Oracle Fusion Applications Installation: Configure Oracle Identity and Access Management components

Previous: Apply mandatory Patches

    Configuring the Oracle Identity Management components can be divided into the following tasks. Note that we will not configure Oracle Virtual Directory, Oracle Identity Federation, etc.

  1. Configure the Web Tier
  2. Create Weblogic Domain for Identity Management
  3. Extend the Domain to include Oracle Internet Directory
  4. Prepare Identity and Policy Stores
  5. Extend the Domain to include Oracle Directory Service Manager (ODSM)
  6. Extend the Domain to include Oracle Virtual Directory (Optional)
  7. Configure Oracle Access Manager 11g (OAM)
  8. Configure Oracle Identity Manager (OIM) and Oracle SOA Suite
  9. Post-configure tasks

    Configure Web Tier

    Start the configuration from <Web_Home>/bin

    [fusion@fmwhost ~]$ cd /app/fusion/fmw/web/bin/

    [fusion@fmwhost bin]$ ./config.sh

    Click Next

     

    Select only Oracle HTTP Server and deselect other checkboxes. Click Next

     

    Enter following details and click Next

    Instance Home Location: /app/fusion/config/instances/web1

    (Note that the paths, instance name and component name are different from those used during the 11.1.5 installation steps)

    Instance Name: web1

    OHS Component Name: ohs1

    Select “Specify Ports using Configuration file”. Open another shell window and copy the staticports.ini from staging directory.

    [fusion@fmwhost bin]$ cp -p /mnt/hgfs/setup/installers/webtier/Disk1/stage/Response/staticports.ini ~/

    Click View/Edit File

     

    Edit/uncomment the following values.

    OPMN Local Port = 6700

    OHS Port = 7777

    Click Save

     

     

    Deselect the check box and click Next

     

    Click Yes

     

    Review the summary and click Configure

     

    Once installation is successful, click Next

     

    Review the summary and click Finish

     

    Check that the HTTP processes have started.

     

    [fusion@fmwhost bin]$ ps -ef | grep http

    fusion 5410 5383 1 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL

    fusion 5419 5410 0 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL

    fusion 5420 5410 0 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL

    fusion 5422 5410 0 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL

    fusion 5518 4052 0 13:14 pts/1 00:00:00 grep http

     

    [fusion@fmwhost bin]$ vi /app/fusion/config/instances/web1/config/OHS/web1/httpd.conf

    Change the User and Group directives to the following (dba or oinstall, depending on the group of the fusion OS user)

     

    User fusion

    Group dba

    Open http://<hostname>:7777 to make sure that the OHS home page appears.

    Make a backup of httpd.conf, then edit the mpm_worker_module section of httpd.conf to the following values.

    [fusion@fmwhost bin]$ cp -pr /app/fusion/config/instances/web1/config/OHS/web1/httpd.conf /app/fusion/config/instances/web1/config/OHS/web1/httpd.conf.bak.original

    <IfModule mpm_worker_module>
    ServerLimit 20
    StartServers 2
    MaxClients 1000
    MinSpareThreads 200
    MaxSpareThreads 800
    ThreadsPerChild 50
    MaxRequestsPerChild 10000
    AcceptMutex fcntl
    LockFile "${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/http_lock"
    </IfModule>

     

    Restart the Web server as follows.

    [fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl stopall

    opmnctl stopall: stopping opmn and all managed processes…

    [fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl startall

    opmnctl startall: starting opmn and all managed processes…

    Create Weblogic Domain for Identity Management

    Start the configuration from <Middleware Home>/oracle_common/common/bin

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/oracle_common/common/bin/

    [fusion@fmwhost bin]$ ./config.sh &

     

     

    Select “Create a new Weblogic domain” and click Next

     

    For single domain creation, select:

    – Oracle Identity Manager 11.1.1.3.0 [iam]

    – Oracle SOA Suite – 11.1.1.0 [soa]

    – Oracle Enterprise Manager [oracle_common]

    – Oracle Access Manager with Database Policy Store – 11.1.1.3.0 [iam]

    – Oracle WSM Policy Manager – 11.1.1.0 [oracle_common]

    – Oracle JRF [oracle_common] (This should be selected automatically.)

    Click Next

     

     

    Enter following values.

    Domain Name: IDMDomain

    Domain location: /app/fusion/config/domains

    Application location: /app/fusion/config/domains/IDMDomain/applications

    [Note that the above paths differ from those used in the previous installations]

    Click Next

     

    Enter name “weblogic” and desired password. Click Next

     

    Select “Production Mode” and make sure correct JDK is selected. Click Next

     

    Make sure to change the prefix of each schema username to FA_ manually, since we changed the prefix earlier. Once that is done, select all checkboxes to apply the same password to all schemas, enter the database server details and click Next

     

    Once connection test is successful, click Next

     

    Select “Administration Server” and “Managed servers, clusters and Machines”. Click Next

     

    Enter following values.

    Name: AdminServer

    Listen address: <hostname>

    Listen Port: 7001

    We are not using SSL here, so click Next

     

    In the “Configure Managed Servers” screen enter following values.

    WLS_OAM1, <hostname>, 14100 (OAM Server)

    WLS_SOA1, <hostname>, 8001 (SOA Server)

    WLS_OIM1, <hostname>, 14000 (OIM Server)

    Click Next

     

    Click Next

     

    Since we are using a Unix machine, delete the entry on the Machine tab. Click Delete

     

    This tab should look like this now.

    Click on the “Unix Machine” tab, enter the following values and click Next

    Name: <hostname>

    Node Manager listen address: <hostname>

    Node manager listen port: 5556

     

    Important Note: Make sure the machine name is the same as the hostname. In this case, use fmwhost.paramlabs.com instead of just fmwhost. Check it with the “hostname” command on your OS; even though both names resolve to the same IP, Node Manager treats them as different machines.

     

    Select all managed servers on left side and click on right arrow to assign all servers to our single node.

     

    It should look as above. Click Next

     

    Review the summary and click “Create”

     

    Once creation is complete, click Done

     

    Prepare the Admin Server to start without prompting for a password

     

    [fusion@fmwhost bin]$ mkdir -p /app/fusion/config/domains/IDMDomain/servers/AdminServer/security

    [fusion@fmwhost bin]$ cd /app/fusion/config/domains/IDMDomain/servers/AdminServer/security

    [fusion@fmwhost security]$ vi boot.properties

    [fusion@fmwhost security]$ more boot.properties

    username=weblogic

    password=Oracle123 (whichever password you chose)

     

    Note: The username and password entries in the file are not encrypted until you start the Administration Server. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries are encrypted.
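The note above is worth acting on: the credentials sit in clear text until the first start. As an added example (not part of the original post), the following POSIX shell functions create boot.properties so that it is readable only by the owning OS account, and let you confirm after startup that WebLogic has replaced the values with encrypted ones. The function names are mine; the only assumption about WebLogic is that an encrypted value starts with "{" (for example "{AES}..."). The same owner-only permissions are appropriate for the config_oam1.props file used later in this page, which holds WLSPASSWD in clear text.

```shell
#!/bin/sh
# Added example, not from the original post: write boot.properties so that the
# plaintext credentials are readable only by the owning account, and check
# afterwards that the Admin Server has replaced them with encrypted values.
# Assumption: a value WebLogic has encrypted starts with "{" (for example
# "{AES}..."); the file layout (username=/password= lines) is as in the post.

# write_boot_properties <security_dir> <username> <password>
# Creates <security_dir>/boot.properties with mode 600 (owner read/write only).
write_boot_properties() {
    dir=$1
    user=$2
    pass=$3
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell so the file is never group/world readable,
    # not even between creation and the chmod below.
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" \
        > "$dir/boot.properties" ) || return 1
    chmod 600 "$dir/boot.properties"
}

# file_mode <path>: prints the symbolic permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# boot_properties_encrypted <file>
# Returns 0 when both the username and password values start with "{",
# i.e. the server has already encrypted them; returns 1 while they are
# still in clear text.
boot_properties_encrypted() {
    u=$(sed -n 's/^username=//p' "$1")
    p=$(sed -n 's/^password=//p' "$1")
    case "$u" in "{"*) ;; *) return 1 ;; esac
    case "$p" in "{"*) ;; *) return 1 ;; esac
    return 0
}

# Usage against the directory shown in the post (password is a placeholder):
#   sec=/app/fusion/config/domains/IDMDomain/servers/AdminServer/security
#   write_boot_properties "$sec" weblogic 'YourPasswordHere'
#   file_mode "$sec/boot.properties"
#   boot_properties_encrypted "$sec/boot.properties" \
#       && echo "encrypted" || echo "still clear text: start the Admin Server now"
```

Run boot_properties_encrypted once more after the Admin Server reports RUNNING; if it still returns non-zero, the server did not read the file (wrong directory or wrong server name) and the clear-text credentials are still on disk.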

     

    Configure and start Node Manager

    [fusion@fmwhost security]$ cd /app/fusion/fmw/wlserver_10.3/server/bin/

    [fusion@fmwhost bin]$ ./startNodeManager.sh

    INFO: Secure socket listener started on port 5556

    Once you see the above message, press CTRL+C to stop the process (if you started it with “&”, stop it with the kill -9 command)

    ^C+ set +x

     

    Set the node manager properties

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/oracle_common/common/bin

    [fusion@fmwhost bin]$ ./setNMProps.sh

    Appending required nodemanager.properties

     

    To confirm the changes,

    [fusion@fmwhost bin]$ tail -f /app/fusion/fmw/wlserver_10.3/common/nodemanager/nodemanager.properties

    #Required NM Property overrides (append to existing nodemanager.properties)

    StartScriptEnabled=true

     

    Start node manager in nohup mode so that it keeps running after you close the shell.

     

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/wlserver_10.3/server/bin/

    [fusion@fmwhost bin]$ nohup ./startNodeManager.sh &

     

    Start Weblogic Admin server

     

    [fusion@fmwhost bin]$ cd /app/fusion/config/domains/IDMDomain/bin/

    [fusion@fmwhost bin]$ nohup ./startWebLogic.sh &

     

    Wait till you see this message.

    <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>

     

    ==========

    Note: If you ever get an error like

    <Info> <Management> <BEA-141281> <unable to get file lock, will retry …>

    then do the following: kill any running startWebLogic.sh processes and remove the lock file as follows.

    -bash-3.2$ rm /app/fusion/config/domains/IDMDomain/servers/AdminServer/tmp/AdminServer.lok

    This error appears if the Admin Server or a managed server did not stop cleanly earlier.

    ==========

     

    Make sure Admin server is started properly by launching the URL http://<hostname>:7001/console

    Login with “weblogic” user

     

     

    Launch Enterprise Manager URL

    http://<hostname>:7001/em

     

    Login with “weblogic” user

     

     

    Set up HTTP Aliases

    Create a file named admin.conf at <web instance directory>/config/OHS/ohs1/moduleconf and enter the following lines

     

    [fusion@fmwhost bin]$ more /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf

    RewriteEngine On

    RewriteOptions inherit

    RewriteRule ^/em/targetauth/emaslogout.jsp "/oamsso/logout.html?end_url=/em" [R]

    RewriteRule ^/console/jsp/common/logout.jsp "/oamsso/logout.html?end_url=/console" [R]

     

    ###################################

    ## General Domain Configuration

    ###################################

    # Admin Server and EM

    <Location /console>

    SetHandler weblogic-handler

    WebLogicHost fmwhost.paramlabs.com

    WeblogicPort 7001

    </Location>

     

    <Location /consolehelp>

    SetHandler weblogic-handler

    WebLogicHost fmwhost.paramlabs.com

    WeblogicPort 7001

    </Location>

     

    <Location /em>

    SetHandler weblogic-handler

    WebLogicHost fmwhost.paramlabs.com

    WeblogicPort 7001

    </Location>

     

    Restart Web server

    [fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl stopall

    opmnctl stopall: stopping opmn and all managed processes…

    [fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl startall

    opmnctl startall: starting opmn and all managed processes…

     

    Now you can launch the same URL using our main http port 7777

     

    http://<hostname>:7777/console should open fine now

     

    Register HTTP server with Enterprise Manager

     

    [fusion@fmwhost bin]$ ./opmnctl registerinstance -adminHost fmwhost -adminport 7001 -adminUsername weblogic

    Command requires login to weblogic admin server (fmwhost):

    Username: weblogic

    Password:

     

    Done

    Registering instance

    Command succeeded.

     

    Removing IDM Domain Agent

    In the Administration console, click on “Security Realms” -> myrealm -> Providers

     

    Select IAMSuiteAgent and click on Delete.

     

    Activate Changes

     

    Enable Weblogic Plugin

    Open http://<hostname>:7777/console and login with weblogic user

    Click Lock & Edit. Click on IDMDomain -> Configuration -> Web Applications

    Scroll down and check “WebLogic Plugin Enabled”

     

    Click on Environment -> Servers -> AdminServer -> Protocols -> HTTP. Change the Frontend port to 7777.

    Activate Changes

    Restart WebLogic Admin Server

    [fusion@fmwhost bin]$ cd /app/fusion/config/domains/IDMDomain/bin/

    [fusion@fmwhost bin]$ ./stopWebLogic.sh

    [fusion@fmwhost bin]$ nohup ./startWebLogic.sh &

     

    Extend the Domain to include Oracle Internet Directory

    Make sure that port 3060 is not being used by another process.

    [fusion@fmwhost bin]$ netstat -an | grep 3060

    Start the configuration from <IDM_HOME>/bin

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/idm/bin

    [fusion@fmwhost bin]$ ./config.sh &

     

     

    Click Next

     

    Select “Configure Without A Domain” and click Next

     

    Instance Location: /app/fusion/config/instances/oid1

    Instance Name: oid1

    Click Next

     

    Deselect checkbox and click Next

     

    Click Yes

     

    Select “Oracle Internet Directory” and click Next

     

    Select “Specify Ports using Configuration file”

    Open a shell and copy the staticports.ini file to your home directory

    [fusion@fmwhost bin]$ cp -p /app/fusion/provisioning/idm/Disk1/stage/Response/staticports.ini ~/

    Click View/Edit File

     

    Edit/uncomment the Non-SSL Port value as 3060 and the SSL Port value as 3061

    Click Save

     

    Enter database details and click Next

     

    Set the Realm to the domain-level DN (for example, if the domain is example.com, set dc=example,dc=com)

    Click Next

     

    Review the summary and click Configure

     

    Once configuration completes, click Next

     

    Review the summary and click Finish

     

    Validate OID

     

    [fusion@fmwhost bin]$ export ORACLE_HOME=/app/fusion/fmw/idm

    [fusion@fmwhost bin]$ export ORACLE_INSTANCE=/app/fusion/config/instances/oid1

    [fusion@fmwhost bin]$ export PATH=$ORACLE_HOME/opmn/bin:$ORACLE_HOME/bin:$ORACLE_HOME/ldap/bin:$ORACLE_HOME/ldap/admin:$PATH

    [fusion@fmwhost bin]$ ldapbind -h fmwhost -p 3060 -D "cn=orcladmin" -q

    Please enter bind password:

    bind successful

    [fusion@fmwhost bin]$ ldapbind -h fmwhost -p 3061 -D "cn=orcladmin" -q -U 1

    Please enter bind password:

    bind successful

     

    [fusion@fmwhost bin]$ opmnctl reload

    opmnctl reload: reconfiguring opmn…

    [fusion@fmwhost bin]$ opmnctl status agent

     

    Processes in Instance: oid1
    ---------------------------------+--------------------+---------+---------
    ias-component                    | process-type       |     pid | status
    ---------------------------------+--------------------+---------+---------
    oid1                             | oidldapd           |   11217 | Alive
    oid1                             | oidldapd           |   11221 | Alive
    oid1                             | oidmon             |   11203 | Alive
    EMAGENT                          | EMAGENT            |   10839 | Alive

     

    Registering Oracle Internet Directory with the WebLogic Server Domain

     

    [fusion@fmwhost bin]$ export ORACLE_HOME=/app/fusion/fmw/idm

    [fusion@fmwhost bin]$ export ORACLE_INSTANCE=/app/fusion/config/instances/oid1

    [fusion@fmwhost bin]$ $ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost fmwhost -adminPort 7001 -adminUsername weblogic

    Command requires login to weblogic admin server (fmwhost):

    Username: weblogic

    Password:

     

    Registering instance

    Command succeeded.

     

    Update the Enterprise Manager Repository URL

     

    [fusion@fmwhost bin]$ cd $ORACLE_INSTANCE/EMAGENT/EMAGENT/bin

    [fusion@fmwhost bin]$ ./emctl switchOMS http://fmwhost:7001/em/upload

    Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.

    Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.

    SwitchOMS succeeded.

     

    We can now verify that this instance is registered with the monitoring agent.

    Login to http://<hostname>:7777/em using the weblogic user

     

    Click on Farm -> Agent-monitored targets.

     

    Make sure that the Agent URL is configured and does not show “Needs Configuration”

    Tune Oracle Internet Directory for Fusion Applications Installation

     

    In the EM console, select oid1 from the farm tree. On the right pane, click oid1 -> Administration -> Shared Properties

     

    Select Skip referral for search (in OID terms, orclskiprefinsql = 1)

     

    Deselect Match DN (orclMatchDnEnabled = 0)

    Click Apply

     

    Now click on oid1->Administration->Server Properties

     

     

    Set the following values.

    Number of Oracle Internet Directory LDAP Server Processes    (orclserverprocs)     4
    Number of DB Connections per Server Process                  (orclmaxcc)           4
    Maximum Number of LDAP connections per Server Process        (orclmaxldapconns)    4096

     

    Restart OID processes to make sure that the changes are now in effect.

     

    [fusion@fmwhost bin]$ /app/fusion/config/instances/oid1/bin/opmnctl stopall

    opmnctl stopall: stopping opmn and all managed processes…

    [fusion@fmwhost bin]$ /app/fusion/config/instances/oid1/bin/opmnctl startall

    opmnctl startall: starting opmn and all managed processes…

     

    [fusion@fmwhost bin]$ opmnctl status agent

     

    Processes in Instance: oid1
    ---------------------------------+--------------------+---------+---------
    ias-component                    | process-type       |     pid | status
    ---------------------------------+--------------------+---------+---------
    oid1                             | oidldapd           |   17192 | Alive
    oid1                             | oidldapd           |   17188 | Alive
    oid1                             | oidldapd           |   17184 | Alive
    oid1                             | oidldapd           |   17166 | Alive
    oid1                             | oidldapd           |   17142 | Alive
    oid1                             | oidmon             |   17104 | Alive
    EMAGENT                          | EMAGENT            |   17103 | Alive

     

    Prepare Identity and Policy Stores

    Prepare Policy store

    Go to directory <IAM_HOME>/idmtools/bin

    -bash-3.2$ cd /app/fusion/fmw/iam/idmtools/bin/

    Source environment variables

    -bash-3.2$ export ORACLE_HOME=/app/fusion/fmw/iam

    -bash-3.2$ export JAVA_HOME=/app/fusion/jdk6

    -bash-3.2$ export IDM_HOME=/app/fusion/fmw/idm

    -bash-3.2$ export MW_HOME=/app/fusion/fmw

     

    Create a file named policystore.props

    [fusion@fmwhost bin]$ more policystore.props

    POLICYSTORE_HOST: fmwhost.paramlabs.com

    POLICYSTORE_PORT: 3060

    POLICYSTORE_BINDDN: cn=orcladmin

    POLICYSTORE_READONLYUSER: PolicyROUser

    POLICYSTORE_READWRITEUSER: PolicyRWUser

    POLICYSTORE_SEARCHBASE: dc=paramlabs,dc=com

    POLICYSTORE_CONTAINER: cn=idm_jpsroot

     

    [fusion@fmwhost bin]$ ./idmConfigTool.sh -configPolicyStore input_file=policystore.props

    Enter Policy Store Bind DN password :

    Enter User Password for PolicyROUser:

    Confirm User Password for PolicyROUser:

    Enter User Password for PolicyRWUser:

    Confirm User Password for PolicyRWUser:

    Check for errors in the log file.

    -bash-3.2$ grep -i error automation.log

    Note: While running this command, you might see the following error message:

    WARNING: Error in adding in-memory OID search filters.

    You may safely ignore this error.

     

    Run the following commands to reassociate the security store

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/oracle_common/common/bin/

    [fusion@fmwhost bin]$ ./wlst.sh

    wls:/offline> connect("weblogic","Oracle123","t3://fmwhost.paramlabs.com:7001")

    Connecting to t3://fmwhost.paramlabs.com:7001 with userid weblogic ...

    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.

    Warning: An insecure protocol was used to connect to the
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.

    wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain", admin="cn=orcladmin", password="Oracle123", ldapurl="ldap://fmwhost.paramlabs.com:3060", servertype="OID", jpsroot="cn=idm_jpsroot")

     

    wls:/IDMDomain/serverConfig> exit()

     

    Restart Admin Server

     

    Prepare Identity Store

     

    [fusion@fmwhost bin]$ more idstore.props

    # Common

    IDSTORE_HOST: fmwhost.paramlabs.com

    IDSTORE_PORT: 3060

    IDSTORE_BINDDN: cn=orcladmin

    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=paramlabs,dc=com

    IDSTORE_SEARCHBASE: dc=paramlabs,dc=com

    IDSTORE_USERNAMEATTRIBUTE: cn

    IDSTORE_LOGINATTRIBUTE: uid

    IDSTORE_USERSEARCHBASE: cn=Users,dc=paramlabs,dc=com

    POLICYSTORE_SHARES_IDSTORE: true

    # OAM

    IDSTORE_OAMADMINUSER:oamadmin

    IDSTORE_OAMSOFTWAREUSER:oamLDAP

    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators

    # OAM and OIM

    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=paramlabs,dc=com

    # OIM

    IDSTORE_OIMADMINGROUP: OIMAdministrators

    IDSTORE_OIMADMINUSER: oimLDAP

    # Required due to bug

    IDSTORE_OAAMADMINUSER : oaamadmin

    # Fusion Applications

    IDSTORE_READONLYUSER: IDROUser

    IDSTORE_READWRITEUSER: IDRWUser

    IDSTORE_SUPERUSER: weblogic_fa

    # Weblogic

    IDSTORE_WLSADMINUSER : weblogic_idm

     

    [fusion@fmwhost bin]$ ./idmConfigTool.sh -preConfigIDStore input_file=idstore.props

    Enter ID Store Bind DN password :

     

    Check the log for errors

    [fusion@fmwhost bin]$ grep -i error automation.log

    The above command automatically creates a file named idmDomainConfig.param. This is an important file: we will seed the values from it into the response file later.

     

    [fusion@fmwhost bin]$ more idmDomainConfig.param

    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=paramlabs,dc=com

    POLICYSTORE_PORT: 3060

    IDSTORE_HOST: fmwhost.paramlabs.com

    IDSTORE_LOGINATTRIBUTE: uid

    IDSTORE_PORT: 3060

    POLICYSTORE_CONTAINER: cn=idm_jpsroot

    IDSTORE_USERSEARCHBASE: cn=Users,dc=paramlabs,dc=com

    POLICYSTORE_HOST: fmwhost.paramlabs.com

    POLICYSTORE_READWRITE_USERNAME: cn=PolicyRWUser,cn=users,dc=paramlabs,dc=com

     

    Creating Users and Groups

    Run following command.

    [fusion@fmwhost bin]$ ./idmConfigTool.sh -prepareIDStore mode=all input_file=idstore.props

    Enter ID Store Bind DN password :

    Enter User Password for IDROUser:

    Confirm User Password for IDROUser:

    Enter User Password for IDRWUser:

    Confirm User Password for IDRWUser:

    Enter User Password for weblogic_fa:

    Confirm User Password for weblogic_fa:

    Enter User Password for weblogic_idm:

    Confirm User Password for weblogic_idm:

    Enter User Password for oblixanonymous:

    Confirm User Password for oblixanonymous:

    Enter User Password for oamadmin:

    Confirm User Password for oamadmin:

    Enter User Password for oamLDAP:

    Confirm User Password for oamLDAP:

    Enter User Password for oaamadmin:

    Confirm User Password for oaamadmin:

    Enter User Password for oimLDAP:

    Confirm User Password for oimLDAP:

    Enter User Password for xelsysadm:

    Confirm User Password for xelsysadm:

    The tool has completed its operation. Details have been logged to automation.log

     

    [fusion@fmwhost bin]$ grep -i error automation.log

    WARNING: Error in adding in-memory OID search filters

     

    Note: We are not using Oracle Virtual Directory (OVD), since it is an optional component, so the OVD part is skipped.

     

    Extend the Domain to include Oracle Directory Service Manager (ODSM)

    Make sure that the port 7006 is not being used by any process.
    [fusion@fmwhost bin]$ netstat -an | grep 7006
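The port checks on this page (3060 for OID above, 7006 for ODSM here) pipe netstat through a bare grep, which also matches ports such as 13060 or 70061 and the foreign-address column of established connections, so a port that is actually in use can look free and vice versa. As an added example (not part of the original post), the shell functions below parse the Linux netstat -an output and report a port as in use only when a local socket is LISTENing on exactly that number. The function names are mine, and the sample output in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: an anchored listening-port check.
# "netstat -an | grep 3060" also matches 13060, 30601 and the foreign-address
# column, so this parses the output and matches only a local LISTEN socket on
# exactly the requested port.  Assumes the Linux "netstat -an" layout:
#   Proto Recv-Q Send-Q Local Address  Foreign Address  State

# port_listening_in <netstat_output> <port>
# Returns 0 if <port> appears as a LISTEN socket in the given text, else 1.
port_listening_in() {
    out=$1
    port=$2
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # column 4 is the local address; the port follows the last ":"
            # (works for 0.0.0.0:3060, 10.0.0.5:3060 and IPv6 :::3060)
            n = split($4, a, ":")
            if (a[n] == p) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# port_free <port>: live check on this host.
# Returns 0 if nothing is listening on <port>, 1 if something is, 2 if
# netstat is not available (so the caller does not mistake "no tool" for "free").
port_free() {
    command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; return 2; }
    if port_listening_in "$(netstat -an 2>/dev/null)" "$1"; then
        return 1
    fi
    return 0
}

# Usage before running config.sh, e.g. for the ODSM port:
#   port_free 7006 && echo "7006 is free" || echo "7006 is in use (or netstat missing)"
```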

    Start the configuration from <IDM_HOME>/bin

     

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/idm/bin/

    [fusion@fmwhost bin]$ ./config.sh &

     

    Click Next

     

    Select “Extend Existing Domain” and enter the following values

    Hostname: <hostname>

    Port: 7001

    Username: weblogic

    Password: same as existing weblogic password

    Click Next

     

    Click Yes

     

    Enter following values.

    Weblogic Server Directory: /app/fusion/fmw/wlserver_10.3

    Instance location: /app/fusion/config/instances/ods1

    Instance Name: ods1

    Click Next

     

    Deselect checkbox and click Next

     

    Click Yes

     

    Select only Oracle Directory Service Manager and click Next

     

    Select “Specify Ports using Configuration file”. Open another shell window and copy the staticports.ini from staging directory.

    [fusion@fmwhost bin]$ cp -p /app/fusion/provisioning/idm/Disk1/stage/Response/staticports.ini ~/

    Click View/Edit File

     

    Edit/uncomment ODS server Port No = 7006

    Click Save

     

     

    Review the summary and click Configure

     

    Once configuration completes, click Next

     

    Review the summary and click Finish

     

    Check whether wls_ods1 is already up in Enterprise Manager at http://<hostname>:7777/em

    If it is not up, start it with the following commands (boot.properties is copied so that the managed server starts without prompting for credentials).

    [fusion@fmwhost IDMDomain]$ mkdir -p /app/fusion/config/domains/IDMDomain/servers/wls_ods1/security

    [fusion@fmwhost IDMDomain]$ cp -pr /app/fusion/config/domains/IDMDomain/servers/AdminServer/security/boot.properties /app/fusion/config/domains/IDMDomain/servers/wls_ods1/security/

    [fusion@fmwhost IDMDomain]$ cd /app/fusion/config/domains/IDMDomain/bin/

    [fusion@fmwhost IDMDomain]$ nohup ./startManagedWebLogic.sh wls_ods1 &

    Wait until you see RUNNING in the nohup.out file (nohup's default output file in the directory you started from)

    Launch ODSM using following URL

    http://<hostname>:7006/odsm

     

     

    Create Aliases for ODSM in HTTP server

     

    [fusion@fmwhost bin]$ vi /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf

    (append the following lines)

    # ODSM

    <Location /odsm>

    SetHandler weblogic-handler

    WebLogicCluster fmwhost.paramlabs.com:7006

    </Location>

     

    Restart Web Server as follows

    [fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl stopall

    opmnctl stopall: stopping opmn and all managed processes…

    [fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl startall

    opmnctl startall: starting opmn and all managed processes…

    Now you can also launch ODSM using the following URL

    http://<hostname>:7777/odsm

     

    Click on Connect to a directory -> Create A New Connection

     

    Enter values as above. Click Connect

     

    You can now view the Oracle Internet Directory from ODSM

     

    You can also browse the OID data as above

     

    Configure Oracle Access Manager (OAM)

    Append the following entries to /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf

    ##############################################
    ## Entries Required by Oracle Access Manager
    ##############################################
    # OAM console
    <Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicHost fmwhost.paramlabs.com
    WebLogicPort 7001
    </Location>

    ##############################################
    ## Entries Required by Oracle Access Manager
    ##############################################
    # OAM
    <Location /oam>
    SetHandler weblogic-handler
    #WLProxySSL ON
    #WLProxySSLPassThrough ON
    WebLogicCluster fmwhost.paramlabs.com:14100
    </Location>

    ##############################################
    ## Entries Required by Fusion Applications
    ##############################################
    # FAAuthScheme
    <Location /fusion_apps>
    SetHandler weblogic-handler
    #WLProxySSL ON
    #WLProxySSLPassThrough ON
    WebLogicCluster fmwhost.paramlabs.com:14100
    </Location>

    Restart Web Server as follows.
    [fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl stopall

    opmnctl stopall: stopping opmn and all managed processes…

    [fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl startall

    opmnctl startall: starting opmn and all managed processes…

    Go to <IAM_HOME>/idmtools/bin

    [fusion@fmwhost bin]$ export ORACLE_HOME=/app/fusion/fmw/iam

    [fusion@fmwhost bin]$ export MW_HOME=/app/fusion/fmw

    [fusion@fmwhost bin]$ export JAVA_HOME=/app/fusion/jdk6

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/idmtools/bin

     

    Create a file named config_oam1.props

    [fusion@fmwhost bin]$ more config_oam1.props

    WLSHOST: fmwhost.paramlabs.com

    WLSPORT: 7001

    WLSADMIN: weblogic

    WLSPASSWD: Oracle123

    IDSTORE_HOST: fmwhost.paramlabs.com

    IDSTORE_PORT: 3060

    IDSTORE_DIRECTORYTYPE:OID

    IDSTORE_BINDDN: cn=orcladmin

    IDSTORE_USERNAMEATTRIBUTE: cn

    IDSTORE_LOGINATTRIBUTE: uid

    IDSTORE_USERSEARCHBASE: cn=Users,dc=paramlabs,dc=com

    IDSTORE_SEARCHBASE: dc=paramlabs,dc=com

    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=paramlabs,dc=com

    IDSTORE_OAMSOFTWAREUSER: oamLDAP

    IDSTORE_OAMADMINUSER: oamadmin

    PRIMARY_OAM_SERVERS: fmwhost.paramlabs.com:5575

    WEBGATE_TYPE: ohsWebgate11g

    ACCESS_GATE_ID: Webgate_IDM

    OAM11G_IDM_DOMAIN_OHS_HOST:fmwhost.paramlabs.com

    OAM11G_IDM_DOMAIN_OHS_PORT:7777

    OAM11G_IDM_DOMAIN_OHS_PROTOCOL:http

    OAM11G_WG_DENY_ON_NOT_PROTECTED: false

    OAM_TRANSFER_MODE: open

    OAM11G_OAM_SERVER_TRANSFER_MODE:open

    OAM11G_IDM_DOMAIN_LOGOUT_URLS:/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp

    OAM11G_OIM_WEBGATE_PASSWD: Oracle123

    COOKIE_DOMAIN: .paramlabs.com

    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators

    OAM11G_SSO_ONLY_FLAG: true

    OAM11G_OIM_INTEGRATION_REQ: true

    OAM11G_IMPERSONATION_FLAG:true

    OAM11G_SERVER_LBR_HOST:fmwhost.paramlabs.com

    OAM11G_SERVER_LBR_PORT:7777

    OAM11G_SERVER_LBR_PROTOCOL:http

    COOKIE_EXPIRY_INTERVAL: 120

    OAM11G_OIM_OHS_URL:http://fmwhost.paramlabs.com:7777/

    OAM11G_SERVER_LOGIN_ATTRIBUTE: uid

     

    Keep a backup of idmDomainConfig.param for safety

    [fusion@fmwhost bin]$ cp -pr idmDomainConfig.param idmDomainConfig.param.preOAM

     

    Run the following command to Configure OAM

    [fusion@fmwhost bin]$ ./idmConfigTool.sh -configOAM input_file=config_oam1.props

    Enter ID Store Bind DN password :

    Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:

    Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:

    Enter User Password for IDSTORE_PWD_OAMADMINUSER:

    Confirm User Password for IDSTORE_PWD_OAMADMINUSER:

    The tool has completed its operation. Details have been logged to automation.log

     

    [fusion@fmwhost bin]$ grep -i error automation.log

    WARNING: Error in adding in-memory OID search filters
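Every idmConfigTool run on this page ends with grep -i error automation.log, and every time the one benign line "Error in adding in-memory OID search filters" shows up, which makes it easy to stop reading the output. As an added example (not part of the original post) covering the policy-store, identity-store and OAM runs alike, the shell functions below apply that one documented exception and fail on anything else, so a real error (a failed container creation, a bad bind) cannot hide behind the expected warning. The function names are mine, and the log lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check idmConfigTool's
# automation.log for errors while ignoring the one warning the post says is
# benign.  A plain "grep -i error" flags that warning on every run, which
# trains people to ignore the check entirely.
# Assumption: the benign line always contains the text in BENIGN_PATTERN.

BENIGN_PATTERN='Error in adding in-memory OID search filters'

# real_errors <logfile>
# Prints every line containing "error" (case-insensitive) except the known
# benign warning.  Prints nothing when the log is clean.
real_errors() {
    grep -i 'error' "$1" | grep -v "$BENIGN_PATTERN"
}

# check_automation_log <logfile>
# Returns 0 when the only error lines (if any) are the benign warning;
# otherwise prints the offending lines and returns 1.
check_automation_log() {
    errs=$(real_errors "$1" || true)
    if [ -n "$errs" ]; then
        printf '%s\n' "$errs"
        return 1
    fi
    return 0
}

# Usage after any idmConfigTool.sh run in <IAM_HOME>/idmtools/bin:
#   check_automation_log automation.log || echo "idmConfigTool reported real errors"
```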

     

    Restart Admin server and all managed servers

     

    Validate OAM

    Login to OAM Console using oamadmin user

     

    http://fmwhost:7777/oamconsole/

     

    In System Configuration tab, click Access Manager Settings -> SSO Agents-> OAM Agents. Search for all agents.

    Edit Webgate_IDM agent

     

    Set Max. Number of Connections to 4 for each primary server (in our case there is only one host)

     

    Do the same for the Webgate_IDM_11g agent

    Set Max. Number of Connections to 4 for each primary server (in our case there is only one host)

     

    In the Policy Configuration tab, go to Host Identifiers -> IAMSuiteAgent and make sure our hostname and the default HTTP port are listed. If they are already there, nothing needs to change on this screen.

    Adding the oamadmin Account to Access System Administrators

    The oamadmin user is assigned to the Oracle Access Manager Administrators group, which is in turn assigned to the Access System Administrators group. Fusion Applications, however, requires the oamadmin user to be explicitly added to that role.

     

    To do this, perform the following steps:

    1. Log in to the oamconsole at http://<hostname>:7777/oamconsole

    2. Click the System Configuration tab.

    3. Expand Data Sources User Identity Stores.

    4. Click OIMIDStore.

    5. Click Open.

    6. Click the symbol next to Access System Administrators.

    7. Type oamadmin in the search box and click Search.

    8. Click the returned oamadmin row, then click Add Selected.

    9. Click Apply.

     

    Click Apply.

    Create Oracle Access Manager Policies for WebGate 11g

    In order to allow WebGate 11g to display the credential collector, you must add /oam to the list of public policies.

    Proceed as follows:

    1. Log in to the OAM console

    2. Select the Policy Configuration tab.

    3. Expand Application Domains – IAM Suite

    4. Click Resources.

    5. Click Open.

    6. Click New resource.

    7. Provide the following values:

    Type: HTTP

    Description: OAM Credential Collector

    Host Identifier: IAMSuiteAgent

    Resource URL: /oam

    Protection Level: Unprotected

    Authentication Policy: Public Policy

8. Click Apply.

     

    Updating Oracle Access Manager System Parameters

     

    1. Log in to the OAM console at http://<hostname>:7777/oamconsole as the WebLogic administration user.

    2. Select the System Configuration tab.

    3. Click Common Settings under the Common Configuration entry.

    4. Click Open.

    5. Set the following values:

    Idle Timeout (minutes): 120

    Session Lifetime: 120

    Maximum Number of Sessions per user: 200

    6. Click Apply

     

     

Restart the OAM managed server so that the new settings take effect.

     

    Configure Oracle Identity Manager (OIM) and Oracle SOA Suite

    Start the configuration from <IAM_HOME>/bin

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/bin/

    [fusion@fmwhost bin]$ ./config.sh &

     

    Click Next

     

    Select only “OIM Server” and click Next

     

Enter the database details. Make sure to use the schema prefix chosen when running RCU for the IDM components (FA_ in this guide, so the OIM schema is FA_OIM, the same name that appears later in weblogic.profile). Click Next

     

    Admin server URL: t3://<hostname>:7001

    Username and password of weblogic user

    Click Next

     

Enter the required password (this becomes the password of the OIM administrator, xelsysadm) and the OIM HTTP URL as http://<hostname>:14000

    Click Next

     

    Check “Enable LDAP Sync” and click Next

     

    Enter following values

    Directory Server Type: OID

    ID: oid1

    URL: ldap://<hostname>:3060

    User: cn=oimLDAP,cn=systemids,dc=<domain>,dc=<com>

    Click Next

     

    Enter following values

    Role Container: cn=Groups,dc=<domain>,dc=<com>

    User Container: cn=Users,dc=<domain>,dc=<com>

    Reservation Container: cn=Reserve,dc=<domain>,dc=<com>

    Click Next

     

    Review summary and click Configure

     

Once the configuration completes, click Next

     

    Review and click Finish

     

    Launch OIM URL

    http://<hostname>:14000/oim

     

Important Note: If you get an HTTP 404 error for OIM, or if you see the following errors in the OIM log files (even if the OIM status shows as RUNNING in the Administration Console), then OIM has not come up properly. Enterprise Manager will show the oim application as Down.

     

    <Error> <Deployer> <BEA-149265> <Failure occurred in the execution of deployment request with ID ‘1356332711618′ for task ‘1′. Error is: ‘weblogic.management.DeploymentException: [J2EE:160149]Error while processing library references. Unresolved application library references, defined in weblogic-application.xml: [Extension-Name: oracle.sdp.client, exact-match: false].’

     

    weblogic.management.DeploymentException: [J2EE:160149]Error while processing library references. Unresolved application library references, defined in weblogic-application.xml: [Extension-Name: oracle.sdp.client, exact-match: false].

    at weblogic.application.internal.flow.CheckLibraryReferenceFlow.prepare(CheckLibraryReferenceFlow.java:26)

    at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:648)

    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)

    at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)

    at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:59)

     

    Truncated. see log file for complete stacktrace

     

As per My Oracle Support note 1328471.1, the oracle.sdp.client shared library must be targeted to both the OIM and the SOA managed servers:

     

     

In the Administration Console go to Deployments and open the oracle.sdp.client library page.

     

     

Click Lock & Edit in the left pane; in the right pane (Targets tab) select the checkboxes for WLS_OIM1 and WLS_SOA1, then Save and Activate Changes.

     

Restart the OIM managed server (WLS_OIM1).

     

    Now launch OIM URL again.

     

Log in as the xelsysadm user.

Enter answers for the challenge questions when prompted.

     

If the post-installation steps for patch 13399365 have not been applied properly, you might get the following errors.

     

oracle.iam.platform.kernel.OrchestrationException

    “ADF_FACES-60097 : For more information, please see the server’s error log for an entry beginning with: ADF_FACES-60096: Server Exception during PPR, #8″

     

    Internal Exception: java.sql.SQLSyntaxErrorException: ORA-00904: “CONTEXTVAL”: invalid identifier

    Error Code: 904

    Call: INSERT INTO ORCHPROCESS (ID, BULKPARENTID, CHANGETYPE, CONTEXTVAL, CREATEDON, ENTITYID, ENTITYTYPE, MODIFIEDON, OPERATION, ORCHESTRATION, ORCHTARGET, PARENTPROCESSID, RETRY, SEQUENCE, STAGE, STATUS) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)

    bind => [16 parameters bound]

     

This is because the following column is missing from the ORCHPROCESS table in the OIM schema (FA_OIM in this guide). The post-patch steps for 13399365 create it; you can confirm before and after by describing the table or checking ALL_TAB_COLUMNS for that owner, table and column.

     

    CONTEXTVAL CLOB

     

Apply the post-patch steps for 13399365 as follows: replace the shipped weblogic.profile with the FA sample and edit it for this environment.

     

    [fusion@fmwhost patch]$ cd /mnt/hgfs/setup/installers/idm/patch/13399365

    [fusion@fmwhost 13399365]$ mv /app/fusion/fmw/iam/server/bin/weblogic.profile /app/fusion/fmw/iam/server/bin/weblogic.profile_bak

    [fusion@fmwhost 13399365]$ cp -p sample_weblogic.profile.fa /app/fusion/fmw/iam/server/bin/weblogic.profile

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/server/bin/

    [fusion@fmwhost bin]$ more weblogic.profile

# For passwords: if you do not want to put a password in this file, comment it out here and you will be prompted for it at run time.

     

#Necessary env variables [Mandatory]

    ant_home=/app/fusion/fmw/modules/org.apache.ant_1.7.1

    java_home=/app/fusion/jdk6

    mw_home=/app/fusion/fmw

    oim_oracle_home=/app/fusion/fmw/iam

     

    #DB configuration variables [Mandatory]

    operationsDB.user=FA_OIM

# Database password is optional. If you want to enter it on the terminal, leave it commented; otherwise uncomment it.

    OIM.DBPassword=Oracle123

    operationsDB.driver=oracle.jdbc.OracleDriver

    operationsDB.host=fdbhost.paramlabs.com

    operationsDB.serviceName=fusiondb

    operationsDB.port=1521

    appserver.type=wls

     

    isMTEnabled=false

# If you have multi-tenancy enabled in your environment

    mdsDB.user=FA_MDS

#Password is optional. If you want to enter it on the terminal, leave it commented; otherwise uncomment it.

    mdsDB.password=Oracle123

    mdsDB.host=fdbhost.paramlabs.com

    mdsDB.port=1521

    mdsDB.serviceName=fusiondb

     

    #For domain level configurations [Mandatory]

    # put here your admin server related credentials

    weblogic_user=weblogic

#Password is optional. If you want to enter it on the terminal, leave it commented; otherwise uncomment it.

    weblogic_password=Oracle123

    weblogic_host=fmwhost

    weblogic_port=7001

    weblogic.server.dir=/app/fusion/fmw/wlserver_10.3

     

    #oim specific domain level parameters [Mandatory]

    oimserver_host=fmwhost.paramlabs.com

    oimserver_port=14000

    oim_managed_server=WLS_OIM1

    oim_domain_dir=/app/fusion/config/domains/IDMDomain

     

    isSODEnabled=false

     

    #SOA specific details [Mandatory]

    soa_home=/app/fusion/fmw/SOA

    soa_managed_server=WLS_SOA1

    soaserver_host=fmwhost.paramlabs.com

    soaserver_port=8001

#Put here the name of the target for taskdetails. In a non-clustered setup it is the SOA server name; in a cluster it is something like cluster_soa

    taskdetails_target_name=WLS_SOA1

    isOHSEnabled=true

#The following parameter is needed only if you have enabled OHS in your environment

    ohs_home=/app/fusion/fmw/web

     

#Set this to true if your environment is Fusion Applications (FA); ignore it if your environment is not FA.

    isFAEnabled=true

     

Now let's apply the WebLogic patch script. Note that the profile above now holds the database and WebLogic passwords in cleartext; either leave those lines commented out so that the script prompts for them, or restrict the file's permissions and remove the passwords once the patch has completed.

     

    [fusion@fmwhost bin]$ export MW_HOME=/app/fusion/fmw

    [fusion@fmwhost bin]$ export JAVA_HOME=/app/fusion/jdk6

    [fusion@fmwhost bin]$ export ANT_HOME=/app/fusion/fmw/modules/org.apache.ant_1.7.1

    [fusion@fmwhost bin]$ export OIM_ORACLE_HOME=/app/fusion/fmw/iam

    [fusion@fmwhost bin]$ export PATH=$JAVA_HOME/bin:$PATH

    [fusion@fmwhost bin]$ ./patch_weblogic.sh

     

This takes a long time; wait until it completes.
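Before running patch_weblogic.sh it is worth checking the profile mechanically rather than by eye. The script below is an added example and is not part of the original post or of Oracle's patch: it reads a weblogic.profile, reports keys marked [Mandatory] that are missing or empty, and lists password keys whose values are stored in the file in cleartext. The key names are taken from the profile shown above; the list of mandatory keys is a subset chosen here, and the profile it writes to a temporary file is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight check of the
# weblogic.profile read by patch_weblogic.sh. It reports mandatory keys that
# are missing or empty, and lists password keys that are set in the file,
# since those values sit there in cleartext. Key names come from the post's
# profile; the sample profile written below is constructed for this example.

# A subset of the keys the sample profile marks [Mandatory] (chosen here).
MANDATORY_KEYS="ant_home java_home mw_home oim_oracle_home operationsDB.user \
operationsDB.host operationsDB.port operationsDB.serviceName weblogic_user \
weblogic_host weblogic_port oim_managed_server oim_domain_dir soa_home \
soa_managed_server"

# Keys whose values are passwords; the profile's own comments say these may be
# left commented out so that the script prompts for them at run time.
PASSWORD_KEYS="OIM.DBPassword mdsDB.password weblogic_password"

# profile_value FILE KEY: print the value of the first uncommented KEY=value
# line (empty output if the key is absent or commented out).
profile_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# missing_mandatory FILE: print each mandatory key with no value; status 1 if any.
missing_mandatory() {
    rc=0
    for k in $MANDATORY_KEYS; do
        [ -n "$(profile_value "$1" "$k")" ] || { echo "$k"; rc=1; }
    done
    return $rc
}

# cleartext_passwords FILE: print each password key that holds a value in the file.
cleartext_passwords() {
    for k in $PASSWORD_KEYS; do
        [ -n "$(profile_value "$1" "$k")" ] && echo "$k"
    done
    return 0
}

# Constructed sample: soa_home is missing and weblogic_password is left in the file.
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
#Necessary env variables [Mandatory]
ant_home=/app/fusion/fmw/modules/org.apache.ant_1.7.1
java_home=/app/fusion/jdk6
mw_home=/app/fusion/fmw
oim_oracle_home=/app/fusion/fmw/iam
#DB configuration variables [Mandatory]
operationsDB.user=FA_OIM
#OIM.DBPassword=Oracle123
operationsDB.host=fdbhost.paramlabs.com
operationsDB.serviceName=fusiondb
operationsDB.port=1521
mdsDB.user=FA_MDS
#mdsDB.password=Oracle123
weblogic_user=weblogic
weblogic_password=Oracle123
weblogic_host=fmwhost
weblogic_port=7001
oim_managed_server=WLS_OIM1
oim_domain_dir=/app/fusion/config/domains/IDMDomain
soa_managed_server=WLS_SOA1
EOF

echo "Mandatory keys without a value:"
missing_mandatory "$SAMPLE_PROFILE" || echo "-> fix the profile before running patch_weblogic.sh"
echo "Password keys stored in cleartext:"
cleartext_passwords "$SAMPLE_PROFILE"
```

Run it against the real file with `missing_mandatory /app/fusion/fmw/iam/server/bin/weblogic.profile` before starting patch_weblogic.sh; a non-zero status means the script would stop part-way through with a less helpful error.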

     

Launch OIM again to make sure you can log in and enter the security answers successfully.

     

     

     

Now launch SOA using the following URL

    http://<hostname>:8001/soa-infra

Log in with the weblogic username and password when prompted.

     

    Prepare OIM to reconcile from ID store

     

    [fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/server/ldap_config_util/

    [fusion@fmwhost ldap_config_util]$ cp -pr ldapconfig.props ldapconfig.props_orig

    [fusion@fmwhost ldap_config_util]$ vi ldapconfig.props

    [fusion@fmwhost ldap_config_util]$ cat ldapconfig.props

    # OIMServer Type, Valid values can be WLS, JBOSS, WAS

    # e.g.: OIMServerType=WLS

    OIMServerType=WLS

     

    # OIMAdmin User Login

    # e.g.: OIMAdminUser=xelsysadm

    OIMAdminUser=xelsysadm

     

    # Skip Validation of OVD Schema

    # e.g.: SkipOVDValidation=true|false, Default false

    SkipOVDValidation=true

     

    # OIM Provider URL

    # e.g.: OIMProviderURL=t3://localhost:8003

    OIMProviderURL=t3://fmwhost.paramlabs.com:14000

     

    # OID URL

    # e.g.: OIDURL=ldap://localhost:389

    OIDURL=ldap://fmwhost.paramlabs.com:3060

     

    # Admin user name to connect to OID

    # e.g.: OIDAdminUsername=cn=orcladmin

    OIDAdminUsername=cn=oimLDAP,cn=systemids,dc=paramlabs,dc=com

     

    # Search base

    # e.g.: OIDSearchBase=dc=company,dc=com

    OIDSearchBase=dc=paramlabs,dc=com

     

    # Name of the user container

    # e.g.: UserContainerName=cn=Users

    UserContainerName=cn=Users

     

    # Name of the role container

    # e.g.: RoleContainerName=cn=Roles

    RoleContainerName=cn=Groups

     

    # Name of the reservation container

    # e.g.: ReservationContainerName=cn=Reserve

    ReservationContainerName=cn=Reserve

     

    [fusion@fmwhost ldap_config_util]$ export JAVA_HOME=/app/fusion/jdk6

    [fusion@fmwhost ldap_config_util]$ export WL_HOME=/app/fusion/fmw/wlserver_10.3

Run the following command (it prompts for the xelsysadm password):

    [fusion@fmwhost ldap_config_util]$ ./LDAPConfigPostSetup.sh /app/fusion/fmw/iam/server/ldap_config_util

    [Enter OIM admin password:]

     

    Authenticated with OIM Admin…..

    Obtained Scheduler Service…..

    Successfully Enabled Changelog based Reconciliation schedule jobs.

    Successfully Updated Changelog based Reconciliation schedule jobs with last change number : <number>

     

    Login to Enterprise Manager to make sure every required component is up.

     

    Configure HTTP for OIM and SOA

     

Append the following entries to /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf

    ################################################

    ## Entries Required by Oracle Identity Manager

    ################################################

    # oim admin console(idmshell based)

    <Location /admin>

    SetHandler weblogic-handler

    #WLProxySSL ON

    #WLProxySSLPassThrough ON

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # oim self and advanced admin webapp consoles(canonic webapp)

    <Location /oim>

    SetHandler weblogic-handler

    #WLProxySSL ON

    #WLProxySSLPassThrough ON

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # xlWebApp – Legacy 9.x webapp (struts based)

    <Location /xlWebApp>

    SetHandler weblogic-handler

    #WLProxySSL ON

    #WLProxySSLPassThrough ON

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # Nexaweb WebApp – used for workflow designer and DM

    <Location /Nexaweb>

    SetHandler weblogic-handler

    #WLProxySSL ON

    #WLProxySSLPassThrough ON

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # used for FA Callback service.

    <Location /callbackResponseService>

    SetHandler weblogic-handler

    #WLProxySSL ON

    #WLProxySSLPassThrough ON

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # spml xsd profile

    <Location /spml-xsd>

    SetHandler weblogic-handler

    #WLProxySSL ON

    #WLProxySSLPassThrough ON

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # role-sod profile

    <Location /role-sod>

    SetHandler weblogic-handler

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    <Location /HTTPClnt>

    SetHandler weblogic-handler

    #WLProxySSL ON

    #WLProxySSLPassThrough ON

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    ################################################

    ## Entries Required by Oracle Identity Manager and SOA

    ################################################

     

    # SOA Infrastructure

    <Location /soa-infra>

    SetHandler weblogic-handler

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:8001

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # UMS Email Support

    <Location /ucs>

    SetHandler weblogic-handler

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:8001

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # SOA Callback webservice for SOD – Provide the SOA Managed Server Ports

    <Location /sodcheck>

    SetHandler weblogic-handler

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:8001

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

    # Callback webservice for SOA. SOA calls this when a request is approved/rejected

# Provide the OIM Managed Server Port (this service is deployed on OIM, hence 14000)

    <Location /workflowservice>

    SetHandler weblogic-handler

    WLCookieName oimjsessionid

    WebLogicCluster fmwhost.paramlabs.com:14000

WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"

    </Location>

     

A copy of my admin.conf file can be found here. It is only a sample admin.conf; you must change the host names and ports to match your environment. Note that the WLProxySSL lines are commented out because this setup talks plain HTTP to the managed servers.

Restart the web server:
    [fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl stopall

    opmnctl stopall: stopping opmn and all managed processes…

    [fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl startall

    opmnctl startall: starting opmn and all managed processes…

     

Change host assertion in WebLogic. Because OHS now fronts the domain, WebLogic has to be told that requests arrive through a proxy; in Oracle's guides this is the WebLogic Plug-In Enabled option on the domain's Web Applications configuration page in the Administration Console (after Lock & Edit).

Click Save and Activate Changes.

Verify OIM and SOA through the OHS port:

     

    http://<hostname>:7777/oim

    http://<hostname>:7777/soa-infra
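Several readers of this post hit 404 errors because admin.conf was missing entries, so it helps to check the file before restarting OHS and hunting through browser errors. The script below is an added example and is not part of the original post: it parses the <Location> blocks of an admin.conf, prints which backend each path is proxied to, flags blocks that lack one of the three directives every entry above carries (SetHandler weblogic-handler, WLCookieName, WebLogicCluster), and lists required paths that are absent. The admin.conf fragment it writes to a temporary file is constructed for the example, following the single-host layout above (OIM on 14000, SOA on 8001); that /oamconsole must also be proxied is an assumption taken from the OAM console URL used at the start of this section.

```shell
#!/bin/sh
# Added example, not part of the original post: check which paths an OHS
# admin.conf proxies to WebLogic and where, then report required paths that
# are absent or incompletely configured. A block counts as complete when it
# has SetHandler weblogic-handler, WLCookieName and WebLogicCluster, as the
# post's entries do. The admin.conf fragment below is constructed for the
# example (OIM on 14000, SOA on 8001, as in the post).

# list_proxied_paths FILE: print "path backend" for each complete <Location>
# block and "path INCOMPLETE" for blocks missing one of the three directives.
list_proxied_paths() {
    awk '
        /^[ \t]*<Location[ \t]/ {
            path = $2; sub(/>$/, "", path)
            cluster = ""; handler = 0; cookie = 0
        }
        /^[ \t]*SetHandler[ \t]+weblogic-handler/ { handler = 1 }
        /^[ \t]*WLCookieName[ \t]/               { cookie = 1 }
        /^[ \t]*WebLogicCluster[ \t]/            { cluster = $2 }
        /^[ \t]*<\/Location>/ {
            if (path == "") next
            if (handler && cookie && cluster != "") print path, cluster
            else print path, "INCOMPLETE"
            path = ""
        }
    ' "$1"
}

# missing_paths FILE PATH...: print each PATH that has no complete <Location> block.
missing_paths() {
    conf=$1; shift
    proxied=$(list_proxied_paths "$conf" | awk '$2 != "INCOMPLETE" { print $1 }')
    for p in "$@"; do
        printf '%s\n' "$proxied" | grep -qxF -- "$p" || echo "$p"
    done
    return 0
}

# Constructed sample: /xlWebApp deliberately lacks WLCookieName, /oamconsole is absent.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# oim self and advanced admin webapp consoles
<Location /oim>
SetHandler weblogic-handler
#WLProxySSL ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>

# xlWebApp - this block is missing WLCookieName on purpose
<Location /xlWebApp>
SetHandler weblogic-handler
WebLogicCluster fmwhost.paramlabs.com:14000
</Location>

# SOA Infrastructure
<Location /soa-infra>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:8001
</Location>
EOF

# Paths the consoles in this post need. /oamconsole is the OAM console path used
# at the start of this section; assuming it is proxied by the same file.
REQUIRED_PATHS="/oim /xlWebApp /soa-infra /oamconsole"

list_proxied_paths "$SAMPLE_CONF"
echo "Missing or incomplete:"
missing_paths "$SAMPLE_CONF" $REQUIRED_PATHS
```

Against the real file, run `missing_paths /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf /oim /soa-infra /oamconsole ...` with the full list of paths you expect; anything it prints is a path that will answer 404 through port 7777 once OHS is restarted.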

     

    Enabling Oracle Identity Manager to Connect to SOA Using the Administrative Users Provisioned in LDAP

Log in to the EM console.

Select Farm_IDMDomain -> Identity and Access -> OIM -> oim(11.1.1.3.0).

Select System MBean Browser from the menu (or right-click the application and select it).

 

Select Application Defined MBeans -> oracle.iam -> Server: wls_oim1 -> Application: oim -> XMLConfig -> Config -> XMLConfig.SOAConfig -> SOAConfig

Change the username attribute to weblogic_idm.

     

     

Select WebLogic Domain -> IDMDomain from the navigator.

Select Security -> Credentials from the drop-down menu.

 

Expand the key oim.

Click SOAAdminPassword.

Click Edit.

 

Change the username to weblogic_idm and set the password to that account's password.

    Click OK.

     

Run the reconciliation process so that the Oracle WebLogic Server administrator, weblogic_idm, becomes visible in the OIM Console. Follow these steps:

a. Log in to Oracle Identity Manager at:

http://<hostname>:7777/oim as the user xelsysadm

b. If prompted, set up challenge questions. This happens on your first login to Oracle Identity Manager.

c. Click Advanced.

d. Click the System Management tab.

e. Click the arrow next to Search Scheduled Jobs to list all scheduled jobs.

f. Select LDAP User Create and Update Full Reconciliation.

g. Click Run Now to run the job.

h. Go to the Administration page and perform a user search to verify that weblogic_idm is visible in the Oracle Identity Manager console.

     

     

     

    Now click on Administration

     

Click Advanced Search -> Roles

     

    Search for the Administrators role. Click the Administrators Role.

    Click Open.

     

    Click the Members tab. Click Assign.

     

Type weblogic_idm in the Search box and click the arrow.

Select weblogic_idm from the list of available users.

Click the move button to add it to Selected Users.

     

    Click Save.

     

1. Log in to the WebLogic console at:

http://<hostname>:7777/console

2. Click Lock & Edit.

3. Expand the Environment node in the Domain Structure window.

4. Click Servers to open the Summary of Servers page.

5. Click a server to open its settings page.

6. Click the Server Start tab.

7. Add the following values to the Arguments field:

-Djps.subject.cache.key=5

-Djps.subject.cache.ttl=600000

8. Click Save.

9. Repeat for each of the managed servers.

10. Click Activate Changes.

     

Restart the Admin Server and all managed servers so that the new JVM arguments take effect.

Next: Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)

Installing Oracle Fusion Applications – steps

  1. Install Fusion Applications Provisioning Framework
  2. Install Oracle 11g Database (Applications Transactional Database)
  3. Run Oracle Fusion Applications Repository Creation Utility (Applications RCU)
  4. Create another database for Oracle Identity Management Infrastructure (optional)
  5. Run Repository Creation Utility (RCU) for Oracle Identity Management components
  6. Install Oracle Identity and Access Management Components
  7. Apply mandatory Patches
  8. Configure Oracle Identity and Access Management components
  9. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
  10. Install provisioning framework on Node 2
  11. Create new Response File
  12. Provision an Applications Environment (Editing in progress, this link currently points to 11.1.5 counterpart)
Mar 24th, 2013 | Posted by Tushar Thakker | In Uncategorized
  1. Ibrahim Khan
    Sep 2nd, 2014 at 11:35 | #1

    Hello guys,
I am unable to sign in to my oamconsole.
The server is running fine without any error in the logs.
When I enter the username and password it does not show any movement.
It does not even reply to a wrong password or username input.

    Please help me out as i am unaware of any solution all over the internet

  2. Rahul
    Aug 28th, 2014 at 09:30 | #2

    Hi,

    Tushar,

    The OIM is not starting on Fusion_IDMDomain

    Name: oim(11.1.1.3.0) Status: Down Target: WLS_OIM1

    Here is the error msg I am getting.

    Please advise:

    Invoking Start Up operation for application oim on target WLS_OIM1.
    [Deployer:149193]Operation ‘start’ on application ‘oim [Version=11.1.1.3.0]’ has failed on ‘WLS_OIM1′
    [Deployer:149034]An exception occurred for task [Deployer:149026]start application oim [Version=11.1.1.3.0] on WLS_OIM1.: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=OIMSchemaPassword read).
    Operation Start Up on target oim Failed. Please see error logs for details.

  3. Aug 21st, 2014 at 13:44 | #3

    Hi Tushar,
    I am facing very strange issue, dont know if it is normal or not.

The wizard hangs completely during step 7 of 11 in the “Extend the Domain to include Oracle Internet Directory” process. I had provided the right details in the required fields.

It hung for almost 30 minutes. I tried several times. Glad if you can provide any feedback.

  4. Prakash
    Apr 3rd, 2014 at 05:11 | #4

    Hi Tushar,

We are working on OIM 11g Release 2 (11.1.2.2.0). Whenever I try to create a form from the form designer I am getting the below error.

java.lang.String cannot be cast to oracle.iam.ui.formservice.model.FormCreateResult

ADF_FACES-60097: For more information, please see the server’s error log for an entry beginning with: ADF_FACES-60096: Server Exception during PPR, #3

    Can you please let me know do we need to apply any patch for this error.

    Thanks.

    • Kireet
      May 14th, 2014 at 06:58 | #5

      Hi Prakash,

      Even we are facing the same issue.. Can you please let me know what you have done to rectify this.

      Thanks,
      Kireet.

      • Angelos
        Jul 9th, 2014 at 13:31 | #6

        Guys,

        we’re facing also the “java.lang.String cannot be cast to oracle.iam.ui.formservice.model.FormCreateResult” error.

        Did you come up with a solution?

        Thank you,
        Angelos

        • Sep 16th, 2014 at 11:00 | #7

          The same issue here. Any suggestion how to solve it?

          • Natali
            Sep 17th, 2014 at 12:35 | #8

            It is a bug, see Doc ID 1922978.1 on support.oracle.com

  5. Oct 24th, 2013 at 20:53 | #9

    Hi Tushar,

Thanks for your blog. I have some queries; please reply if possible.

1) Instead of FA_ I gave FAAPP_ for schema creation in RCU.
Is this going to have an impact?

2) After I completed the OIM configuration as per Oracle Doc ID 1328471.1,
I completed the workaround.

In the browser, when I hit Enter on the OIM link, the link changes and there is no login page.

    http://hostname:14000/oim

    http://www.hostname.com:14000/oim

Please advise.

    • tushar
      Oct 28th, 2013 at 05:10 | #10

      Hello,

      Till 11.1.6 release of Fusion Apps, it was ok to keep any prefix. In fact they suggested to keep EDG_ but we had selected FA_. From 11.1.7 release they have made it mandatory to keep FA_ but this is in case of 11.1.7. It has not given any issues in 11.1.6 if we changed it.

      Regarding OIM, I need to see which note you followed but can you please tell what is the behavior if you open OIM using web load balancer port instead of OIM server port.

      Regards
      Tushar

  6. Morpheus
    Sep 11th, 2013 at 13:52 | #11

    HI ,tushar

    How to Restart OAM in this article (the action above title“Configure Oracle Identity Manager (OIM) and Oracle SOA Suite”)?

    thank you very much

    BR,

    Morpheus

  7. anup modak
    Sep 9th, 2013 at 15:41 | #12

The SOA domain won’t boot up; the message is “invalid credentials” on the admin server…

  8. tushar
    Aug 30th, 2013 at 21:36 | #13

    Dear all,

    We have a lot of comments pending this week. I will reply to all questions one by one over the weekend and next week.

    Thanks
    Tushar

  9. RamPrasad
    Aug 27th, 2013 at 06:09 | #14

    Hi,

My host name is fusion with IP 192.168.59.101 and the same is placed in /etc/hosts.

There is no domain given in the host entry, like oracle.com.

During Oracle Identity Management installation setup – Step 8 of 11.

    I gave Realm as dc=fusion

    Created Policystore.props as below:

    LICYSTORE_HOST: fusion — also tried giving 192.168.59.101
    POLICYSTORE_PORT: 3060
    POLICYSTORE_BINDDN: cn=orcladmin
    POLICYSTORE_READONLYUSER: PolicyROUser
    POLICYSTORE_READWRITEUSER: PolicyRWUser
    POLICYSTORE_SEARCHBASE: dc-fusion — also tried giving dc=localhost,dc=localdomain
    POLICYSTORE_CONTAINER: cn=idm_jpsroot

    Now I am not able to prepare policy store:

    ./idmConfigTool.sh -configPolicyStore input_file=policystore.props

    Error:
    Enter Policy Store Bind DN password :
    Host/Port details missing in the Config file

    Please help..

    Thanks,
    RamPrasad

  10. Mohamed Farouk
    Aug 26th, 2013 at 11:56 | #15

    Hi, Thanks for the great note, i followed the steps mentioned in the note but i got this error oracle.iam.ldapsync.exception.ProcessLDAPReconDataException: An error occurred as there is no result or null returned from LDAP. Check the log files.

    I enabled trace and found the following error in WLS_OIM1-diagnostic.log

    [2013-08-21T14:22:11.802+03:00] [WLS_OIM1] [ERROR] [IAM-0042008] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] [userId: oiminternal] [ecid: 0000K2W^fp8ECS05Nzg8ye1I5A1b000002,0] [APP: oim#11.1.1.3.0] An error occurred while searching the entity in LDAP, and the corresponding error is – {0}[[
    javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
    LDAP Error 32 : No Such Object [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object]
    at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
    at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:439)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1101)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.search(LDAPDataProvider.java:1217)
    at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.returnEntityType(LDAPRoleMembershipReconTask.java:502)
    at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.createRoleMembershipReconciliationEvent(LDAPRoleMembershipReconTask.java:319)
    at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.processResult(LDAPRoleMembershipReconTask.java:174)
    at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.execute(LDAPRoleMembershipReconTask.java:109)
    at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
    Caused by: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object
    at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:174)
    at oracle.ods.virtualization.service.DefaultVirtualizationSession.search(DefaultVirtualizationSession.java:191)
    at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:429)
    … 15 more

    and in WLS_OIM1.out:

  11. Priya
    Jul 5th, 2013 at 02:26 | #16

    Hi, Tushar,

    Appreciate if you could comment on the following Issue…… Thanks!

While configuring the domain for IDM 11.1.1.6.0, I am facing this issue during
the configuration progress, during the run of $ORACLE_HOME/bin/config.sh.

I am getting this “Bootstraps Domain configuration Failed” error.
I am trying to configure the OID domain after installing the IDM 11.1.1.6
software, but the config.sh wizard is failing at the domain
creation.

    The steps that i ‘ve followed are:

    created 11.2.0.3 database on database server and populated the metadata w/RCU

    Installed sun jdk1.6 on the server

    Installed Weblogic 10.3.6 on server

    Installed IDM 11.1.1.6 Without creating & configuring OID domain on server

    run config.sh under $ORACLE_HOME/bin, but installer was stuck in the
    “create domain” step, and the below error message could be observed in
    the installer’s log:

    2013-07-04T08:40:42.815+05:30] [as] [ERROR] [] [oracle.as.install.engine.modules.presentation] [tid: 11] [ecid: 0000Jybe2o61zWWzLwePOA1HpETX000002,0] Io exception: Connection refused(DESCRIPTION=(TMP=)(VSNNUM=186647296)(ERR=12514)(ERROR_STACK=(ERROR=(CODE=12514)(EMFI=4))))[[

    java.sql.SQLException: Io exception: Connection refused(DESCRIPTION=(TMP=)(VSNNUM=186647296)(ERR=12514)(ERROR_STACK=(ERROR=(CODE=12514)(EMFI=4))))
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)

    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:231)
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:345)

    And

    progress in calculate progress2

    java.lang.NullPointerExceptionat oracle.as.install.engine.modules.util.fileutils.INIFileReaderUtilities.parseFile(INIFileReaderUtilities.java:185)
    at oracle.as.install.engine.modules.util.fileutils.INIFileReaderUtilities.(INIFileReaderUtilities.java:86)

    at oracle.as.install.engine.modules.util.fileutils.INIFileReaderUtilities.(INIFileReaderUtilities.java:99)
    at oracle.as.idm.install.config.BootstrapConfigManager.doExecute(BootstrapConfigManager.java:850)
    at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:371)

    Please suggest what could be the Issue,

    Thanks

    Priya

  12. Raj
    May 18th, 2013 at 22:46 | #17

    Hello Gurus,
    I follow the same steps are mention in this blog, when I Ran the following command
    ./idmConfigTool.sh -preConfigIDStore input_file=idstore.props

    I got error saying “Host/Port details missing in the Config file”

    Can you please let me know what can be the issue?

    Thanks
    Raj

    • tushar
      May 20th, 2013 at 04:37 | #18

      Dear Raj,

      The error is very clear. You need to check the same in your idstore.props. If you cannot find then please post your idstore.props file and I can let you know where the details are missing.

      Thanks
      Tushar

    • Morpheus
      Sep 11th, 2013 at 13:57 | #19

      Hi Raj

      Please keep the code together without blank lines in file idstore.props

      BR,

      Morpheus

  13. tushar
    Apr 30th, 2013 at 09:44 | #20

    Dear all,

    I have updated the post with missing oam alias entries in admin.conf files. A sample admin.conf file can be found here. Please note that you must change the hostnames and ports accordingly.

    Regards
    Tushar

  14. sreekanth
    Apr 30th, 2013 at 09:11 | #21

    sreekanth :
    Hi ,
This is a great post; I simply followed it. Not sure whether you have covered this or not, but I see some OAM-related directives are missing from admin.conf in this post. After adding the below I could access OAM without any issues; otherwise you get a 404 error after installing the webgate and trying to access any URL.
    SetHandler weblogic-handler
    WebLogicHost xxxx.com
    WeblogicPort 14100

  15. sreekanth
    Apr 30th, 2013 at 08:58 | #22

    Hi ,

This is a great post; I simply followed it. Not sure whether you have covered this or not, but I see some OAM-related directives are missing from admin.conf in this post. After adding the below I could access OAM without any issues; otherwise you get a 404 error after installing the webgate and trying to access any URL.

    SetHandler weblogic-handler
    WebLogicHost infaesad81.cloud.opsource.net
    WeblogicPort 14100

    • tushar
      Apr 30th, 2013 at 09:20 | #23

      You are so right!! I am so sorry for missing these entries in this post. They are already mentioned in the 11.1.5 post, but it seems I missed mentioning these entries in the 11.1.6 posts. There are multiple entries in admin.conf which seem to be missing in this post. I will add all of them right away.

      Thanks a lot for bringing it to my notice! All those who faced the 404 error due to this, please correct the admin.conf file.

      – Tushar

  16. Apr 23rd, 2013 at 17:53 | #24

    Thank you for the great site. I really enjoy it. I am stuck on “Configure OAM”. I created config_oam1.props and am running it. It craps out on

    Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
    oracle.idm.automation.exception.ExecutionFailedException: Error in adding password policy for System ID container
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.prepareLDAPUserDN(OAM11gIntegrationHandler.java:425)
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.configOAM11gIdStore(OAM11gIntegrationHandler.java:238)
    at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.execute(OAM11gIntegrationHandler.java:888)
    at oracle.idm.automation.AutomationTool.configOAM(AutomationTool.java:708)
    at oracle.idm.automation.AutomationTool.parseCmdLine(AutomationTool.java:227)
    at oracle.idm.automation.AutomationTool.main(AutomationTool.java:141)
    There were errors found. Details have been logged to automation.log

    I went in to the OID and changed the pw. Still getting this error. Any ideas?

    Thanks again!

  17. Daren
    Apr 22nd, 2013 at 07:12 | #25

    Very soon this web site will be famous among all
    blog viewers, due to its nice content

  18. Kumar
    Apr 2nd, 2013 at 14:42 | #26

    Hi,
    Can anyone help me to solve this problem?

    I’m getting the following error message in automation.log when I run
    the following command to configure OAM
    ./idmConfigTool.sh -configOAM input_file=config_oam1.props

    SEVERE: Error while configuring User ID Store {1}

    Server instances in oamconsole are showing OAMSERVER1 instead of WLS_OAM1, and the primary server list is also showing AMSERVER1 and the host port 3005.

    It looks like oam-config.xml is not updated when I run the automation tools.

    WLS_OAM1, WLS_ODS1, WLS_OIM1 and WLS_SOA1 are up & running.

    I can telnet to all the ports, but not proxy port 5575.

    Please advise

    rgds/Kumar

    • Magdy
      Apr 20th, 2013 at 10:48 | #27

      me too
      any solution

    • FA
      Apr 21st, 2013 at 21:48 | #28

      Pls check your input for the IDSTORE parameters in config_oam1.props, especially hostname and domain.

      • Sebastian
        May 3rd, 2013 at 11:13 | #29

        Check also the hosts file to be correct. I had the same issue here; after correcting the hosts file the configuration worked.
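The three pieces of advice in this thread (Tushar: the host/port details must actually be in idstore.props; Morpheus: no blank lines inside the file; Sebastian: the hostname must also be right in the hosts file) can be turned into a pre-flight check that runs before idmConfigTool is invoked. The script below is an added example for this thread, not code from the blog post or from Oracle's idmConfigTool. The list of required keys, the DNs in the sample file and the hosts-file content are assumptions; the host fmwhost.paramlabs.com and OID port 3060 are the ones used in the post.

```python
"""Pre-flight checks for an idmConfigTool properties file such as idstore.props.

Added example for this thread; not part of the blog post or of Oracle's
idmConfigTool. REQUIRED_KEYS and the sample values below are assumptions.
"""
import re

# Keys that idmConfigTool -preConfigIDStore reads (assumed minimal set;
# extend it to match the props file used in the post).
REQUIRED_KEYS = (
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_SEARCHBASE", "IDSTORE_USERSEARCHBASE",
    "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE",
)

_KV = re.compile(r"^([A-Za-z0-9_.]+)\s*[:=]\s*(.*)$")


def parse_props(text):
    """Parse 'KEY: value' / 'KEY=value' lines. Returns (props, findings)."""
    props, findings = {}, []
    lines = text.split("\n")
    while lines and not lines[-1].strip():   # trailing newline(s) are harmless
        lines.pop()
    for lineno, raw in enumerate(lines, 1):
        if raw.endswith("\r"):               # file was edited on Windows
            findings.append(f"line {lineno}: CRLF line ending")
            raw = raw[:-1]
        line = raw.strip()
        if not line:
            # the blank-line problem Morpheus describes in the thread
            findings.append(f"line {lineno}: blank line inside properties file")
            continue
        if line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            findings.append(f"line {lineno}: cannot parse {line!r}")
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in props:
            findings.append(f"line {lineno}: duplicate key {key}")
        props[key] = value
    return props, findings


def host_in_hosts_file(host, hosts_text):
    """True if host appears as a name on some line of an /etc/hosts style file."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and host.lower() in (n.lower() for n in fields[1:]):
            return True
    return False


def check_idstore_props(text, hosts_text=None):
    """Return a list of findings; an empty list means the file looks sane."""
    props, findings = parse_props(text)
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing key {key}")
        elif not props[key]:
            findings.append(f"empty value for {key}")
    port = props.get("IDSTORE_PORT", "")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"IDSTORE_PORT {port!r} is not a valid TCP port")
    host = props.get("IDSTORE_HOST", "")
    if host and hosts_text is not None and not host_in_hosts_file(host, hosts_text):
        findings.append(f"IDSTORE_HOST {host!r} is not in the hosts file")
    return findings


# Constructed sample input (host/port from the post; the DNs are assumptions).
GOOD_PROPS = """\
IDSTORE_HOST: fmwhost.paramlabs.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_SEARCHBASE: dc=paramlabs,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=paramlabs,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=paramlabs,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=paramlabs,dc=com
"""

# Constructed broken file: a blank line, a typo'd port and most keys missing.
BAD_PROPS = """\
IDSTORE_HOST: fmwhost.paramlabs.com

IDSTORE_BINDDN: cn=orcladmin
IDSTORE_PORT: 3o60
"""

# Constructed /etc/hosts content (IP address assumed).
HOSTS = "127.0.0.1 localhost\n192.168.56.10 fmwhost.paramlabs.com fmwhost\n"

if __name__ == "__main__":
    for finding in check_idstore_props(BAD_PROPS, HOSTS):
        print(finding)
```

Run it against the real file with `check_idstore_props(open("idstore.props").read(), open("/etc/hosts").read())` before calling idmConfigTool; a non-empty result is the same class of problem that produces "Host/Port details missing in the Config file".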

  19. Magdy
    Mar 31st, 2013 at 11:48 | #30

    I can’t find http://fmwhost.paramlabs.com:7777/oamconsole/
    or ://fmwhost.paramlabs.com:3060/oamconsole/
    It gives me the error
    The requested URL /oamconsole/ was not found.

    Why?

    • tushar
      Apr 1st, 2013 at 03:24 | #31

      First of all, 3060 is not a web port; it is for OID. Secondly, in order for 7777/oamconsole to work you must have added the alias /oamconsole in the admin.conf file as mentioned in the post.

      If you are finding it difficult to prepare the IDM infrastructure for Fusion Apps, you can get a ready-made VM for this using the link at the top.

      • Magdy
        Apr 4th, 2013 at 07:01 | #32

        I am going to buy it, but I need more details about it:
        1. Is this virtual machine compatible with VMware ESX5 or not?
        2. I am using IP 172.16.100.1 for this machine; is it OK with yours or not?
        3. I will start with the Oracle Fusion Financials application, so how can I complete the remaining steps to achieve that?
        4. Will you support me if I face any problem with this machine or not?

        thank you

        • tushar
          Apr 4th, 2013 at 07:30 | #33

          The VMs are created using VMWare workstation for now. You can convert them to ESX using
          vmkfstools -i .vmdk .vmdk

          Changing IP is very much possible if you are confident about changing it on Linux.

          For the remaining steps you need to create another Linux VM and make sure that both can communicate with each other. Then install the Fusion Applications framework (step 2), since it contains the basic wizard for provisioning.

          Then you need to create response file (as per step 9) and provision/install applications (step 10). You will need idmDomainConfig.param file from node 1 (located at $IAM_HOME/idmtools/bin) to be copied anywhere on node2 since response file will prompt for its location.

          Yes we will support you if you face any problems in starting the identity management VM (except issues in conversion to ESX).

          For the remaining steps, including provisioning, you need to contact us on the blog only, so that we or community users can answer your queries.

          We never insist on buying the VM, since it is only for those who are tight on schedule or having issues in installation; our main aim is to help the Oracle community learn on their own, and we are always open for support.

          • Magdy
            Apr 11th, 2013 at 09:05 | #34

            Can you make one machine including all software (policy + application) available for direct use (Financials and HR modules)?

    • Kumar
      Apr 2nd, 2013 at 16:18 | #35

      You must append oamconsole host,port info in admin.conf file.

      Rgds/Kumar

      • Ram
        Apr 28th, 2013 at 13:57 | #36

        Hi Kumar,

        Could you provide the details of the oamconsole host/port info in the admin.conf file?

        Regards,
        Ram

        • Ram
          Apr 28th, 2013 at 14:09 | #37

          Problem has been solved after adding in admin.conf:

          # OAMCONSOLE
          # the enclosing <Location /oamconsole> block is reconstructed here from
          # Tushar's reply above; only the inner directives survived in the comment as posted
          <Location /oamconsole>
          SetHandler weblogic-handler
          WebLogicHost xxapps
          WeblogicPort 7001
          </Location>

          Regards,
          Ram

          • tushar
            Apr 30th, 2013 at 09:27 | #38

            My bad, guys; yes indeed, some admin.conf entries were missing in this post. They were posted in the 11.1.5 post, but I missed writing that paragraph in this post. I will correct this and also put up a sample admin.conf to verify against. Please accept my apologies.

            Tushar
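Both the 404 reports in this thread (sreekanth's missing OAM directives on port 14100, and Ram's missing /oamconsole block on 7001) come down to the same thing: OHS only proxies a URI to WebLogic if admin.conf has a <Location> block for it with SetHandler weblogic-handler, WebLogicHost and WebLogicPort. The script below is an added example, not part of the blog post or of Oracle's tooling: it parses the <Location> blocks of an admin.conf and reports which expected URIs are missing or misrouted. The sample configuration, the hostname and the expected URI-to-port map (/oam on 14100, /oamconsole and /console on 7001) are assumptions built from the ports quoted in the comments; adjust them to your domain.

```python
"""Check that an OHS mod_wl_ohs config (admin.conf) routes the OAM URIs.

Added example for this thread; not part of the blog post or of Oracle's
tooling. The sample config, hostnames and expected port map are assumptions
built from the comments above.
"""
import re

_LOC_OPEN = re.compile(r"^<Location\s+(\S+)\s*>$", re.I)
_LOC_CLOSE = re.compile(r"^</Location>$", re.I)


def parse_locations(conf_text):
    """Return {uri: {directive_lowercase: value}} for each <Location> block.

    Apache directive names are case-insensitive, so 'WeblogicPort' and
    'WebLogicPort' (both spellings appear in the thread) are the same key.
    """
    blocks, current = {}, None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd comments are whole lines only
            continue
        m = _LOC_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested <Location> not supported")
            current = m.group(1)
            blocks[current] = {}
            continue
        if _LOC_CLOSE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: </Location> without opening tag")
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            blocks[current][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    if current is not None:
        raise ValueError(f"unterminated <Location {current}>")
    return blocks


def check_weblogic_routes(conf_text, expected):
    """expected: {uri: port}. Returns findings; an empty list means all routes exist."""
    blocks = parse_locations(conf_text)
    findings = []
    for uri, port in expected.items():
        b = blocks.get(uri)
        if b is None:
            findings.append(f"{uri}: no <Location> block, OHS will return 404")
            continue
        if b.get("sethandler", "").lower() != "weblogic-handler":
            findings.append(f"{uri}: SetHandler weblogic-handler missing")
        if not b.get("weblogichost"):
            findings.append(f"{uri}: WebLogicHost missing")
        if b.get("weblogicport") != str(port):
            findings.append(f"{uri}: WebLogicPort is {b.get('weblogicport')!r}, expected {port}")
    return findings


# Constructed admin.conf fragment: /console and /oamconsole go to the
# AdminServer (7001), but the /oam block is missing, as in the 404 reports.
ADMIN_CONF_MISSING_OAM = """\
<Location /console>
    SetHandler weblogic-handler
    WebLogicHost fmwhost.paramlabs.com
    WeblogicPort 7001
</Location>

# OAMCONSOLE
<Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicHost fmwhost.paramlabs.com
    WeblogicPort 7001
</Location>
"""

# The kind of block sreekanth added (WLS_OAM1 on 14100; the URI is assumed).
OAM_BLOCK = """\
<Location /oam>
    SetHandler weblogic-handler
    WebLogicHost fmwhost.paramlabs.com
    WeblogicPort 14100
</Location>
"""

# Expected routing, assumed from the ports quoted in the comments.
EXPECTED_ROUTES = {"/console": 7001, "/oamconsole": 7001, "/oam": 14100}

if __name__ == "__main__":
    print(check_weblogic_routes(ADMIN_CONF_MISSING_OAM, EXPECTED_ROUTES))
    print(check_weblogic_routes(ADMIN_CONF_MISSING_OAM + OAM_BLOCK, EXPECTED_ROUTES))
```

Point it at the real file with `check_weblogic_routes(open("admin.conf").read(), EXPECTED_ROUTES)` after editing and before restarting OHS; a URI listed as having no <Location> block is exactly the case that shows up as "The requested URL /oamconsole/ was not found".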

  20. Sandesh
    Mar 29th, 2013 at 09:38 | #39

    Hi

    In the above screenshots I see versions of some components less than 11.1.1.6 (when selecting products for creating the Oracle Identity Management domain), like Oracle Identity Manager 11.1.1.3.0 [iam] and Oracle SOA Suite 11.1.1.0 [soa].

    Is it OK, or do we need to upgrade these components to 11.1.1.6?

    Regards,
    Sandesh
