Previous: Configuring Oracle Identity and Access Management components 

Preparing OAM for integration

Create a file named config_oam2.props as follows.

[oracle@fusion bin]$ more config_oam2.props

WLSHOST: fusion

WLSPORT: 7001

WLSADMIN: weblogic

WLSPASSWD: Oracle123

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_OAMSOFTWAREUSER: oamLDAP

IDSTORE_OAMADMINUSER: oamadmin

PRIMARY_OAM_SERVERS: fusion:5575

WEBGATE_TYPE: ohsWebgate10g

ACCESS_GATE_ID: Webgate_IDM

OAM11G_IDM_DOMAIN_OHS_HOST:false

OAM11G_IDM_DOMAIN_OHS_PORT:7777

OAM11G_IDM_DOMAIN_OHS_PROTOCOL:http

OAM11G_WG_DENY_ON_NOT_PROTECTED: false

OAM_TRANSFER_MODE: open

OAM11G_OAM_SERVER_TRANSFER_MODE:open

OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp

OAM11G_OIM_WEBGATE_PASSWD: Oracle123

OAM11G_SERVER_LOGIN_ATTRIBUTE: uid

COOKIE_DOMAIN: .localdomain

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators

OAM11G_SSO_ONLY_FLAG: true

OAM11G_OIM_INTEGRATION_REQ: true

OAM11G_IMPERSONATION_FLAG:true

OAM11G_SERVER_LBR_HOST:fusion

OAM11G_SERVER_LBR_PORT:7777

OAM11G_SERVER_LBR_PROTOCOL:http

COOKIE_EXPIRY_INTERVAL: 120

OAM11G_OIM_OHS_URL:http://fusion:7777/

[oracle@fusion bin]$ export ORACLE_HOME=/app/fusion/fmw/iam

[oracle@fusion bin]$ export IDM_HOME=/app/fusion/fmw/idm

[oracle@fusion bin]$ export MW_HOME=/app/fusion/fmw

[oracle@fusion bin]$ export JAVA_HOME=/app/fusion/jdk6

[oracle@fusion bin]$ cd /app/fusion/fmw/iam/idmtools/bin/

[oracle@fusion bin]$ ./idmConfigTool.sh -configOAM input_file=config_oam2.props

Enter ID Store Bind DN password :

Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:

Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:

Enter User Password for IDSTORE_PWD_OAMADMINUSER:

Confirm User Password for IDSTORE_PWD_OAMADMINUSER:

The tool has completed its operation. Details have been logged to automation.log

Restart Weblogic Admin Server.

Create another file named user.props as follows.

[oracle@fusion bin]$ more user.props

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_ADMIN_USER: cn=orcladmin

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

PASSWORD_EXPIRY_PERIOD: 7300

[oracle@fusion bin]$ ./idmConfigTool.sh -upgradeLDAPUsersForSSO input_file=user.props

…

Enter Directory Type[OID]: OID

…

Finished parsing LDAP

LDAP Users Upgraded.

Remove Security Providers

If you have already configured signle sign-on for Administration Console then you must delete the security providers you created in that section. Otherwise this can be skipped since these providers will not be present. Still make sure that these do not exist.

1. Log in to the WebLogic Administration Console at:

http://fusion:7777/console

2. Click Security Realms from the Domain structure menu.

3. Click Lock and Edit in the Change Center.

4. Click myrealm.

5. Select the Providers tab.

Select the following providers:

OVDAuthenticator

OIDAuthenticator

OAMIDAssertor

6. Click Delete.

7. Click Yes to confirm deletion.

8. Restart the administration server and all managed servers if you had to delete the above otherwise you can continue to next step.

Integrate OIM and OAM

Create a new file named oimitg.props as follows.

