Preparing Identity and Policy Stores
Oracle Fusion Applications Installation: Preparing Identity and Policy Stores
Previous: Configuring Oracle Identity and Access Management components
Important Note: This is an old guide for the old version 11.1.1.5. Please follow the instructions at http://www.oratraining.com/blog/2012/12/oracle-fusion-applications-installation-step-by-step-guide-11-1-5/ for the latest guide for the current version, i.e. 11.1.5.
Now we will prepare the Identity and Policy stores, which creates the necessary users, groups, etc. This also generates a file called idmDomainConfig.param, which we need to specify while creating a provisioning plan; it automatically populates some of the required fields during provisioning plan creation.
Important Note: Please make sure to run all these commands from the same location, since they create or append to a file named idmDomainConfig.param in the current directory. Running them from the same directory ensures that all the content is appended into a single file.
Change the directory to <IAM_ORACLE_HOME>/idmtools/bin and export the required environment variables.
[oracle@fusion bin]$ cd /app/fusion/bea_default/Oracle_IAM/idmtools/bin
[oracle@fusion bin]$ export IDM_HOME=/app/fusion/bea_default/Oracle_IDM1
[oracle@fusion bin]$ export ORACLE_HOME=/app/fusion/bea_default/Oracle_IAM
[oracle@fusion bin]$ export MW_HOME=/app/fusion/bea_default
[oracle@fusion bin]$ export JAVA_HOME=/app/fusion/jdk6
Now create a file named policystore.props with the following contents.
[oracle@fusion bin]$ more policystore.props
POLICYSTORE_HOST : fusion
POLICYSTORE_PORT : 3060
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=localdomain
POLICYSTORE_CONTAINER: cn=jpsroot
Now run idmConfigTool.sh to configure the Policy store based on the above input file. Enter a password of your choice whenever prompted. We will stick to “oracle123” for now.
[oracle@fusion bin]$ ./idmConfigTool.sh -configPolicyStore input_file=policystore.props
Enter Policy Store Bind DN password :
…
Enter User Password for PolicyROUser:
Confirm User Password for PolicyROUser:
…
Enter User Password for PolicyRWUser:
Confirm User Password for PolicyRWUser:
…
The tool has completed its operation. Details have been logged to automation.log
Whenever you run this tool, it appends its log to automation.log in the same directory. You can check this as follows.
[oracle@fusion bin]$ ls -ltr
total 60
-rwxr-x--- 1 oracle oinstall 1169 Dec 2 2010 appidtool.sh
-rwxr-x--- 1 oracle oinstall 1139 Dec 2 2010 appidtool.bat
-rwxr-x--- 1 oracle oinstall 1593 Mar 28 2011 orclTenantManager.sh
-rwxr-x--- 1 oracle oinstall 2287 May 2 2011 orclTenantManager.bat
-rwxr-x--- 1 oracle oinstall 3005 May 3 2011 idmConfigTool.sh
-rwxr-x--- 1 oracle oinstall 3096 May 3 2011 idmConfigTool.bat
-rw-r--r-- 1 oracle oinstall 235 Jan 25 21:21 policystore.props
-rw-r----- 1 oracle oinstall 154 Jan 25 21:23 idmDomainConfig.param
-rw-r--r-- 1 oracle oinstall 1497 Jan 25 21:23 automation.log
As you can see, it has created two files: idmDomainConfig.param and automation.log.
Next we need to re-associate the policy store. Follow the steps below.
[oracle@fusion bin]$ cd /app/fusion/bea_default/oracle_common/common/bin/
[oracle@fusion bin]$ ./wlst.sh
…
Initializing WebLogic Scripting Tool (WLST) …
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
This will take you to a prompt which looks as follows. Enter the following command to connect to the WebLogic AdminServer.
wls:/offline>
connect("weblogic","oracle123","t3://fusion:7001")
Connecting to t3://fusion:7001 with userid weblogic …
Successfully connected to Admin Server ‘AdminServer’ that belongs to domain ‘IDM_domain’.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Once connected, run the following reassociateSecurityStore command: reassociateSecurityStore(domain="IDMDomain", admin="cn=orcladmin", password="oracle123", ldapurl="ldap://fusion:3060", servertype="OID", jpsroot="cn=jpsroot")
wls:/IDM_domain/serverConfig> reassociateSecurityStore(domain="IDMDomain",admin="cn=orcladmin",password="oracle123",ldapurl="ldap://fusion:3060",servertype="OID",jpsroot="cn=jpsroot")
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
Starting policy store reassociation.
…
Jps Configuration has been changed. Please restart the application server.
Enter the command exit() to quit the tool now.
wls:/IDM_domain/serverConfig> exit()
Exiting WebLogic Scripting Tool.
Now restart the WebLogic Server. We will use the shell scripts we created earlier to start/stop WebLogic. You can do this manually as well.
[oracle@fusion bin]$ ~/scripts/stopwls.sh
Stopping Weblogic Server
…
Shutting down the server AdminServer with force=false while connected to AdminServer …
..
Stopping Derby Server…
[oracle@fusion bin]$ ~/scripts/startwls.sh
Starting Weblogic Server
Again change the directory to <IAM_ORACLE_HOME>/idmtools/bin and create a file named extend.props with the following contents.
[oracle@fusion bin]$ cd /app/fusion/bea_default/Oracle_IAM/idmtools/bin
[oracle@fusion bin]$ more extend.props
IDSTORE_HOST : fusion
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain
IDSTORE_SEARCHBASE: dc=localdomain
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=localdomain
Make sure that all required environment variables are still set. There is no need to set them again if you are in the same terminal/PuTTY window.
[oracle@fusion bin]$ echo $IDM_HOME
/app/fusion/bea_default/Oracle_IDM1
[oracle@fusion bin]$ echo $ORACLE_HOME
/app/fusion/bea_default/Oracle_IAM
Again run idmConfigTool.sh. Enter a password of your choice whenever prompted. We will stick to “oracle123” for now.
[oracle@fusion bin]$ ./idmConfigTool.sh -preConfigIDStore input_file=extend.props
Enter ID Store Bind DN password :
…
The tool has completed its operation. Details have been logged to automation.log
Now create a file named oam.props with the following contents.
[oracle@fusion bin]$ more oam.props
IDSTORE_HOST : fusion
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain
IDSTORE_SEARCHBASE: dc=localdomain
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OAMSOFTWAREUSER:oamLDAP
IDSTORE_OAMADMINUSER:oamadmin
Again run idmConfigTool.sh. Enter a password of your choice whenever prompted. We will stick to “oracle123” for now.
[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=OAM input_file=oam.props
Enter ID Store Bind DN password :
…
Enter User Password for oblixanonymous:
Confirm User Password for oblixanonymous:
…
Enter User Password for oamadmin:
Confirm User Password for oamadmin:
…
Enter User Password for oamLDAP:
Confirm User Password for oamLDAP:
…
The tool has completed its operation. Details have been logged to automation.log
Now create a file named oim.props with the following contents.
[oracle@fusion bin]$ more oim.props
IDSTORE_HOST : fusion
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE:cn=Users,dc=localdomain
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain
IDSTORE_SEARCHBASE: dc=localdomain
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=localdomain
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP:OIMAdministrators
Again run idmConfigTool.sh. Enter a password of your choice whenever prompted. We will stick to “oracle123” for now.
[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props
Enter ID Store Bind DN password :
…
Enter User Password for oimadmin:
Confirm User Password for oimadmin:
…
Enter User Password for xelsysadm:
Confirm User Password for xelsysadm:
The tool has completed its operation. Details have been logged to automation.log
Now create a file named lwls.props with the following contents.
[oracle@fusion bin]$ more lwls.props
IDSTORE_HOST: fusion
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain
IDSTORE_SEARCHBASE: dc=localdomain
POLICYSTORE_SHARES_IDSTORE: true
Again run idmConfigTool.sh. Enter a password of your choice whenever prompted. We will stick to “oracle123” for now.
[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=WLS input_file=lwls.props
Enter ID Store Bind DN password :
…
Enter User Password for weblogic_idm:
Confirm User Password for weblogic_idm:
…
The tool has completed its operation. Details have been logged to automation.log
Now create a file named fusion.props with the following contents.
[oracle@fusion bin]$ more fusion.props
IDSTORE_HOST : fusion
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_USERSEARCHBASE:cn=Users,dc=localdomain
IDSTORE_SEARCHBASE: dc=localdomain
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain
IDSTORE_SUPERUSER: weblogic_fa
POLICYSTORE_SHARES_IDSTORE: true
Again run idmConfigTool.sh. Enter a password of your choice whenever prompted. We will stick to “oracle123” for now.
[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=fusion input_file=fusion.props
Enter ID Store Bind DN password :
…
Enter User Password for IDROUser:
Confirm User Password for IDROUser:
…
Enter User Password for IDRWUser:
Confirm User Password for IDRWUser:
…
Enter User Password for weblogic_fa:
Confirm User Password for weblogic_fa:
…
The tool has completed its operation. Details have been logged to automation.log
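Every step above feeds idmConfigTool.sh a hand-written props file from the same directory, and the tool simply appends whatever it is given to idmDomainConfig.param and automation.log. The mistakes that cost the most time are the small ones: a key left out of one file, a stray space inside a DN, a file named one way in the editor and another way on the command line, or IDSTORE_* values that differ between files so the generated idmDomainConfig.param ends up inconsistent. The following pre-flight check is an added example, not part of the original post and not a feature of idmConfigTool; the key names are the ones used on this page, and the sample props files are constructed inline in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post, not part of idmConfigTool):
# a pre-flight linter for the *.props files handed to idmConfigTool.sh.
# Key names are the ones used in the walkthrough; sample files are
# constructed below in a temporary directory.

tab=$(printf '\t')

# props_get FILE KEY: print KEY's value with surrounding whitespace removed.
# idmConfigTool accepts both "KEY: value" and "KEY : value", so allow both.
props_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# props_check FILE KEY...: return 0 when FILE exists in the current
# directory, every KEY is present, and no value carries whitespace inside
# a DN (e.g. "cn=Users, dc=localdomain" instead of "cn=Users,dc=localdomain").
props_check() {
    file=$1; shift
    if [ ! -f "$file" ]; then
        echo "missing input file: $file (check the name typed after input_file=)"
        return 1
    fi
    rc=0
    for key in "$@"; do
        val=$(props_get "$file" "$key")
        if [ -z "$val" ]; then
            echo "$file: $key is not set"; rc=1
        else
            case $val in
                *", "*|*"$tab"*) echo "$file: $key has whitespace inside the value: '$val'"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# props_same KEY FILE...: return 0 when KEY has the same value in every FILE,
# so the entries appended to idmDomainConfig.param agree with each other.
props_same() {
    key=$1; shift
    have_first=0; first=""
    for f in "$@"; do
        v=$(props_get "$f" "$key")
        if [ "$have_first" -eq 0 ]; then
            first=$v; have_first=1
        elif [ "$v" != "$first" ]; then
            echo "$key differs: '$first' vs '$v' in $f"
            return 1
        fi
    done
    return 0
}

# --- constructed sample inputs, modelled on the files shown in the post ---
workdir=$(mktemp -d)
cat > "$workdir/policystore.props" <<'EOF'
POLICYSTORE_HOST : fusion
POLICYSTORE_PORT : 3060
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_SEARCHBASE: dc=localdomain
POLICYSTORE_CONTAINER: cn=jpsroot
EOF
cat > "$workdir/oim.props" <<'EOF'
IDSTORE_HOST : fusion
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERSEARCHBASE:cn=Users,dc=localdomain
IDSTORE_SEARCHBASE: dc=localdomain
IDSTORE_OIMADMINUSER: oimadmin
EOF
# Deliberately reproduces two slips from the WLS step: a space after the
# comma in a DN, and a file saved as lwls.props but named wls.props when run.
cat > "$workdir/lwls.props" <<'EOF'
IDSTORE_HOST: fusion
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERSEARCHBASE: cn=Users, dc=localdomain
IDSTORE_SEARCHBASE: dc=localdomain
EOF

# run_checks: lint the constructed files; return 0 only if all checks pass.
run_checks() {
    rc=0
    props_check "$workdir/oim.props" IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN \
        IDSTORE_USERSEARCHBASE IDSTORE_SEARCHBASE IDSTORE_OIMADMINUSER || rc=1
    props_check "$workdir/lwls.props" IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN \
        IDSTORE_USERSEARCHBASE IDSTORE_SEARCHBASE || rc=1
    props_check "$workdir/wls.props" IDSTORE_HOST || rc=1   # name as typed on the command line
    props_same IDSTORE_SEARCHBASE "$workdir/oim.props" "$workdir/lwls.props" || rc=1
    return $rc
}

run_checks && echo "all props files look consistent" \
    || echo "fix the reported problems before running idmConfigTool.sh"
```

Run it from <IAM_ORACLE_HOME>/idmtools/bin, the same directory the tool is run from, so the file-existence check sees exactly what idmConfigTool.sh will see. The required key list per mode is simply the set of keys shown in the corresponding props file above; pass those to props_check before each -prepareIDStore run, and pass the shared IDSTORE_* keys to props_same across all of the files so that idmDomainConfig.param is built from one consistent set of values.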
This concludes the preparation of Identity and Policy stores for the Fusion Applications Installation.
Next: Creating a New Provisioning Plan
Installing Oracle Fusion Applications – steps
- Installing Fusion Applications Provisioning Framework
- Installing Oracle 11g Database (Applications Transactional Database)
- Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
- Creating another database for Oracle Identity Management Infrastructure (optional)
- Running Repository Creation Utility (RCU) for Oracle Identity Management components
- Installing Oracle Identity and Access Management Components
- Configuring Oracle Identity and Access Management components
- Preparing Identity and Policy Stores
- Creating a New Provisioning Plan
- Provisioning an Applications Environment
Hi
Quick query,
Does the ./idmConfigTool.sh -configPolicyStore input_file=policystore.props command require OAM and IDM to be installed on the same server?
How do we create the policy store when OID is on a separate node?
Please advise.
Many thanks
Subash
@AKB
Can you please let us know where exactly are you stuck so that we can help from there. And yes if these steps are followed exactly for the version mentioned in the posts then it “will” lead to completion.
Also apologies for being off-the-blog for some time due to some major critical projects. Will be more available for next few days.
Thanks
Tushar
Hi,
I followed the steps mentioned here with exactly the same commands and I got stuck at the same place two times.
Did the steps mentioned here lead to completion of installation?
I have pasted the error I got, which resulted in me re-starting the installation process. But I have not got a response on how to resolve the issue.
Will I get a resolution on how to fix the issue and the steps which will not put me in the same spot if I restart?
Balaji
It would be great to know what each of these users are actually used for.
IDROUser, IDRWUser, oblixanonymous, oimadmin, etc… All docs talk about creating them, but none actually describe what’s what. Good summary though!