OAM Server



Please ensure that you have followed the steps on the Before you begin page before starting the product installation.

Downloads

Component Location

Oracle Identity and Access Management 11g (11.1.2.2.0)
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html

Oracle Fusion Middleware Repository Creation Utility 11g (11.1.2.2.0)

Consult the Oracle certification matrix before deciding on the product version. The certification matrices are available at 
  1. System Requirements and Supported Platforms for Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) ( xls)
  2. System Requirements and Supported Platforms for Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) ( xls)
  3. System Requirements and Supported Platforms for Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) ( xls)
All Fusion Middleware certification matrices are maintained at http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html 

If you have a valid Oracle Support contract, download the products from the Oracle Software Delivery Cloud (edelivery, https://edelivery.oracle.com) instead.

IAM Product Suite Installation

  1. Unzip the installer archives and run the installer (the patch numbers below are the ones used for this write-up; use the archives that match the version you chose from the certification matrix) 

    su - oimuser
    cd downloads
    mkdir oim
    cd oim
    unzip ../p14383363_111200_Generic_1of2.zip
    unzip ../p14383363_111200_Generic_2of2.zip  
    cd Disk1
    ./runInstaller -jreLoc /opt/java -invPtrLoc /opt/fmw/inventory/oraInst.loc


  2. Install with following configuration 

    Name Value
    Inventory /opt/fmw/inventory
    Operating System Group Name oimgroup
    Continue installing with local inventory checked
    Skip Software Update checked
    Oracle Middleware Home /opt/fmw/Middleware
    Oracle Home Directory Oracle_IDM1


  3. Summary Information:
    Location:
    Middleware Home Location: /opt/fmw/Middleware
    Oracle Home Location: /opt/fmw/Middleware/Oracle_IDM1
    Disk Space:
    Required: 1300 MB
    Available: 11476 MB
    Free After Install: 10176 MB

  4. Applications Installed 
    1. Oracle Identity Manager Server
    2. Oracle Identity Manager Design Console
    3. Oracle Identity Manager Remote Manager
    4. Oracle Access Manager
    5. Oracle Identity Navigator
    6. Oracle Adaptive Access Manager
    7. Oracle Access Management Mobile and Social
    8. Oracle Privileged Account Manager
    9. Oracle Entitlement Server

Configuration

RCU

  1. Before you start, ensure that the database is running. It can be started with 

    su - oracle
    export ORACLE_HOME=/opt/oracle/db/product/11.2.0/dbhome_1
    $ORACLE_HOME/bin/dbstart $ORACLE_HOME


    Ensure that the /etc/oratab entry for the database ends with Y so that dbstart starts it automatically.


    OIMDB:/opt/oracle/db/product/11.2.0/dbhome_1:Y


  2. Unzip the installer and start the RCU 

    su - oimuser
    cd downloads
    unzip p14383346_111200_LINUX.zip
    cd rcuHome/bin
    ./rcu 


  3. Configure the following 

    Name Value
    Create Repository Create
    Database Connection Details
    Database Type Oracle
    Host Name oam11gr2.aps.dev
    Port 1521
    Service Name OIMDB
    User Name SYS
    Select Components
    Oracle Access Manager Checked
    Create a new Prefix OAM11GR2
    Schema Password
    Use Same password for all schemas
    OAM Schema Tablespace Mapping
    Select default values


    Consider creating a separate tablespace and schema user for the RDBMS Security Store database if you intend to enable it (it is left disabled in the domain configuration below).


Weblogic Domain Configuration

  1. Start Weblogic Domain configuration wizard 

    su - oimuser
    mkdir /opt/fmw/domains
    cd /opt/fmw/Middleware/Oracle_IDM1/common/bin/
    ./config.sh  


  2. Create a new Weblogic Domain with following configuration 

    Name Value
    Create a New Weblogic Domain checked
    Generate a domain configured automatically to support the following products:
      Oracle Access Manager - 11.1.2.0.0 [Oracle_IDM1]
      This automatically selects:
        OPSS - 11.1.1.0 [Oracle_IDM1]
        Oracle JRF - 11.1.1.0 [oracle_common]
      Oracle Enterprise Manager - select this explicitly.
    Domain Name oam
    Domain Location /opt/fmw/domains (the wizard creates the domain below this directory, i.e. at /opt/fmw/domains/oam)
    Application Location /opt/fmw/domains/apps
    Administrator User Name weblogic
    User Password <your password>
    Weblogic Domain Startup Mode Production Mode
    JDK Selection Other JDK (/opt/java)
    Configure JDBC Component Schema See Below for details
    Configure the various aspect of Optional Configurations See Below for details


    JDK Selection changed to point to /opt/java instead of /opt/java1.6.0_30

    1. JDBC Component Schema

      Name Value
      Vendor Oracle
      Driver Oracle's Driver (Thin) for Service connections; Version 9.0.1
      DBMS/Service OIMDB
      Host oam11gr2.aps.dev
      Port 1521
      Schema Password <your password>



      On the next panel, leave "Configure selected component as RAC multi data source schemas" unchecked (single-instance database) and confirm the schema owners:

      Component Schema Schema Owner
      OAM Infrastructure OAM11GR2_OAM
      OPSS Schema OAM11GR2_OPSS


    2. Administration Server

      Name Value
      Name AdminServer
      Listen Address All Local Addresses
      Listen Port 7001
      SSL Enabled checked
      SSL Listen Port 7002


    3. Configure Managed Server

      Name         Listen address       Listen port   SSL Listen Port   SSL Enabled
      oam_server1  All local addresses  14100         14101             unchecked

      The SSL listen port is only used if SSL Enabled is checked.


    4. Configure Cluster 

      No cluster is configured for this single managed server setup; leave Name, Cluster Messaging Mode, Multicast Address, Multicast Port and Cluster Address empty.

    5. Configure Machine 

      Name      Node Manager Listen Address   Listen Port   Post Bind GID (Unix)   Post Bind UID (Unix)
      oam11gr2  All Local Addresses           5556          (blank)                (blank)


    6. Assign Servers to Machines 

      Server       Machine
      oam_server1  oam11gr2
      AdminServer  (left unassigned)



    7. Target Deployments/Services - default assignment.
    8. JMS File Store - default assignment (the directory name matches the JMS store name).
    9. RDBMS Security Store Database - leave it disabled.

    10. The configuration of domain starts and completes after the summary screen.
  3. The domain is installed and configured at 

    Domain Location /opt/fmw/domains/oam
    Admin Server http://oam11gr2.aps.dev:7001


  4. OAM 11g R2 PS2 adds a step to upgrade the OPSS database schema with the Patch Set Assistant

    /opt/fmw/Middleware/oracle_common/common/bin/psa.sh


    Name Value
    Select Component In the Select Component screen, select only the Oracle Platform Security Services schema. NOTE: Do not select any other component listed on that screen.
    Schema The schema name is prefix_OPSS, i.e. OAM11GR2_OPSS for the prefix used above.


  5. Migrate the local WebLogic security store (the file-based OPSS store) to the OPSS database schema 

    /opt/fmw/Middleware/oracle_common/common/bin/wlst.sh /opt/fmw/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /opt/fmw/domains/oam -m create -c IAM -p $ORACLE_DATABASE_PASS 
    /opt/fmw/Middleware/oracle_common/common/bin/wlst.sh /opt/fmw/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /opt/fmw/domains/oam -m validate


    -d is the domain directory created above and -p is the password of the OPSS schema (OAM11GR2_OPSS). The password is visible in the process list for the life of the command and, if typed literally, in the shell history; keep it in a variable such as $ORACLE_DATABASE_PASS as shown and unset it afterwards. The validate run must complete without errors before the Admin Server is started.


  6. Start Node Manager and the WebLogic Admin Server 

    su - oimuser
    # One time configuration
    cd /opt/fmw/Middleware/oracle_common/common/bin
    ./setNMProps.sh
    # This creates /opt/fmw/Middleware/wlserver_10.3/common/nodemanager/nodemanager.properties with StartScriptEnabled=true (needed to start managed servers through Node Manager)
    exit
    su - oimuser
    cd /opt/fmw/temp 
    nohup /opt/fmw/Middleware/wlserver_10.3/server/bin/startNodeManager.sh &
    nohup /opt/fmw/domains/oam/bin/startWebLogic.sh -Dweblogic.management.username=weblogic -Dweblogic.management.password=<password> -Dweblogic.system.StoreBootIdentity=true & tail -f nohup.out
    
    # After the admin server has started the first time, copy the boot.properties file to the other servers
    cd /opt/fmw/domains/oam/servers
    mkdir -p oam_server1/security
    cp AdminServer/security/boot.properties oam_server1/security/
    chmod 600 oam_server1/security/boot.properties


    The username and password passed on the command line are visible to every local user in ps output (and in the shell history if typed rather than pasted) until the process exits. -Dweblogic.system.StoreBootIdentity=true writes them to servers/AdminServer/security/boot.properties, which WebLogic encrypts on that first start, so later starts need neither option. The encrypted file is tied to the domain's security/SerializedSystemIni.dat, which is why the same file works for oam_server1 in this domain but not in another domain. Keep the file readable only by its owner.

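The step above copies a boot identity file between servers; the check below, an added example that is not part of the original page and not an Oracle tool, walks a domain's servers/ tree and flags boot.properties files that are missing, group/world readable, or still hold plaintext credentials (WebLogic rewrites the values with an {AES} prefix on the first start that uses the file). The sample domain it builds is constructed for the dry run; point check_boot_identity at the real DOMAIN_HOME in use.

```python
"""Pre-start check of WebLogic boot identity files in an OAM domain.

Added example (not from the original page and not an Oracle tool). It walks
DOMAIN_HOME/servers/*/security/boot.properties and flags files that are
missing, group/world accessible, or still hold plaintext credentials.
WebLogic encrypts the username/password values ({AES}... prefix) the first
time the server starts with that file; a copy that was hand-written, or
copied before that first start, still contains cleartext.
"""
import os
import stat
import tempfile
from pathlib import Path


def _parse_properties(text):
    """Minimal reader for java.util.Properties style key=value lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_boot_identity(domain_home):
    """Return {server_name: [findings]}; an empty list means that server is clean."""
    results = {}
    servers_dir = Path(domain_home) / "servers"
    for server_dir in sorted(p for p in servers_dir.iterdir() if p.is_dir()):
        findings = []
        boot = server_dir / "security" / "boot.properties"
        if not boot.is_file():
            findings.append("boot.properties missing: startup will prompt for credentials")
        else:
            mode = stat.S_IMODE(boot.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("boot.properties mode %o is group/world accessible; chmod 600" % mode)
            props = _parse_properties(boot.read_text())
            for key in ("username", "password"):
                value = props.get(key)
                if value is None:
                    findings.append("%s= is absent" % key)
                elif not value.startswith("{AES}"):
                    findings.append("%s= is plaintext; start the server once so WebLogic encrypts it" % key)
        results[server_dir.name] = findings
    return results


def build_sample_domain():
    """Constructed sample domain tree (not a real OAM domain) for a dry run:
    AdminServer is clean, oam_server1 was copied with lax permissions before
    encryption, oam_server2 has no boot.properties at all."""
    root = Path(tempfile.mkdtemp(prefix="oamdomain-"))
    samples = {
        "AdminServer": ("username={AES}Zm9v\npassword={AES}YmFy\n", 0o600),
        "oam_server1": ("username=weblogic\npassword=<password>\n", 0o644),
    }
    for server, (content, mode) in samples.items():
        sec = root / "servers" / server / "security"
        sec.mkdir(parents=True)
        boot = sec / "boot.properties"
        boot.write_text(content)
        os.chmod(boot, mode)
    (root / "servers" / "oam_server2").mkdir()
    return str(root)


if __name__ == "__main__":
    for server, findings in check_boot_identity(build_sample_domain()).items():
        print(server, "OK" if not findings else "; ".join(findings))
```

Run it as the domain owner before starting the managed servers; a server reported with plaintext values is one whose file was copied before the admin server's first start, or written by hand, and should be started once (so WebLogic encrypts it) before the file is copied anywhere else.
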

Verification

Before you start ensure that you have enough memory to start various components

  1. Start all the servers.
  2. Check the accessibility of the following URLs
    Both URLs are protected and are accessible with the weblogic user/password used when creating the WebLogic domain.
    1. http://oam11gr2.aps.dev:7001/console
    2. http://oam11gr2.aps.dev:7001/oamconsole

Post configuration steps

Integration with Web server

For OAM you can perform the following configuration to ensure that all OAM traffic passes through the web server installed and configured earlier.
  1. Configure the Access Manager server settings so that WebLogic redirects correctly when a user reaches the OAM Console from outside the box.
    1. Login to http://oam11gr2.aps.dev/oamconsole using the weblogic user
    2. System Configuration → Access Manager (left column) → Access Manager Settings
      In OAM 11gR2 PS2: Launch Pad → Access Manager Settings
    3. Set the OAM Server host, port and protocol to the externally reachable web server values (here 192.168.56.11, port 80, http)


      This configuration is also present in $DOMAIN_HOME/config/fmwconfig/oam-config.xml 

      <Setting Name="OAMServerProfile" Type="htf:map">
       <Setting Name="OAMSERVER" Type="htf:map">
        <Setting Name="serverhost" Type="xsd:string">192.168.56.11</Setting>
        <Setting Name="serverport" Type="xsd:string">80</Setting>
        <Setting Name="serverprotocol" Type="xsd:string">http</Setting>
       </Setting>
      </Setting>


      Note
      If you want to change the value directly in oam-config.xml, shut down all the WebLogic servers in the domain, edit the file, increase the Version number in the file by one and then restart the servers for the change to take effect.
    4. If needed, the host and port details can also be updated in the following locations so that the system can be reached from outside the OAM server environment (through the web server).
      1. Federation Settings → General → Provider ID
      2. OpenID realm 

        <Setting Name="spglobal" Type="htf:map">
         <Setting Name="commondomainurl" Type="xsd:string">http://hostname:port/oamfed/sp/introsso</Setting>
         <Setting Name="continuediscoverypath" Type="xsd:string">/discsso</Setting>
         <Setting Name="defaultssoidp" Type="xsd:string"></Setting>
         <Setting Name="idpdiscoveryserviceurl" Type="xsd:string">/oamfed/discovery.jsp</Setting>
         <Setting Name="openid20realm" Type="xsd:string">http://oam11gr2.aps.dev:14100</Setting>


      3. Logout URL for the IAMSuiteAgent (SSO Agents → IAMSuiteAgent) and for accessgate-oic (SSO Agents → accessgate-oic)

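The note above says a hand edit of oam-config.xml only takes effect if the file's Version is incremented. The script below is an added example (not from the original page and not an Oracle utility) that makes the OAMSERVER host/port/protocol change and the Version bump together, so neither is forgotten. It assumes the element layout shown above and a Setting Name="Version" Type="xsd:integer" somewhere in the file; the lookup is depth- and namespace-independent, so the trimmed sample it embeds (constructed, not a real oam-config.xml) stands in for the much larger real file. All WebLogic servers in the domain must be stopped before the result is written back.

```python
"""Offline edit of oam-config.xml: set the OAMSERVER host/port/protocol and
bump the file's Version, as required for a hand edit to take effect.

Added example, not from the original page and not an Oracle utility. It
assumes Setting Name="OAMServerProfile" containing Setting Name="OAMSERVER"
with serverhost/serverport/serverprotocol, plus a Setting Name="Version"
Type="xsd:integer" somewhere in the file.
"""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this script touches.
SAMPLE_OAM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Setting Name="Version" Type="xsd:integer">41</Setting>
  <Setting Name="OAMServerProfile" Type="htf:map">
    <Setting Name="OAMSERVER" Type="htf:map">
      <Setting Name="serverhost" Type="xsd:string">oam11gr2.aps.dev</Setting>
      <Setting Name="serverport" Type="xsd:string">14100</Setting>
      <Setting Name="serverprotocol" Type="xsd:string">http</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _local(tag):
    """'{namespace}Setting' -> 'Setting'."""
    return tag.rsplit("}", 1)[-1]


def _find_setting(parent, name):
    """First <Setting Name=name> at or below parent, ignoring namespaces."""
    for el in parent.iter():
        if _local(el.tag) == "Setting" and el.get("Name") == name:
            return el
    return None


def _oamserver(root):
    profile = _find_setting(root, "OAMServerProfile")
    server = _find_setting(profile, "OAMSERVER") if profile is not None else None
    if server is None:
        raise KeyError("OAMServerProfile/OAMSERVER not found")
    return server


def read_oam_server_profile(xml_text):
    """Return the current {serverhost, serverport, serverprotocol}."""
    server = _oamserver(ET.fromstring(xml_text))
    return {name: _find_setting(server, name).text
            for name in ("serverhost", "serverport", "serverprotocol")}


def update_oam_server_profile(xml_text, host, port, protocol):
    """Return (new_xml_text, new_version) with the front-end values replaced
    and Version incremented by one."""
    if protocol not in ("http", "https"):
        raise ValueError("serverprotocol must be http or https")
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep a default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    server = _oamserver(root)
    for name, value in (("serverhost", host), ("serverport", str(port)), ("serverprotocol", protocol)):
        el = _find_setting(server, name)
        if el is None:
            raise KeyError(name)
        el.text = value
    version = _find_setting(root, "Version")
    if version is None or not (version.text or "").strip().isdigit():
        raise KeyError('integer Setting Name="Version" not found')
    new_version = int(version.text) + 1
    version.text = str(new_version)
    return ET.tostring(root, encoding="unicode"), new_version


if __name__ == "__main__":
    new_xml, version = update_oam_server_profile(SAMPLE_OAM_CONFIG, "192.168.56.11", 80, "http")
    print("Version now", version, read_oam_server_profile(new_xml))
    # For a real file, write new_xml back with an XML declaration, e.g.
    # open(path, "w", encoding="UTF-8").write('<?xml version="1.0" encoding="UTF-8"?>\n' + new_xml)
```

Keep a copy of the original file before writing; if the console is later used to change the same setting it will bump Version again, which is expected.
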
Enabling services

Once the OAM server has been installed and configured, the other services besides Access Manager must be enabled before they can be used. These are
  1. Identity Federation
  2. Security Token Service
  3. Mobile and Social
  4. Access Portal Service
To enable these services
  1. Login to the OAM console (/oamconsole) as weblogic (or another administrator user)
  2. Go to Common Configuration → Available Services
  3. Enable only the services you are licensed for and actually need; every enabled service is additional exposed functionality. Access Portal Service needs additional steps before it can be enabled.

Configure Common Settings, including Session-timing


The common settings cover the following items and are configured according to your requirements
  1. Session Management - the details of these settings are on the Session Management page.

  2. Coherence Settings - these are typically not changed without input from Oracle Support. Problems arise when two servers that belong to different WebLogic domains (or different OAM deployments) share the same Coherence cluster address/port combination; this typically happens when VM copies are used to create new environments. If the Coherence port is changed, the OAM server must be restarted for the new setting to take effect.

  3. Audit Settings - configure the out-of-the-box auditing performed by the OAM server. More details are on the Audit Details page.

  4. System Stores - although the default and system stores are shown on the Common Settings screen, they are changed under User Identity Stores (in System Configuration).

Configure Certificate Validation

The Security Token Service can validate the revocation status of a certificate presented in a transaction against either a configured certificate revocation list (CRL) or an OCSP responder URL. If enabled, the system can also follow the CRL distribution point (CDP) embedded in the certificate to check its revocation status.

Additional features such as an HTTP proxy for reaching the OCSP responder and support for multiple OCSP URLs are described at http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/common.htm#CACHFJDF.

Register Data sources

Although several kinds of data sources form part of OAM, the session store, the audit store (see above) and the user identity stores are the ones typically reviewed and updated as part of the installation.

User Identity Store

A separate user identity store should be set up for a scalable solution: the WebLogic embedded LDAP performs best with fewer than 10,000 users and does not provide a highly available, disaster-resistant store. More details about the store are in the architecture section.

  1. Ensure that a supported (see certification matrix above for supported directories) directory is installed.
  2. Extend the directory server's schema using idmConfigTool as described below. Note that idmConfigTool supports only OID and OUD as native directories; all other directories must be proxied through OVD (Oracle Virtual Directory).
    1. Create a file /opt/oam/tmp/idmconfigtool/extendOAMPropertyfile with the details about the environment that needs to be extended.

      IDSTORE_HOST: localhost
      IDSTORE_PORT: 1389
      IDSTORE_BINDDN: cn=Directory Manager
      IDSTORE_USERNAMEATTRIBUTE: cn
      IDSTORE_LOGINATTRIBUTE: uid
      IDSTORE_USERSEARCHBASE: ou=users,ou=enterprise,dc=acme,dc=com
      IDSTORE_GROUPSEARCHBASE: ou=groups,ou=enterprise,dc=acme,dc=com
      IDSTORE_SEARCHBASE: ou=enterprise,dc=acme,dc=com
      IDSTORE_SYSTEMIDBASE: cn=users,ou=oamconsole,ou=apps,dc=acme,dc=com


      IDSTORE_SEARCHBASE is the location in the directory under which users and groups are stored; it is the parent of IDSTORE_USERSEARCHBASE and IDSTORE_GROUPSEARCHBASE.

      IDSTORE_SYSTEMIDBASE is the container where system (service) accounts are stored so that they are kept separate from the enterprise users in the main user container. NOTE: 
      1. The DN of IDSTORE_SYSTEMIDBASE must start with a cn= RDN; otherwise the setup does not complete properly and automation.log shows the following error

        WARNING: [LDAP: error code 68 - The entry ou=oamconsole,ou=apps,dc=acme,dc=com cannot be added because an entry with that name already exists] 

      2. The DN of IDSTORE_SYSTEMIDBASE should not exist in the system.
    2. Execute the following script  in the /opt/oam/tmp/idmconfigtool/ directory


      [demo@oiam11gr2ps2 idmconfigtool]$ export MW_HOME=/opt/fmw
      [demo@oiam11gr2ps2 idmconfigtool]$ export JAVA_HOME=/opt/java
      [demo@oiam11gr2ps2 idmconfigtool]$ export ORACLE_HOME=/opt/fmw/Oracle_IDM1/
      [demo@oiam11gr2ps2 idmconfigtool]$ $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -preConfigIDStore input_file=./extendOAMPropertyfile

      Enter ID Store Bind DN password :
      Enter ID Store Bind DN password : Cannot connect to the OUD Admin connector
      Jul 16, 2014 10:03:11 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING: /opt/fmw/Oracle_IDM1//oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif
      Jul 16, 2014 10:03:12 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING: /opt/fmw/Oracle_IDM1//oam/server/oim-intg/ldif/ojd/schema/ojd_user_schema_add.ldif
      Jul 16, 2014 10:03:12 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING: /opt/fmw/Oracle_IDM1//idmtools/templates/oud/add_oraclecontext_container.ldif
      Jul 16, 2014 10:03:12 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING: /opt/fmw/Oracle_IDM1//idmtools/templates/oud/idm_idstore_groups_template.ldif
      Jul 16, 2014 10:03:12 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING: /opt/fmw/Oracle_IDM1//idmtools/templates/oud/idm_idstore_groups_acl_template.ldif
      Jul 16, 2014 10:03:14 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING: /opt/fmw/Oracle_IDM1//idmtools/templates/oud/systemid_pwdpolicy.ldif
      Jul 16, 2014 10:03:14 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING: /opt/fmw/Oracle_IDM1//idmtools/templates/oud/fa_pwdpolicy.ldif
      The tool has completed its operation. Details have been logged to automation.log
    3. automation.log should contain the following
      Jul 16, 2014 10:03:08 AM oracle.idm.automation.util.Util setLogger
      WARNING: Logger initialized in warning mode
      Jul 16, 2014 10:03:11 AM oracle.idm.automation.AutomationTool preConfig
      WARNING: POLICYSTORE_SHARES_IDSTORE not provided. Defaulting to "true"
      Jul 16, 2014 10:03:12 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler addPasswordSchema
      INFO: Attribute obpasswordexpirydate has been added to the schema
      Jul 16, 2014 10:03:12 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler addPasswordSchema
      INFO: Objectclass OIMPersonPwdPolicy has been added to the schema
      Jul 16, 2014 10:03:12 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler addOblixSchema
      INFO: Attribute oblix attributes have been added to the schema
      Jul 16, 2014 10:03:12 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler addOblixSchema
      INFO: Objectclass oblix indexes have been added to the schema
      Jul 16, 2014 10:03:12 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler createPwdPolicyContainer
      INFO: OracleContext containers sucessfully created
      Jul 16, 2014 10:03:12 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler indexAttributes
      INFO: Objectclass oblix indexes have been added to the schema
      Jul 16, 2014 10:03:12 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler createGroupsForIntegration
      INFO: Privilege Groups have been created
      Jul 16, 2014 10:03:14 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler addACIsForOUD
      INFO: Privilege groups ACIs have been created
      Jul 16, 2014 10:03:14 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler createSystemIDContainer
      INFO: System ID Container has been created
      Jul 16, 2014 10:03:14 AM oracle.idm.automation.impl.oud.handlers.OUDIntegrationHandler addFAPwdPolicy
      INFO: FA password policy has been created
      Jul 16, 2014 10:03:14 AM oracle.idm.automation.AutomationTool dumpConfig
      INFO: Configuration details have been dumped to the file idmDomainConfig.param

    4. If the tool succeeds, the directory now contains the containers, groups and password policies listed in the log above. The script also adds ACIs (access control instructions) to the user and group containers; review them, since they define what the OAM service accounts and privilege groups may read and modify.

    5. Create a file /opt/oam/tmp/idmconfigtool/createOAMUsersPropertyfile describing the OAM users and groups to create.

      IDSTORE_HOST: localhost
      IDSTORE_PORT: 1389
      IDSTORE_BINDDN: cn=Directory Manager
      IDSTORE_USERNAMEATTRIBUTE: cn
      IDSTORE_LOGINATTRIBUTE: uid
      IDSTORE_USERSEARCHBASE: ou=users,ou=enterprise,dc=acme,dc=com
      IDSTORE_GROUPSEARCHBASE: ou=groups,ou=enterprise,dc=acme,dc=com
      IDSTORE_SEARCHBASE: ou=enterprise,dc=acme,dc=com
      IDSTORE_SYSTEMIDBASE: cn=users,ou=oamconsole,ou=apps,dc=acme,dc=com
      POLICYSTORE_SHARES_IDSTORE: true
      OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
      IDSTORE_OAMSOFTWAREUSER: oamLDAP
      IDSTORE_OAMADMINUSER: oamadmin


    6. Execute the following script to create the OAM users. executeOAMUsers.sh is a local wrapper; the underlying command is idmConfigTool.sh -prepareIDStore mode=OAM input_file=./createOAMUsersPropertyfile, run from the same directory with MW_HOME, JAVA_HOME and ORACLE_HOME set as in step 2. The tool prompts for the bind DN password and for each new account's password; use distinct, strong passwords for oamLDAP and oamadmin, since oamLDAP is the credential OAM itself uses to bind to the directory.

      [demo@oiam11gr2ps2 idmconfigtool]$ ./executeOAMUsers.sh 

      Enter ID Store Bind DN password : 

      *** Creation of Oblix Anonymous User ***
      Jul 16, 2014 10:07:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oam_10g_anonymous_user_template.ldif
      Enter User Password for oblixanonymous: 
      Confirm User Password for oblixanonymous: 

      *** Creation of oamadmin ***
      Jul 16, 2014 10:07:28 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oam_user_template.ldif
      Enter User Password for oamadmin: 
      Confirm User Password for oamadmin: 

      *** Creation of oamLDAP ***
      Jul 16, 2014 10:07:35 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oim_user_template.ldif
      Enter User Password for oamLDAP: 
      Confirm User Password for oamLDAP: 
      Jul 16, 2014 10:07:41 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/common/oam_user_group_read_acl_template.ldif
      Jul 16, 2014 10:07:41 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oim_group_template.ldif
      Jul 16, 2014 10:07:41 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/common/oam_group_member_template.ldif
      Jul 16, 2014 10:07:41 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/common/oam_group_member_template.ldif
      Jul 16, 2014 10:07:41 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oam_user_write_acl.ldif
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/fa_add_pwdpolicy.ldif
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/fa_add_pwdpolicy.ldif
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/esso_schema_extn.ldif

      *** Creation of CO ***
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/common/orgunit_template.ldif

      *** Creation of People ***
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/common/orgunit_template.ldif

      *** Creation of vgoLocator ***
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/common/orgunit_template.ldif

      *** Creation of CO ***
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oam_group_acl_template.ldif

      *** Creation of People ***
      Jul 16, 2014 10:07:42 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oam_group_acl_template.ldif

      *** Creation of vgoLocator ***
      Jul 16, 2014 10:07:43 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
      INFO: -> LOADING:  /opt/fmw/Oracle_IDM1//idmtools/templates/oud/oam_group_acl_template.ldif

      The tool has completed its operation. Details have been logged to automation.log


      The following is the output in the automation.log file 

      Jul 16, 2014 10:07:12 PM oracle.idm.automation.util.Util setLogger
      WARNING: Logger initialized in warning mode
      Jul 16, 2014 10:07:28 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createOblixAnonymousUser
      INFO: Oblix Anonymous User has been created
      Jul 16, 2014 10:07:35 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createOAMAdminUser
      INFO: OAM Admin User has been created
      Jul 16, 2014 10:07:41 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createOAMSoftwareUser
      INFO: OAM Software User has been created
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler createOAMAdminGroup
      FINER: ENTRY
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler createOAMAdminGroup
      FINE:  Admin Group: adminGroup:OAMAdministrators
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler createOAMAdminGroup
      FINE:  Admin Group: file:oud/oim_group_template.ldif
      Jul 16, 2014 10:07:41 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createOAMAdminGroup
      INFO: OAM Admin group created successfully
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler createOAMAdminGroup
      FINER: RETURN
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler addUsertoOAMAdminGroup
      FINER: ENTRY
      Jul 16, 2014 10:07:41 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler addUsertoOAMAdminGroup
      INFO: OAM Admin User has been added as a member of OAM Admin Group
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler addUsertoOAMAdminGroup
      FINER: RETURN
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler addOAMAdminGroupToIDMAdminGroup
      FINER: ENTRY
      Jul 16, 2014 10:07:41 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler addOAMGroupToWebLogicAdminGroup
      INFO: OAM Admin Group has been added as a member of IDM Admin Group
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler addOAMAdminGroupToIDMAdminGroup
      FINER: RETURN
      Jul 16, 2014 10:07:41 PM OAMPreIntegrationHandler createOAMWritePrivGroup
      FINER: ENTRY
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createOAMWritePrivGroup
      INFO: OAM Write Privilege Group with OAM User as its member has been created
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler addPwdPolicyToUsers
      INFO: Password policy has been added to OAM Admin user
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler addPwdPolicyToUsers
      INFO: Password policy has been added to OAM software user
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler extendSchemaForEsso
      INFO: Created ESSO Object Classes
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createESSOOrgUnit
      INFO: CO has been created
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createESSOOrgUnit
      INFO: People has been created
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler createESSOOrgUnit
      INFO: vgoLocator has been created
      Jul 16, 2014 10:07:42 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler addESSOOrgUnitACL
      INFO: CO has been created
      Jul 16, 2014 10:07:43 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler addESSOOrgUnitACL
      INFO: People has been created
      Jul 16, 2014 10:07:43 PM oracle.idm.automation.impl.oam.handlers.OAMPreIntegrationHandler addESSOOrgUnitACL
      INFO: vgoLocator has been created
      Jul 16, 2014 10:07:43 PM oracle.idm.automation.AutomationTool dumpConfig
      INFO: Configuration details have been dumped to the file idmDomainConfig.param


    7. On successful completion, the directory holds the users and groups created from the property file (oblixanonymous, oamadmin, oamLDAP, OAMAdministrators and the privilege groups), plus entries that belong to the Enterprise Single Sign-On tooling (ou=CO, ou=People, ou=vgoLocator).

    8. Create a new group cn=Administrators with the same details (in particular the same members) as cn=OAMAdministrators. The name MUST match exactly because WebLogic's built-in security policy grants the Admin global role to the group named "Administrators"; a group with any other name is not treated as administrative. Membership of this group therefore equals full WebLogic administration, so keep it small and reviewed.

    9. Create and set up the identity store in the OAM console (User Identity Stores) with the host, port, bind credentials, search bases and attribute names matching the property file above; bind as the oamLDAP service account created for this purpose rather than as cn=Directory Manager.


    10. Once the identity store has been created, select it in the "System Store" dropdown and then select the administrator group (OAMAdministrators) from the new store as the administrator role.


      On changing the system store and clicking Apply, the following warning appears on screen

      OAMAdmin store has been chosen as System Store. To make it functional, manually change the ID Store settings at the OPSS level and configure the IDMDomainAgent.

      The system will also trigger validation of a user account in the new Identity Store to ensure that the user.
    11. After the setup, the Administration screen shows all the groups in the Administrator role.


    12. Create a new LDAP Authentication Module that uses the new Identity Store.

    13. Assign the new LDAP Authentication Module to the OAMAdminConsoleScheme authentication scheme.

    14. In the WebLogic console, on the Providers tab of the security realm, delete the IAMSuiteAgent authentication provider (described there as "provides single sign-on capability for administration consoles").


      Removing the IAMSuiteAgent provider ensures that only a single login page is displayed.

      If it is not removed, the user may be prompted to log in twice: once by the OAM server and again by the admin server.
    15. Restart all the servers.
Although the documentation says that, on a change of the system identity store, access for all active sessions is re-evaluated and sessions that differ are terminated (Reference), this may not happen in practice; do not rely on it, and verify that stale sessions are gone after the switch.

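The two idmConfigTool property files above (extendOAMPropertyfile and createOAMUsersPropertyfile) share a set of constraints that the tool only reports after it has partly run: the user and group search bases must sit under IDSTORE_SEARCHBASE, IDSTORE_SYSTEMIDBASE must be a cn= entry, and that entry must not already exist. The validator below is an added example, not from the original page and not part of Oracle's tooling, that checks those constraints before the tool touches the directory. Its embedded sample file is constructed to mirror the one above; the existing_dns parameter takes DNs you already know about (for instance from an ldapsearch dump), since the script does not contact the directory itself.

```python
"""Sanity-check an idmConfigTool property file before running
-preConfigIDStore / -prepareIDStore.

Added example, not from the original page and not part of Oracle's tooling.
It encodes the constraints stated in the guide: the two search bases must sit
under IDSTORE_SEARCHBASE, IDSTORE_SYSTEMIDBASE must be a cn= entry, and that
entry must not already exist (pass known DNs via existing_dns).
"""

REQUIRED_KEYS = (
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
    "IDSTORE_SEARCHBASE", "IDSTORE_SYSTEMIDBASE",
)

# Constructed sample mirroring the extendOAMPropertyfile above.
SAMPLE_PROPERTIES = """\
IDSTORE_HOST: localhost
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=Directory Manager
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: ou=users,ou=enterprise,dc=acme,dc=com
IDSTORE_GROUPSEARCHBASE: ou=groups,ou=enterprise,dc=acme,dc=com
IDSTORE_SEARCHBASE: ou=enterprise,dc=acme,dc=com
IDSTORE_SYSTEMIDBASE: cn=users,ou=oamconsole,ou=apps,dc=acme,dc=com
"""


def parse_property_file(text):
    """Parse 'KEY: value' lines (the tool also accepts 'KEY:value')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Case-fold and drop whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_under(child_dn, parent_dn):
    """True if child_dn is a strict descendant of parent_dn."""
    return normalize_dn(child_dn).endswith("," + normalize_dn(parent_dn))


def validate_idstore_properties(props, existing_dns=()):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    missing = [k for k in REQUIRED_KEYS if not props.get(k)]
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
        return problems  # the remaining checks need these values
    if not props["IDSTORE_PORT"].isdigit():
        problems.append("IDSTORE_PORT is not numeric")
    base = props["IDSTORE_SEARCHBASE"]
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE"):
        if not is_under(props[key], base):
            problems.append("%s is not under IDSTORE_SEARCHBASE" % key)
    sysid = props["IDSTORE_SYSTEMIDBASE"]
    if not normalize_dn(sysid).startswith("cn="):
        problems.append("IDSTORE_SYSTEMIDBASE must start with cn= (got %s)" % sysid)
    known = {normalize_dn(d) for d in existing_dns}
    if normalize_dn(sysid) in known:
        problems.append("IDSTORE_SYSTEMIDBASE already exists in the directory")
    return problems


if __name__ == "__main__":
    report = validate_idstore_properties(parse_property_file(SAMPLE_PROPERTIES))
    for line in report or ["OK"]:
        print(line)
```

A file that fails the cn= check would produce exactly the "error code 68 ... already exists" failure quoted above, because the tool would try to add the ou container that is already there instead of a new cn entry beneath it.
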
Session Database

By default, the session store is part of the policy database itself. There may be a need to separate the session database from the policy database, which can be done using the steps defined here. Note that such a migration, and any change from database to in-memory session persistence (or vice versa), requires an OAM server restart.

Register Agents for Access Manager


Register Application domains and policies that protect resources



Configure Common Password Policy


Configure Access Manager Settings.