[oracle@fusion bin]$ more oimitg.props

LOGINURI: /${app.context}/adfAuthentication

LOGOUTURI: /oamsso/logout.html

AUTOLOGINURI: None

ACCESS_SERVER_HOST: fusion

ACCESS_SERVER_PORT: 5575

ACCESS_GATE_ID: Webgate_IDM

COOKIE_DOMAIN: .localdomain

COOKIE_EXPIRY_INTERVAL: 120

OAM_TRANSFER_MODE: open

WEBGATE_TYPE: ohsWebgate10g

SSO_ENABLED_FLAG: true

IDSTORE_PORT: 3060

IDSTORE_HOST: fusion

IDSTORE_DIRECTORYTYPE: OID

IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=localdomain

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

MDS_DB_URL: jdbc:oracle:thin:@fusion:1521:fusiondb

MDS_DB_SCHEMA_USERNAME: dev_mds

WLSHOST: fusion

WLSPORT: 7001

WLSADMIN: weblogic

DOMAIN_NAME: IDMDomain

OIM_MANAGED_SERVER_NAME: wls_oim1

DOMAIN_LOCATION: /app/fusion/admin/IDMDomain/aserver/IDMDomain

[oracle@fusion bin]$ ./idmConfigTool.sh -configOIM input_file=oimitg.props

Enter sso access gate password :

Enter mds db schema password :

Enter idstore admin password :

Enter admin server user password :

…

…

Changes Activated. Edit session ended.

Connection closed sucessfully

The tool has completed its operation. Details have been logged to automation.log

Have a look at the automation.log if there are any errors. There should not be any.

Restart Admin server and all managed servers.

Manually Creating CSF Keys

1. Log into Oracle Enterprise Manager Fusion Middleware Control at:

http://fusion/em

2. Navigate to FARM_IDMDomain – Weblogic Domain

3. Click IDMDomain.

4. When the summary screen is displayed, select Security – Credentials from the list.

5. Click the credential key oim and click Create Key. Create the following keys:

SSOAccessKey

Field Value

Map oim

Key SSOAccessKey

Type Password

User Name SSOAccessKey

Password Value of OAM11G_OIM_WEBGATE_PASSWD

Description OAMAccessGatePassword

Before validating integration we must do the following.

Assigning IDM Administrators Group to Weblogic Administration Groups

1. Log in to the WebLogic Administration Server Console.

2. In the left pane of the console, click Security Realms.

3. On the Summary of Security Realms page, click myrealm under the Realms table.

4. On the Settings page for myrealm, click the Roles & Policies tab.

5. On the Realm Roles page, expand the Global Roles entry under the Roles table.

This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.

6. On the Global Roles page, click the Admin role to go to the Edit Global Role page:

a. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

b. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

c. On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.

7. Click Finish to return to the Edit Global Rule page.

8. The Role Conditions table now shows the IDM Administrators Group as an entry.

9. Click Save to finish adding the Admin role to the IDM Administrators Group.

10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

Important Note: If you skip the above step then you may get following error while accessing fusion:7777/em with weblogic_idm user

“User is not authorized to login to WebLogic Domain. User should be part of one or more Administrative roles to be able to login.”

 

Install webgate

[oracle@fusion webgate]$ cd /mnt/fusion/installers/webgate

./Oracle_Access_Manager10_1_4_3_0_linux64_OHS11g_WebGate –gui

[Make sure you supply -gui argument]

Welcome screen appears. Click Next

Enter Username as “oracle” and group “oinstall“. Click Next

Enter the values as above and click Next

Review the above information and click Next

Supply the values as above but before clicking Next, open a new terminal window and execute following steps to create symbolic links in the desired directory.

[oracle@fusion oam_lib]$ mkdir /app/fusion/oam_lib

[oracle@fusion oam_lib]$ ln -s /usr/lib64/libstdc++.so.5 /app/fusion/oam_lib/libstdc++.so.5

[oracle@fusion oam_lib]$ ln -s /lib64/libgcc_s.so.1 /app/fusion/oam_lib/libgcc_s.so.1

Once done, click Next

The installation will finish and will automatically take you to the next screen.

Select Open Mode and click Next

Enter the values as follows and click Next.

WebGate ID: Webgate_IDM

Password: Oracle123 (or any desired password)

Access Server ID: wls_oam1

Host name: fusion

Port number (proxy port): 5575

Select Yes to proceed with automatic update of httpd.conf with webgate parameters. Click Next

Specify the httpd.conf location from the OHS instance directory. You can take a backup of this file in another terminal window if you want. Click Next

Click Next

Click Next

Click Next

Click Next

Click Finish to complete the installation.

Copy the following files to Webgate.

