSM for this import operation.
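Both LDIF files above are imported with ldapmodify -c (or ODSM), and -c skips a record that fails and carries on, so an entry whose parent container was never created, or an aci whose groupdn names a group that does not exist, is easy to miss until OIM or OAM cannot bind. The following is an added example, not from the original article: a small checker for the LDIF format used above that unfolds continuation lines and reports adds with an unknown parent, modifies of unknown entries, and aci groupdn references to groups that are neither added in the file nor passed in as already existing. The suffix dc=oud,dc=tigeritbd,dc=com is the article's; the sample LDIF is constructed from the article's OIMAdmin.ldif with the user entry and password omitted.

```python
import re

def norm_dn(dn):
    # Case-fold and strip spaces around RDN separators (escaped commas are not handled).
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    # Entries are separated by blank lines; a line starting with one space continues the previous line.
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = "", {}
        for line in re.sub(r"\n ", "", block).splitlines():
            name, _, value = [s.strip() for s in line.partition(":")]
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        yield dn, attrs

def check_ldif(text, suffix="dc=oud,dc=tigeritbd,dc=com", existing=()):
    # Report an add whose parent is unknown, a modify of an unknown entry, and an aci whose groupdn
    # names a group neither added in this file nor in `existing` (DNs already present in OUD).
    known = {norm_dn(suffix)} | {norm_dn(d) for d in existing}
    problems = []
    for dn, attrs in parse_ldif(text):
        if attrs.get("changetype", ["add"])[0].lower() == "add":
            parent = dn.split(",", 1)[1] if "," in dn else ""
            if norm_dn(parent) not in known:
                problems.append(f"{dn}: parent is neither the suffix nor added earlier in the file")
            known.add(norm_dn(dn))
        elif norm_dn(dn) not in known:
            problems.append(f"{dn}: modify targets an entry not known to exist")
        for aci in attrs.get("aci", []):
            for ref in re.findall(r'groupdn\s*=\s*"ldap:///([^"]+)"', aci):
                if norm_dn(ref) not in known:
                    problems.append(f"{dn}: aci grants access to unknown group {ref}")
    return problems

# Constructed sample modelled on the article's OIMAdmin.ldif (user entry and password omitted).
SAMPLE = """\
dn: cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: orclContainer
cn: systemids

dn: cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: groupOfUniqueNames
cn: AdminGroup

dn: cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com")(targetattr = "*")(version 3.0;
 acl "AdminGroup access"; allow (all)(groupdn = "ldap:///cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com");)
"""
```

Run it as check_ldif(open("OIMAdmin.ldif").read(), existing=["cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com"]) before importing; an empty list means the file is internally consistent.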

4. Similarly, import the OAM proxy user so that OAM can communicate with OUD: create the admin user and add it to the group.

dn: cn=OAMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: OAMAdmin
givenname: OAMAdmin
sn: OAMAdmin
cn: OAMAdmin
uid: OAMAdmin
userPassword: <Provide your password>

dn: cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=OAMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com

Verification
Verify using the ldapsearch command:

$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <OUD Password> -b "dc=oud,dc=tigeritbd,dc=com" "(objectclass=*)"

Verify using Oracle Directory Services Manager: http://<hostname>:7001/odsm

5. To enable Oracle Identity Manager (OIM) to lock a user account, you must configure a password policy on the OUD server. Create a password file (/home/oracle/oud_script/passwd.txt) containing the OUD password, readable by the oracle user only.

cd /home/oracle/oud_script
echo 'MyPassword' > passwd.txt
chmod 600 passwd.txt
cd $OUD_INSTANCE/bin
./dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j /home/oracle/oud_script/passwd.txt -X -n set-password-policy-prop --policy-name 'Default Password Policy' --set lockout-failure-count:3

12. PREREQUISITES FOR ENABLING LDAP SYNCHRONIZATION

After the IAM installation, run the following commands to prepare the OUD environment for LDAP synchronization:

cd $IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/
$OUD_INSTANCE/bin/ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w "<OUD Password>" -f ojd_user_schema_add.ldif

$OUD_INSTANCE/bin/ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -w "<OUD Password>" -Z -X -a -f ojd_user_index_generic.ldif

$OUD_INSTANCE/bin/ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w "<OUD Password>" -f ojd_oam_pwd_schema_add.ldif

Rebuild the indexes online:

$OUD_INSTANCE/bin/rebuild-index -h localhost -p 4444 -D "cn=Directory Manager" -j /home/oracle/oud_script/passwd.txt -X --baseDN dc=oud,dc=tigeritbd,dc=com \
 --index obgroupadministrator \
 --index obid \
 --index oblocationdn \
 --index oblocationname \
 --index oblocationtitle \
 --index obrectangle \
 --index obdirectreports \
 --index obindirectmanager \
 --index obuseraccountcontrol \
 --index obparentlocationdn \
 --index obgroupcreator \
 --index obgroupsubscriptiontype \
 --index obgroupdynamicfilter \
 --index obgroupexpandeddynamic \
 --index obgroupsubscriptionfilter \
 --index obgroupsubscribemessage \
 --index obgroupunsubscribemessage \
 --index obgroupsubscribenotification \
 --index obgrouppuredynamic

Finally, when the index rebuild is successful it displays "Rebuild Index Task <Task Number> has been successfully completed".

Creating the Global ACI for OUD
This grants the AdminGroup created in step 3 (cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com) access to the external changelog (cn=changelog), which is required for LDAP synchronization.

cd $OUD_INSTANCE/bin
./dsconfig set-access-control-handler-prop \
 --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; allow(read,search,compare,add,write,delete,export) groupdn=\"ldap:///cn=AdminGroup,cn=systemids,dc=oud,dc=tigeritbd,dc=com\";)" \
 --hostname localhost \
 --port 4444 \
 --trustAll \
 --bindDN cn="Directory Manager" \
 --bindPasswordFile /home/oracle/oud_script/passwd.txt \
 --no-prompt

Verification of Global ACI:

./dsconfig -h localhost -p 4444 -D cn="Directory Manager" -j /home/oracle/oud_script/passwd.txt  -n \
  get-access-control-handler-prop \
  --trustAll \
  --property global-aci

Restart the OUD service using stop-ds and start-ds.

13. USER IDENTITY STORE REGISTRATION WITH ORACLE UNIFIED DIRECTORY

Create a User Identity Store
1. Go to Configuration -> User Identity Store.

2. Click on "+Create" to create a User Identity Store with the following values:

Store Name             : OUDIdentityStore
Store Type             : OUD: Oracle Unified Directory
Location               : <hostname>:1389
Bind DN                : cn=OAMAdmin,cn=systemids,dc=oud,dc=tigeritbd,dc=com
Password               : Provide OAMAdmin User password
Login ID Attribute     : uid
User Password Attribute: userPassword
User Search Base       : cn=Users,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com
User Filter Object Classes    : inetOrgPerson
Group Search Base      : cn=Groups,cn=oracleAccounts,dc=oud,dc=tigeritbd,dc=com

Click on Apply.

14. OAM POLICY MANAGER MANAGED SERVER

Start OAM Policy Manager
Before starting the OAM Policy Manager server, copy the boot.properties file into its security directory so that the managed server can be started and stopped without a password prompt.

$ cd $OAM_DOMAIN_HOME/servers
$ mkdir -p oam_policy_mgr1/security
$ cp AdminServer/security/boot.properties oam_policy_mgr1/security

Start OAM Policy Manager

$OAM_DOMAIN_HOME/bin/startManagedWebLogic.sh oam_policy_mgr1

URL:  http://<hostname>:14150/access
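boot.properties lets the managed server start without prompting, but it carries the admin credentials: WebLogic encrypts them on first boot with a key derived from the domain's SerializedSystemIni.dat, so the file is only as secret as its permissions. The following added example, not part of the original article, performs the copy from this section and from section 10 with owner-only permissions and then lists any servers/*/security/boot.properties that group or others can read. The default path is the article's $OAM_DOMAIN_HOME; the function names are the example's own.

```python
import os
import shutil
import stat

def stage_boot_properties(domain_home, server):
    # Copy AdminServer's boot.properties into <server>/security as the article does, but create
    # the directory and file so that only the owner (the oracle user) can read them.
    src = os.path.join(domain_home, "servers", "AdminServer", "security", "boot.properties")
    sec_dir = os.path.join(domain_home, "servers", server, "security")
    os.makedirs(sec_dir, mode=0o700, exist_ok=True)
    dst = os.path.join(sec_dir, "boot.properties")
    shutil.copyfile(src, dst)          # copyfile copies content only, not the source's mode bits
    os.chmod(dst, 0o600)
    return dst

def exposed_boot_properties(domain_home):
    # List every servers/*/security/boot.properties that group or others can read or write.
    found = []
    servers = os.path.join(domain_home, "servers")
    for name in sorted(os.listdir(servers)):
        path = os.path.join(servers, name, "security", "boot.properties")
        if os.path.isfile(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            found.append(path)
    return found

if __name__ == "__main__":
    # Hypothetical usage; the default is the article's $OAM_DOMAIN_HOME.
    home = os.environ.get("OAM_DOMAIN_HOME", "/oracle/Middleware/user_projects/domains/IAMAccessDomain")
    for name in ("oam_server1", "oam_policy_mgr1"):
        print("staged", stage_boot_properties(home, name))
    for path in exposed_boot_properties(home):
        print("readable by group or others:", path)
```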