Perform Post-Provisioning Configuration


Correcting Datasource Configuration

Due to Bugs 17075699 and 17076033 in Identity Management Provisioning, you must make changes to the following datasources:

  • EDNLocalTxDataSource*
  • mds-oim*
  • mds-owsm*
  • mds-soa*
  • oamDS*
  • oimJMSStoreDS*
  • OraSDPMDataSource*
  • SOALocalTxDataSource*

 

To make the changes, proceed as follows:

1. Log in to the WebLogic Administration Console at http://idmhost.paramlabs.com:7777/console

Use the weblogic_idm username and the password which you provided before provisioning.

2. Click Lock & Edit.

3. Navigate to Services -> Data Sources

4. Click on the data source to be updated, for example, EDNLocalTxDataSource

5. Click the Transaction tab

6. Deselect Supports Global Transactions if not already deselected. In our case it is already deselected.

7. Click Save.

8. Repeat Steps 4 through 7 for all the listed datasources.

Note: We had to change the checkbox only for oamDS. All others were already deselected.

9. Click Activate Changes.

10. Restart all servers.
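
Once the changes are activated, the same setting can be audited from the domain's configuration files instead of clicking through each data source. The script below is an added example, not part of the original post. It assumes the JDBC descriptors are the XML files under DOMAIN_HOME/config/jdbc and that a deselected Supports Global Transactions checkbox is stored as a global-transactions-protocol value of None; the sample directory it runs against is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: list which of the data sources
# named on this page still support global transactions.
# Assumptions: descriptors are DOMAIN_HOME/config/jdbc/*.xml; the setting is
# stored in <global-transactions-protocol>; a missing element means the
# OnePhaseCommit default, i.e. the checkbox is still selected.

DS_LIST="EDNLocalTxDataSource mds-oim mds-owsm mds-soa oamDS oimJMSStoreDS OraSDPMDataSource SOALocalTxDataSource"

# xml_value TAG FILE -> text of the first <TAG>...</TAG> element in FILE
xml_value() {
  sed -n "s:.*<$1>\([^<]*\)</$1>.*:\1:p" "$2" | head -n 1
}

# audit_datasources DIR -> one status line per listed data source.
# Returns 1 if any data source needs the change or has no descriptor in DIR.
audit_datasources() {
  dir=$1; rc=0
  for ds in $DS_LIST; do
    found=""
    for f in "$dir"/*.xml; do
      [ -f "$f" ] || continue
      [ "$(xml_value name "$f")" = "$ds" ] || continue
      found=$f
      proto=$(xml_value global-transactions-protocol "$f")
      proto=${proto:-OnePhaseCommit}
      if [ "$proto" = "None" ]; then
        echo "OK      $ds"
      else
        echo "CHANGE  $ds ($proto)"; rc=1
      fi
    done
    [ -n "$found" ] || { echo "MISSING $ds"; rc=1; }
  done
  return $rc
}

# write_ds DIR NAME PROTOCOL -> writes a minimal, constructed descriptor
write_ds() {
  printf '<jdbc-data-source>\n  <name>%s</name>\n  <jdbc-data-source-params>\n    <global-transactions-protocol>%s</global-transactions-protocol>\n  </jdbc-data-source-params>\n</jdbc-data-source>\n' \
    "$2" "$3" > "$1/$2-jdbc.xml"
}

# Constructed sample: every data source already set to None except oamDS.
sample=$(mktemp -d)
for ds in $DS_LIST; do write_ds "$sample" "$ds" None; done
write_ds "$sample" oamDS OnePhaseCommit

audit_datasources "$sample" || echo "=> at least one data source still needs the change"
```

On a real host, pass the domain's config/jdbc directory to audit_datasources in place of the sample directory.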

 

Updating Oracle HTTP Server Runtime Parameters

By default, the Oracle HTTP Server contains parameter values that are suitable for most applications. These values, however, must be adjusted in IDM deployments.

 

Proceed as follows:

1. Edit the file httpd.conf, which is located in: WEB_ORACLE_INSTANCE/config/OHS/component_name

[fusion@idmhost ~]$ cd /app/oracle/config/instances/ohs1/config/OHS/ohs1/

[fusion@idmhost ohs1]$ cp -pr httpd.conf httpd.conf.bak

[fusion@idmhost ohs1]$ vi httpd.conf

 

2. Find the entry that looks like this:

<IfModule mpm_worker_module>

3. Update the values in this section as follows:

<IfModule mpm_worker_module>

ServerLimit 20

MaxClients 1000

MinSpareThreads 200

MaxSpareThreads 800

ThreadsPerChild 50

MaxRequestsPerChild 10000

AcceptMutex fcntl

</IfModule>

4. Leave all remaining values unchanged.

5. Save the file.
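
The values in this block depend on each other: MaxClients 1000 with ThreadsPerChild 50 needs 20 child processes, which is why ServerLimit 20 is set alongside them. The following check is an added example, not part of the original post. The fallback values of 16 for ServerLimit and 64 for ThreadLimit are the Apache httpd worker MPM defaults, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: consistency check for the
# <IfModule mpm_worker_module> block of an OHS httpd.conf.
# Assumptions: directive names are written in their canonical case; absent
# ServerLimit/ThreadLimit fall back to the httpd worker MPM defaults (16, 64).

# check_worker_mpm FILE -> prints findings; returns 0 if consistent, else 1.
check_worker_mpm() {
  awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    $1 == "<IfModule" && $2 == "mpm_worker_module>" { inblk = 1; seen = 1; next }
    inblk && $1 == "</IfModule>"                     { inblk = 0; next }
    inblk && NF >= 2 && $1 !~ /^#/                   { v[$1] = $2 + 0 }
    END {
      if (!seen) { fail("no <IfModule mpm_worker_module> block"); exit 1 }
      if (!("ServerLimit" in v)) v["ServerLimit"] = 16
      if (!("ThreadLimit" in v)) v["ThreadLimit"] = 64
      n = split("MaxClients MinSpareThreads MaxSpareThreads ThreadsPerChild", req, " ")
      for (i = 1; i <= n; i++)
        if (!(req[i] in v)) fail(req[i] " is not set")
      tpc = v["ThreadsPerChild"]
      if (bad || tpc < 1) { if (!bad) fail("ThreadsPerChild must be >= 1"); exit 1 }
      if (tpc > v["ThreadLimit"])
        fail("ThreadsPerChild " tpc " exceeds ThreadLimit " v["ThreadLimit"])
      if (v["MaxClients"] > v["ServerLimit"] * tpc)
        fail("MaxClients " v["MaxClients"] " needs more than ServerLimit " v["ServerLimit"] " x ThreadsPerChild " tpc)
      if (v["MaxClients"] % tpc)
        fail("MaxClients is not a multiple of ThreadsPerChild")
      if (v["MaxSpareThreads"] < v["MinSpareThreads"] + tpc)
        fail("MaxSpareThreads is below MinSpareThreads + ThreadsPerChild")
      if (!bad) print "OK: up to " v["MaxClients"] " threads in " (v["MaxClients"] / tpc) " processes"
      exit bad + 0
    }' "$1"
}

# Constructed sample inputs: the tuned block from this page, and the same
# block with ServerLimit left out (so the default of 16 applies).
tuned=$(mktemp); no_limit=$(mktemp)
cat > "$tuned" <<'EOF'
<IfModule mpm_worker_module>
ServerLimit 20
MaxClients 1000
MinSpareThreads 200
MaxSpareThreads 800
ThreadsPerChild 50
MaxRequestsPerChild 10000
AcceptMutex fcntl
</IfModule>
EOF
grep -v '^ServerLimit' "$tuned" > "$no_limit"

check_worker_mpm "$tuned"
check_worker_mpm "$no_limit" || true
```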

 

[fusion@idmhost ohs1]$ diff httpd.conf httpd.conf.bak

164,169c164,168

< ServerLimit 20

< MaxClients 1000

< MinSpareThreads 200

< MaxSpareThreads 800

< ThreadsPerChild 50

< MaxRequestsPerChild 10000

> MaxClients 150

> MinSpareThreads 25

> MaxSpareThreads 75

> ThreadsPerChild 25

> MaxRequestsPerChild 0

1036c1035

< include “/app/oracle/config/instances/ohs1/config/OHS/ohs1/webgate.conf”

> include “/app/oracle/config/instances/ohs1/config/OHS/ohs1/webgate.conf”

\ No newline at end of file

 

Creating ODSM Connections to Oracle Virtual Directory

Before you can manage Oracle Virtual Directory you must create connections from ODSM to each of your Oracle Virtual Directory instances. To do this, proceed as follows:

1. Access ODSM at: http://idmhost.paramlabs.com:7777/odsm

 

2. Create connections to each Oracle Virtual Directory node separately. Using the Oracle Virtual Directory load balancer virtual host from ODSM is not supported.

Create a direct connection to Oracle Virtual Directory on idmhost, providing the following information in ODSM:

Host: idmhost.paramlabs.com

Port: 8899 (The Oracle Virtual Directory proxy port, OVD_ADMIN_PORT)

Enable the SSL option.

User: cn=orcladmin

Password: password_to_connect_to_OVD

 

Creating ODSM Connections to Oracle Internet Directory

Before you can manage Oracle Internet Directory you must create connections from ODSM to each of your Oracle Internet Directory instances. To do this, proceed as follows:

1. Access ODSM at: http://idmhost.paramlabs.com:7777/odsm

 

 

2. Create a direct connection to Oracle Internet Directory on idmhost, providing the following information in ODSM:

Host: idmhost.paramlabs.com

Port: 3060

Deselect the SSL option.

User: cn=orcladmin

Password: password_to_connect_to_OID

 

Post-Provisioning Steps for Oracle Identity Manager

Perform the following task to ensure that Oracle Identity Manager works correctly after provisioning.

Add an Oracle Identity Manager Property

As a workaround for a bug in the Identity Management Provisioning tools (Bug 16667037), you must add an Oracle Identity Manager property. Perform the following steps:

 

1. Log in to the WebLogic Console.

2. Navigate to Environment -> Servers.

3. Click Lock and Edit.

 

4. Click on the server wls_oim1

5. Click on the Server Start subtab

 

6. Add the following to the Arguments field:

-Djava.net.preferIPv4Stack=true

7. Click Save.

8. Click Activate Changes.

9. Restart the managed server wls_oim1.

 

 

Post-Provisioning Steps for Oracle Access Manager

Updating Existing WebGate Agents

 

Update the OAM Security Model of all WebGate profiles, with the exception of Webgate_IDM and Webgate_IDM_11g, which should already be set.

To do this, perform the following steps:

1. Log in to the Oracle Access Manager Console as the Oracle Access Manager Administration user (oamadmin)

http://idmhost.paramlabs.com:7777/oamconsole

 

 

2. Click the System Configuration tab.

3. Expand Access Manager Settings – SSO Agents.

4. Click OAM Agents and select Open from the Actions menu.

5. In the Search window, click Search.

6. Click an Agent, for example: IAMSuiteAgent.

7. Set the Security value to the security model selected in the OAM Configuration screen of the Identity Management Provisioning Wizard.

Click Apply.

8. Restart the managed server wls_oam1

 

Update WebGate Configuration

 

To update the maximum number of WebGate connections, proceed as follows.

1. In the Oracle Access Manager Console, select the System Configuration tab.

2. Select Access Manager -> SSO Agents -> OAM Agent from the directory tree. Double-click or select the Open Folder icon.

3. On the displayed search page, click Search to perform an empty search.

4. Click the Agent Webgate_IDM.

5. Select Open from the Actions menu.

6. Set Maximum Number of Connections to 20

7. Set AAA Timeout Threshold to 5.

8. In the User Defined Parameters box, set client_request_retry_attempts to 11.

9. If the following Logout URLs are not listed, add them:

/oamsso/logout.html

/console/jsp/common/logout.jsp

/em/targetauth/emaslogout.jsp

 

 

 

10. Click Apply.

Repeat Steps 4 through 7 for each WebGate

 

Creating Oracle Access Manager Policies for WebGate 11g

 

In order to allow WebGate 11g to display the credential collector, you must add /oam to the list of public policies.

Proceed as follows:

 

1. Log in to the OAM console at: http://idmhost.paramlabs.com:7777/oamconsole

2. Select the Policy Configuration tab.

3. Expand Application Domains – IAM Suite

4. Click Resources.

5. Click Open.

 

6. Click New resource.

7. Provide the following values:

Type: HTTP

Description: OAM Credential Collector

Host Identifier: IAMSuiteAgent

Resource URL: /oam

Protection Level: Unprotected

Authentication Policy: Public Policy

8. Leave all other fields at their default values.

9. Click Apply

 

Passing Configuration Properties File to Oracle Fusion Applications

 

[fusion@idmhost ~]$ cd /app/oracle/config/fa/

[fusion@idmhost fa]$ ls -ltr idmsetup.properties

-rw-r--r-- 1 fusion dba 3548 Oct 26 02:42 idmsetup.properties

[fusion@idmhost fa]$ cp -pr idmsetup.properties idmsetup.properties.backup

 

OIF Configuration

OIF is optional and we will skip configuring it.

We will also skip “updating node manager for enterprise deployment” since we do not want to configure SSL yet.

 

Let’s confirm if OID and OHS are running fine.

[fusion@idmhost ~]$ /app/oracle/config/instances/oid1/bin/opmnctl status

Processes in Instance: oid1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
ovd1                             | OVD                |   14778 | Alive
oid1                             | oidldapd           |   15011 | Alive
oid1                             | oidldapd           |   14999 | Alive
oid1                             | oidldapd           |   14910 | Alive
oid1                             | oidmon             |   14780 | Alive
EMAGENT                          | EMAGENT            |   14777 | Alive

 

[fusion@idmhost ~]$ /app/oracle/config/instances/ohs1/bin/opmnctl status

Processes in Instance: ohs1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
ohs1                             | OHS                |   16798 | Alive

 

Validate OID and OVD

[fusion@idmhost bin]$ ldapbind -h idmhost.paramlabs.com -p 6501 -D "cn=orcladmin" -q

Please enter bind password:

bind successful

 

[fusion@idmhost bin]$ ldapbind -h idmhost.paramlabs.com -p 7501 -D "cn=orcladmin" -q -U 1

Please enter bind password:

bind successful

 

[fusion@idmhost bin]$ ldapbind -h idmhost.paramlabs.com -p 3060 -D "cn=orcladmin" -q

Please enter bind password:

bind successful

[fusion@idmhost bin]$ ldapbind -h idmhost.paramlabs.com -p 3131 -D "cn=orcladmin" -q -U 1

Please enter bind password:

bind successful

 

Validate Admin and managed Servers

Log in to the WebLogic console at http://idmhost:7777/console as the weblogic_idm user. Click on Servers.

 

 

You can see that all servers except OIF are running. This is the default configuration after IDM provisioning; since OIF is optional, we will not start it.

Log in to Enterprise Manager at http://idmhost:7777/em as the weblogic_idm user.

All components except OIF should be green.

Validate OIM by logging in to http://idmhost:7777/oim as the xelsysadm user.

 

 

This concludes our IDM host setup. We will now move on to the Fusion Applications host.

 


Nov 3rd, 2013 | Posted by Tushar Thakker | In Uncategorized
  1. Steve
    Oct 10th, 2014 at 18:46 | #1

    Tushar,

    I followed your example and it worked perfectly. However, can you give me advice on setting up Directory Integration Platform(DIP) in this configuration?

  2. Rahul
    Sep 30th, 2014 at 11:38 | #2

    Dear Tushar,

    During the step

    Post-Provisioning Steps for Oracle Access Manager
    Updating Existing WebGate Agents

    I shutdown the wls_oam1 from the Weblogic Console.

    Now I am getting the following error while opening any of the links related to EM, Console, oamconsole.

    Oracle Access Manager Operation Error
    The WebGate plug-in is unable to contact any Access Servers.
    Contact your website administrator to remedy this problem.

    Please let me know how to restart the wls_oam1.

    I followed oracle support and found one solution but it is not working.

    MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://idmhost.paramlabs.com:7777

    weblogic username: weblogic_idm
    password: Oracle123

    Kindly help me on the following issue.

    Many thanks

  3. loganathan
    Sep 3rd, 2014 at 14:24 | #5

    Dear Tushar,

    I completed all the phases without any error. I am trying to log in to the console and am getting the following error.

    URL :http://192.168.1.112:7777/console

    Oracle Access Manager Operation Error
    No message for The Access Server has returned a status that is unknown to the AccessGate .

    Contact your website administrator to remedy this problem.

    If I specify the host name instead of the IP

    URL: http://idmhost.fugodba.com:7777/console

    This webpage is not available

    Do I need to edit any files to make this work?

  4. Stuart
    Aug 28th, 2014 at 03:44 | #6

    Thanks for the sharing!

    I was wondering why I cannot log in to the OIM design console?

  5. riyaz
    Jun 26th, 2014 at 07:37 | #7

    Hi Tushar ,

    My Fusion instance is very, very slow. How do I resolve this? Please help me.

  6. Anand Ranganathan
    Feb 16th, 2014 at 04:12 | #8

    Hi Tushar,

    I finished the provisioning and did the changes on correcting the datasource configuration. After that you mentioned to restart the servers. I did the following.

    Started WebLogic
    nohup ./startManagedWebLogic.sh WLS_OAM1 &
    nohup ./startManagedWebLogic.sh wls_ods1 &
    nohup ./startManagedWebLogic.sh WLS_OIM1 &
    nohup ./startManagedWebLogic.sh WLS_SOA1 &

    Now I am unable to go into http://fusion:7777/console… it is no more recognized. All I could get is http://fusion:7001. WebLogic Server is working and starting.

    Can you let me know what error I made?

    Regards,

    Anand

  7. Magdy
    Jan 26th, 2014 at 16:22 | #13

    Dear Tushar,
    when I run ldapbind -h idmhost.paramlabs.com -p 3060 -D "cn=orcladmin" -q -U 1
    it succeeds, but when I run
    ldapbind -h idmhost.paramlabs.com -p 7501 -D "cn=orcladmin" -q -U 1
    it gives me ldap_bind: invalid credential
    ldap_binf: additional info: Anonymous bind disable

    and when I run
    ldapbind -h idmhost.paramlabs.com -p 7501 -D "cn=orcladmin" -q -U 1
    or
    ldapbind -h idmhost.paramlabs.com -p 3131 -D "cn=orcladmin" -q -U 1
    it gives me ldap_bind: local error

    Any suggestions?

    • tushar
      Jan 27th, 2014 at 04:29 | #14

      Dear Magdy,

      Your first command shows clear error message that you entered invalid credentials while validating. Please try again with correct password and it will work fine. Second set has again same command listed so kindly revisit the comment you posted. The last one is not correct port so ignore it.

      Regards
      Tushar

      • Magdy
        Jan 27th, 2014 at 05:52 | #15

        Dear Tushar,
        thank you very much for your fast response.
        I followed your steps exactly, so in this case should I use Oracle123 as the password, or is there another one?

        • tushar
          Jan 27th, 2014 at 05:56 | #16

          Yes whichever password you have selected during installation. We had selected Oracle123 and Param123 in different installations on this blog. You enter whichever you had selected.

          • Magdy
            Jan 27th, 2014 at 07:10 | #17

            Dear Tushar,
            I removed the OVD connection and created it again.
            It solved the problem for
            ldapbind -h idmhost.paramlabs.com -p 6501 -D "cn=orcladmin" -q

            but
            ldapbind -h idmhost.paramlabs.com -p 7501 -D "cn=orcladmin" -q
            is still giving the error ldap_bind: local error

        • tushar
          Jan 27th, 2014 at 07:13 | #18

          No issues. Go ahead with the installation. You are going to use 3060 only anyway.

          • Magdy
            Jan 27th, 2014 at 07:20 | #19

            thank you very much tushar

      • Magdy
        Jan 27th, 2014 at 05:59 | #20

        Dear Tushar,
        sorry for the mistake in the port number, it is 6051.
        When I run ldapbind -h idmhost.paramlabs.com -p 3060 -D "cn=orcladmin" -q -U 1
        it succeeds, but when I run
        ldapbind -h idmhost.paramlabs.com -p 6501 -D "cn=orcladmin" -q -U 1
        it gives me ldap_bind: invalid credential
        ldap_binf: additional info: Anonymous bind disable

        and when I run
        ldapbind -h idmhost.paramlabs.com -p 7501 -D "cn=orcladmin" -q -U 1

        it gives me ldap_bind: local error

  8. Magdy
    Dec 17th, 2013 at 09:17 | #21

    I tried to log in to http://idmhost.dohacables.com:7777/oamconsole from a remote computer and it gives me:
    Access Denied
    Access to administration console is restricted.

    When I tried it from the server it opened the console, but when I tried to log in using the username oamadmin and password Oracle123 it gave me the error:
    An incorrect username or Password was specialied

    • tushar
      Dec 17th, 2013 at 10:30 | #22

      Since IDM domain has SSO configured, if you are logged in to admin server or any other application then it might continue to use the same credentials when you open other consoles. For this, either login to the already logged-in console and logout before you launch oamconsole and if you don’t know where you are already logged on, just use http://:7777/oamsso/logout.html to manually logout.

      For oamconsole use the password which you have given during installation since Oracle123 is the password used by us during installation (11.1.6) and we used password Param123 for 11.1.7 but you could have specified other password.

      – Tushar

      • Magdy
        Dec 17th, 2013 at 12:23 | #23

        Thank you, Tushar, for your time and support.
        I followed your installation steps exactly but I am still facing a problem logging in to OAM due to the password. According to your steps, what is the password I should use to log in to the OAM console with the username oamadmin?

        • tushar
          Dec 18th, 2013 at 06:45 | #24

          Dear Magdy,
          In 11.1.6 we had manually created admin.conf but here the configuration file name will be different since it is automatically generated as part of the IDM provisioning. Also since you earlier got Apache bridge error, it means it was able to resolve odsm even with 7777 port but was not able to redirect since service was not properly started. Have you tried same thing again after restarting ODSM? You can also double-check for ODSM entry in the config files located in moduleconf directory

          Regards
          Tushar

  9. Magdy
    Dec 17th, 2013 at 07:53 | #25

    I can’t log in to http://idmhost.paramlabs.com:7777/odsm
    It gives me the following error:

    Failure of server APACHE bridge:

    No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.