[oracle@fusion bin]$ cp -p /app/fusion/fmw/oam/webgate/access/oblix/lib/ObAccessClient.xml /app/fusion/fmw/oam/webgate/access/oblix/lib/ObAccessClient.xml.bak

[oracle@fusion bin]$ cp -p /app/fusion/admin/IDMDomain/aserver/IDMDomain/output/Webgate_IDM/ObAccessClient.xml /app/fusion/fmw/oam/webgate/access/oblix/lib/

[oracle@fusion Webgate_IDM]$ cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/output/Webgate_IDM

[oracle@fusion Webgate_IDM]$ cp logout.html /app/fusion/fmw/oam/webgate/access/oamsso/

Comment out following lines from /app/fusion/admin/ohs_inst/config/OHS/ohs1/httpd.conf

#<LocationMatch “/oamsso/*”>

#Satisfy any

#</LocationMatch>

Restart HTTP server

This concludes the integration between OIM and OAM.

Next: Creating a New Provisioning Plan

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Creating a New Provisioning Plan

Workarounds to be done before proceeding to provision the environment.

Issue: You may encounter following error during Postconfigure stage of provisioning.

“Either topology server is down or topology app needed for Flex Field artifact generation is down”

Workaround: 

In the provisioning-build/base-fusion-app-build.xml file, change the timeout value for the flex.lck parameter from 1800 seconds to 5400 seconds.
The timeout value for flex.lck parameter should be modified as follows:
<synchronized lockFile=”${provisioning.setup.common.core.locks.path}/flex.lck” timeout=”5400″>

change the waitfor maxwait value from 120 minutes to 300 minutes.
The waitfor maxwait value should be modified as follows:
<waitfor maxwait=”300″ maxwaitunit=”minute” checkevery=”1″ checkeveryunit=”second”>

[oracle@fusion ~]$ cd /app/fusion/provisioning/bin/

[oracle@fusion bin]$
./provisioningWizard.sh -ignoreSysPrereqs true &

Important Note:
Please note that we will use ignoresysPrereqs flag since we need to skip OVD error.

Welcome Screen appears. Click Next

Select “Provision an Applications Environment”. Browse for the plan we created in last step. Click Next

Provide an appropriate name and custom version for your reference. Click Next

Make sure that the directory where we are planning to install Fusion applications is owned by the installation user.

[root@fusion ~]# mkdir /fusion

[root@fusion ~]# chown -R oracle:dba /fusion

Following details will be populated based on the plan you selected. Verify the same.

User Name: weblogic

Password and confirm password: Oracle123 (or one you have selected)

Installation Directory Location: /mnt/fusion

Oracle Fusion Applications Home: /fusion or use any location of your choice

Applications Configuration Directory: <fusion applications home>/instance

Enable local application configuration: Unchecked

Webgate library location: /app/fusion/oam_lib

Default IDM Configuration using IDM properties file: Checked

RDP Password: Oracle123 or whichever you selected

Click Next

If you want to review or modify any of the sections of provisioning plan then you can select then otherwise leave all unchecked and click Next

Summary screen will appear. Click Next to begin preverify phase.

One error will appear. You can safely ignore this. We have confirmed the same with Oracle.

1. OVD : Cannot perform OVD validations as Cannot bind to OVD with URL

Click Next to begin installation phase.

Once installation finishes, click Next to start Preconfigure phase.

Once preconfigure finishes, click Next to start configure phase.

Even though all products configuration is done still you may not see the Next button immediately. Don’t worry it is taking backup of the instance in the background !

At the end of every phase it will create a backup of the instance directory in following folders.

<fusion applications home>/restore/backup_preconfigure

<fusion applications home>/restore/backup_configure

<fusion applications home>/restore/backup_configure-secondary

Etc

Here we go. Once configure phase finishes, click Next to start configure secondary phase. Don’t worry, we know that we have only one node but still this phase is mandatory and it will finish successfully.

Click Next to continue.

Once Postconfigure finishes, click Next to startup the components. [ To be continued..]

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

http://www.oratraining.com/blog/2012/02/configuring-oracle-identity-and-access-management-components/

Oracle Fusion Applications Installation: Configuring Oracle Identity and Access Management components

Previous: Installing Oracle Identity and Access Management Components

Configuring Oracle Identity Management components” can be divided into following tasks.

1. Configuring the Web Tier
2. Create Weblogic Domain for Identity Management
3. Extending the Domain with Oracle Internet Directory
4. Extending the Domain with Oracle Directory Service Manager (ODSM)
5. Extending the Domain with Oracle Virtual Directory
6. Extending the Domain with Oracle Access Manager
7. Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite
8. Installing and Configuring WebGate

Please note that this post is going to be long so allow time to load all images.

Configuring the Web Tier

Start the configuration from <Web_Home>/bin

[oracle@fusion bin]$ cd /app/fusion/bea_default/Oracle_WT1/bin

[oracle@fusion bin]$ ./config.sh

Click Next

Select “Oracle HTTP Server” and click Next

For Instance location enter “/app/fusion/bea_default/instances” since we will keep all instances in this location. Provide any appropriate Instance name and OHS component name. We will go for the defaults. Click Next

Select “Specify Ports using Configuration File” and enter file name as /home/oracle/staticports.ini

Now we will copy staticports.ini default file from <repository_location>/installers/webtier/Disk1/stage/Response to home directory /home/oracle

cp /mnt/fusion/installers/webtier/Disk1/stage/Response/staticports.ini ~/staticports.ini

Now click on “View/Edit File” to edit this file.

Uncomment and set the following values. Click Save

OPMN Local Port = 6700

OHS Port = 7777

Click Next

Deselect email notification and click Next

Save summary if needed and click Configure to start configuration.

Important Note: If SELinux is enabled in your Linux operating System then it will throw an error. Since we already disabled it during installation, we will not see that error here.

Once installation finishes, click Next

Save installation summary if needed and click Finish to complete the installation.

It would have already started HTTP server now. We can verify the same.

[oracle@fusion instances]$ ps -ef | grep http

oracle 3521 3491 0 10:06 ? 00:00:00 /app/fusion/bea_default/Oracle_WT1/ohs/bin/httpd.worker -DSSL

oracle 3547 3521 0 10:06 ? 00:00:00 /app/fusion/bea_default/Oracle_WT1/ohs/bin/httpd.worker -DSSL

oracle 3548 3521 0 10:06 ? 00:00:00 /app/fusion/bea_default/Oracle_WT1/ohs/bin/httpd.worker -DSSL

oracle 3549 3521 0 10:06 ? 00:00:00 /app/fusion/bea_default/Oracle_WT1/ohs/bin/httpd.worker -DSSL

Check /app/fusion/bea_default/Oracle_WT1/instances/instance1/config/OHS/ohs1/httpd.conf to make sure it reflects correct user and group name

User oracle

Group oinstall

We can launch http://fusion:7777 (Homepage of Oracle HTTP server) now. It will look as follows.

Create Weblogic Domain for Identity Management

Start the configuration from <Middleware Home>/oracle_common/commin/bin

[oracle@fusion bin]$ /app/fusion/bea_default/oracle_common/common/bin/config.sh

Select “Create a new Weblogic domain” and click Next

Select “Oracle Enterprise Manager – 11.1.1.0 [oracle_common]” and “Oracle JRF – 11.1.1.0 [oracle_common]” and click Next

Enter details as above or accept default values and click Next.

Since it accepts minimum 8 characters set password again to
oracle123. Please note that you can also change username from weblogic but in future whenever we refer to weblogic user you must enter the new user which selected. We will go for default “weblogic” username

You would see option of Oracle JRockit here. So select that JDK in this list.

Select “Administration Server” and “Managed Servers, Clusters and Machines”. Click Next

Keep defaults but make a note of the port since this will be widely used during next part of installation. Click Next

Just click Next

Click Next again

Select Second Tab “Unix Machine” and enter the hostname as above. Click Next

Click on AdminServer and Click right arrow. Click Next

It will now look as above. Click Next

On Summary page click Create

Once installation finishes, click Done

Make sure that the encrypted username and password values are already in boot.properties

[oracle@fusion security]$ more /app/fusion/bea_default/user_projects/domains/IDM_domain/servers/AdminServer/security/boot.properties

# Generated by Configuration Wizard on Mon Jan 23 10:59:07 GST 2012

username={AES}zaXc3+4y2KGuxnK6WkI7ehKcliQDeandkjdTdu0vpuY=

password={AES}WZ6Zo+j6aGoCyE2nQmCCdboEkA8TDGRlagdSqFGRedo=

Set StartScriptEnabled=true in nodemanager.properties by running following script

[oracle@fusion bin]$ cd /app/fusion/bea_default/oracle_common/common/bin

[oracle@fusion bin]$ ./setNMProps.sh

Appending required nodemanager.properties

Verify the change.

[oracle@fusion bin]$ tail -f /app/fusion/bea_default/wlserver_10.3/common/nodemanager/nodemanager.properties

#Required NM Property overrides (append to existing nodemanager.properties)

StartScriptEnabled=true

Start Node manager

[oracle@fusion bin]$ cd /app/fusion/bea_default/wlserver_10.3/server/bin

[oracle@fusion bin]$ nohup ./startNodeManager.sh &

…

IDM_domain -> /app/fusion/bea_default/user_projects/domains/IDM_domain

…

INFO: Secure socket listener started on port 5556

Start Weblogic AdminServer

[oracle@fusion bin]$ nohup
/app/fusion/bea_default/user_projects/domains/IDM_domain/bin/startWebLogic.sh &

tail nohup.out file until it shows following message.

<Jan 23, 2012 11:55:21 AM GST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>

Open Weblogic Admin Console

Launch Weblogic Admin console through
http://fusion:7001/console

Login with weblogic/oracle123

Note: Go to preferences and change “automatic acquire lock” settings to avoid accidental changes since we are in development mode.

Configuring HTTP server for the Administration Server

Create a new file admin.conf as follows.

[oracle@fusion moduleconf]$ more /app/fusion/bea_default/Oracle_WT1/instances/instance1/config/OHS/ohs1/moduleconf/admin.conf

<VirtualHost *:7777>

ServerName fusion:7777

ServerAdmin you@your.address

RewriteEngine On

RewriteOptions inherit

RewriteRule ^/console/jsp/common/logout.jsp /oamsso/logout.html [PT]

RewriteRule ^/em/targetauth/emaslogout.jsp /oamsso/logout.html [PT]

# Admin Server and EM

<Location /console>

SetHandler weblogic-handler

WebLogicHost fusion

WeblogicPort 7001

</Location>

<Location /consolehelp>

SetHandler weblogic-handler

WebLogicHost fusion

WeblogicPort 7001

</Location>

<Location /em>

SetHandler weblogic-handler

WebLogicHost fusion

WeblogicPort 7001

</Location>

</VirtualHost>

Restart http server.

ORACLE_HOME=/app/fusion/bea_default/Oracle_WT1

export ORACLE_HOME

ORACLE_INSTANCE=/app/fusion/bea_default/Oracle_WT1/instances/instance1

export ORACLE_INSTANCE

PATH=$ORACLE_HOME/opmn/bin:$PATH

export PATH

 

opmnctl stopall

opmnctl startall

Now we need to Register HTTP server with Weblogic Server so that Enterprise Manager can monitor the instance.

[oracle@fusion ~]$ opmnctl registerinstance -adminHost fusion -adminport 7001 -adminUsername weblogic

Command requires login to weblogic admin server (fusion):

Username: weblogic

Password:

…

Done

Registering instance

Command succeeded.

Note: We will not enable load-balancer access since we have skipped load-balancing in this single node installation guide.

Enable Weblogic Plugin

Log in the Oracle Weblogic Server Administration and click on Lock and Edit. Click on IDMDomain and Click on Configuration tab and then select the Web Applications tab.

Scroll down and enable “Weblogic Plug-in Enabled”.

Click on Save and Activate the Changes.

Restart the Weblogic Administration Server.

Extending the Domain with Oracle Internet Directory

Start the configuration from <IDM Oracle Home/bin

[oracle@fusion bin]$ cd /app/fusion/bea_default/Oracle_IDM1/bin

[oracle@fusion bin]$ ./config.sh &

Click Next

Select “Configure Without A Domain” and click Next

Make sure to select any directory inside MW_HOME/instances. You can accept default for Instance Name. Click Next

Deselect email notification and click Next

Select only “Oracle Internet Directory” and click Next

Select “Specify Ports using Configuration File” and enter file name as /home/oracle/staticports.ini

In another terminal window copy the staticports.ini file to home directory.

[oracle@fusion bin]$ cp /app/fusion/provisioning/idm/idm/Disk1/stage/Response/staticports.ini ~/

Click on View/Edit file

VERY IMPORTANT:

As per Oracle Manual we should Change it to as follows.

#The Non-SSL port for OID

Oracle Internet Directory Port No = 389

#The SSL port for OID

Oracle Internet Directory (SSL) Port No = 636

 

But OID fails to configure and start at the end of installation with these values so we will stick to the OID values for 11g in the staticports.ini and just remove the comments.

 

#The Non-SSL port for OID

Oracle Internet Directory Port No = 3060

#The SSL port for OID

Oracle Internet Directory (SSL) Port No = 3061

Click Save

Once saved, click Next

Enter oracle123 or any suitable password. If you are using different passwords then please make a note of all of them. Click Next

Since we are not using any domains as such but as we have added an entry in our hosts file for fusion.localdomain, we will add “dc=localdomain” for Realm. Enter oracle123 or any suitable password. Click Next

Save summary if needed and click Configure to start configuration.

Once installation finishes, click Next

Save installation summary if needed and click Finish to complete the installation.

Validate the OID installation

[oracle@fusion ~]$ export ORACLE_HOME=/app/fusion/bea_default/Oracle_IDM1

[oracle@fusion ~]$ export ORACLE_INSTANCE=/app/fusion/bea_default/instances/oid_inst1

[oracle@fusion ~]$ export PATH=$ORACLE_HOME/opmn/bin:$ORACLE_HOME/bin:$ORACLE_HOME/ldap/bin:$ORACLE_HOME/ldap/admin:$PATH

[oracle@fusion ~]$ ldapbind -h fusion -p 3060 -D “cn=orcladmin” -q

Please enter bind password:

bind successful

[oracle@fusion ~]$ ldapbind -h fusion -p 3061 -D “cn=orcladmin” -q -U 1

Please enter bind password:

bind successful

[oracle@fusion ~]$ opmnctl status

Processes in Instance: oid_inst1

———————————+——————–+———+———

ias-component | process-type | pid | status

———————————+——————–+———+———

oid1 | oidldapd | 19810 | Alive

oid1 | oidldapd | 19798 | Alive

oid1 | oidmon | 19785 | Alive

EMAGENT | EMAGENT | 19325 | Alive

Registering Oracle Internet Directory with the WebLogic Server Domain

[oracle@fusion ~]$ echo $ORACLE_HOME

/app/fusion/bea_default/Oracle_IDM1

[oracle@fusion ~]$ echo $ORACLE_INSTANCE

/app/fusion/bea_default/instances/oid_inst1

[oracle@fusion ~]$ opmnctl registerinstance -adminHost fusion -adminPort 7001 -adminUsername weblogic

Command requires login to weblogic admin server (fusion):

Username: weblogic

Password:

Registering instance

Command succeeded.

Note: We have skipped next steps related to SSL since we are setting up non-SSL connections here.

Update the Enterprise Manager Repository URL

Next we will update the Enterprise Manager Repository URL using the emctl utility with the switchOMS flag. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

[oracle@fusion ~]$ cd /app/fusion/bea_default/instances/oid_inst1/EMAGENT/EMAGENT/bin

[oracle@fusion bin]$ ./emctl switchOMS http://fusion:7001/em/upload

Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.

Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.

SwitchOMS succeeded.

We can now verify whether this instance is registered for monitoring agent.

Login to http://fusion:7001/em

Click on Farm->Agent monitored targets.

You should be able to see the OID instance under this. Make sure that the Agent URL is showing up fine. If the status shows as “Need Configuration” then click on Configure and then in next screen enter weblogic user credentials. It should now show the correct Agent URL.

Extending the Domain with Oracle Directory Service Manager (ODSM)

Start the configuration from <IDM Oracle Home>/bin

[oracle@fusion bin]$ cd /app/fusion/bea_default/Oracle_IDM1/bin

[oracle@fusion bin]$ ./config.sh &

Click Next

Select “Extend Existing Domain” and enter details of existing weblogic Server and AdminServer port. Click Next

You can ignore this error since we created this domain using the Identity Management installer. Click Yes to ignore.

Verify that the weblogic server directory shown is correct as per previous steps. Specify name and path for Oracle Directory Service instance. Make sure to keep the instance in same parent directory as previous instances. Click Next

Deselect email notification and click Next

Select Oracle “Directory Service Manager” and click Next

Select “Specify Ports using Configuration File” and enter file name as /home/oracle/staticports.ini

Meanwhile in another terminal window copy the staticports.ini to home directory.

[oracle@fusion bin]$ cp -p /app/fusion/provisioning/idm/idm/Disk1/stage/Response/staticports.ini ~/

Uncomment the ODS Server Port and keep it default 7006. Click Save.

Once Saved click Next.

Save summary if needed and click Configure to start configuration.

Once installation finishes, click Next

Save installation summary if needed and click Finish to complete the installation.

Password-less startup for ODS

cd /app/fusion/bea_default/user_projects/domains/IDM_domain/servers/wls_ods1/security

cp ../../AdminServer/security/boot.properties .

cd /app/fusion/bea_default/user_projects/domains/IDM_domain/bin

nohup ./startManagedWebLogic.sh wls_ods1

Now you can access ODS homepage at http://fusion:7006/odsm/faces/odsm.jspx (as per the above post-installation summary screen)

Register ODS with OID

Click on Connect to a directory -> Create A New Connection

Enter the details for OID.

Name: fusion-oid

Server: fusion

SSL Enabled: Unchecked

User Name: cn=orcladmin

Password: oracel123

Start Page: Home

Click Connect

Once connection is successful, you should be able to see OID page.

You can randomly check whether you are able to see details of any user, for example cn=orcladmin

Configuring Oracle HTTP Servers to Access the ODSM Console

[oracle@fusion moduleconf]$ cd /app/fusion/bea_default/Oracle_WT1/instances/instance1/config/OHS/ohs1/moduleconf

[oracle@fusion moduleconf]$ vi admin.conf

# Append following lines in admin.conf

<Location /odsm>
SetHandler weblogic-handler
# WebLogicCluster fusion:7006
WebLogicHost fusion
WeblogicPort 7006
</Location>

Note: The reason we have kept commented cluster entries is that in case if you have setup cluster then you can use cluster entry instead of standalone entry.

Restart HTTP server.

Now we can access ODSM through http://fusion:7777/odsm/faces/odsm.jspx

Extending the Domain with Oracle Virtual Directory

Start the configuration from <IDM Oracle Home>/bin

[oracle@fusion ~]$ cd /app/fusion/bea_default/Oracle_IDM1/bin/

[oracle@fusion bin]$ ./config.sh &

Click Next

Select “Configure Without A Domain“. Click Next

Provide values for Oracle Virtual Directory (OVD) instance. You can accept default values. Click Next

Deselect email notification and click Next

Select “Oracle Virtual Directory” and click Next

Select “Specify Ports using Configuration File” and enter file name as /home/oracle/staticports.ini

Open a separate terminal/putty window and copy staticports.ini file to home directory.

[oracle@fusion ~]$ cp /app/fusion/provisioning/idm/idm/Disk1/stage/Response/staticports.ini ~/

Click on View/Edit.

Edit the staticports.ini file to assign ports 6501 and 7501, as follows.

# The non-SSL port for Oracle Virtual Directory

Oracle Virtual Directory port = 6501

# The SSL port for Oracle Virtual Directory

Oracle Virtual Directory (SSL) port = 7501

Click Save and then Next

Provide OID login details.

Uncheck “Configure Administrative Server in secure mode” since we are not using SSL anywhere in this installation. Click Next

Click Ok

Save summary if needed and click Configure to start configuration.

Once installation finishes, click Next

Save installation summary if needed and click Finish to complete the installation.

Registering OVD with the Oracle WebLogic Server Domain

[oracle@fusion bin]$ cd /app/fusion/bea_default/instances/ovd_inst1/bin

[oracle@fusion ~]$ export ORACLE_HOME=/app/fusion/bea_default/Oracle_IDM1

[oracle@fusion ~]$ export ORACLE_INSTANCE=/app/fusion/bea_default/instances/ovd_inst1

[oracle@fusion bin]$ ./opmnctl registerinstance -adminHost fusion -adminPort 7001 -adminUsername weblogic

Command requires login to weblogic admin server (fusion):

Username: weblogic

Password:

Registering instance

Command succeeded.

Update the Enterprise Manager Repository URL using the emctl utility with the switchOMS flag.

The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

[oracle@fusion bin]$ cd /app/fusion/bea_default/instances/ovd_inst1/EMAGENT/EMAGENT/bin

[oracle@fusion bin]$ ./emctl switchOMS http://fusion:7001/em/upload

Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.

Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.

SwitchOMS succeeded.

We can now verify whether this instance is registered for monitoring agent.

Login to http://fusion:7001/em

Click on Farm->Agent monitored targets.

You should be able to see the OID and OVD instances under this. Make sure that the Agent URL is showing up fine. If the status shows as “Need Configuration” then click on Configure and then in next screen enter weblogic user credentials. It should now show the correct Agent URL.

Validate the Oracle Virtual Directory Instances

[oracle@fusion ~]$ export ORACLE_HOME=/app/fusion/bea_default/Oracle_IDM1

[oracle@fusion ~]$ export ORACLE_INSTANCE=/app/fusion/bea_default/instances/ovd_inst1

[oracle@fusion ~]$ export PATH=$ORACLE_HOME/opmn/bin:$ORACLE_HOME/bin:$ORACLE_HOME/ldap/bin:$ORACLE_HOME/ldap/admin:$PATH

[oracle@fusion bin]$ ldapbind -h fusion -p 6501 -D “cn=orcladmin” –q

Please enter bind password:

bind successful

[oracle@fusion bin]$ ldapbind -h fusion -p 7501 -D “cn=orcladmin” -q -U 1

Please enter bind password:

SSL handshake failed

This is fine since we did not configure SSL mode.

Creating ODSM connections to Oracle Virtual Directory

Open http://fusion:7777/odsm/faces/odsm.jspx

Click Connect to a directory -> Create a new connection

Enter details of OVD here.

Name: fusion-ovd

Host: fusion

Port: 8899

SSL Enabled: Unchecked

User Name: cn=orcladmin

Password: oracle123

Start Page: Home

Click Connect

It will display OVD home page.

Note: We are skipping the adapter creation for now. We will create them later once needed.

Extending the Domain with Oracle Access Manager

Start the configuration from <Middleware Home/oracle_common/commin/bin

[oracle@fusion bin]$ cd /app/fusion/bea_default/oracle_common/common/bin

[oracle@fusion bin]$ ./config.sh

Click “Extend an existing WebLogic domain” and click Next

Scroll down and select user_projects->domains->IDM_domain. Click Next

Select only “Oracle Access Manager with Database Policy Store” and click on Next.

Here you need to provide the database connection details and choose schema owner username. You can keep the name default but make sure to keep a note of it since you will need this later. Choose a password for example oracle123. Click Next

Now it will test the database connectivity through JDBC.

Once successful, click Next

Select “Managed Servers, Clusters and Machines” only and click Next

The first row was from previous configuration of ODS and now there will be another row for OAM. Keep the default port and make a note of it. Enter wls_oam1 for the instance name (or whichever you chose while creating instance) and click Next

Just click Next

On the “Machines” tab make sure that correct hostname is entered. Click Next

Select wls_oam1 and click the right arrow.

Now it should look as above. Click Next

On the summary page Click Extend.

Click OK Since we are aware that these are correct ports being used by AdminServer and wls_ods1 instance.

Once configuration finishes, click Done.

You can start the managed server by using following command.

[oracle@fusion bin]$ cd /app/fusion/bea_default/user_projects/domains/IDM_domain/bin

[oracle@fusion bin]$ ./startManagedWebLogic.sh wls_oam1

This will create the directory /app/fusion/bea_default/user_projects/domains/IDM_domain/servers/wls_oam1

Press CTRL+C to stop the process since we will need to configure startup without password prompt.

[oracle@fusion wls_oam1]$ cd /app/fusion/bea_default/user_projects/domains/IDM_domain/servers/wls_oam1

[oracle@fusion wls_oam1]$ cp ../wls_ods1/security/ boot.properties .

Now we can start the managed server without prompting for password.

[oracle@fusion bin]$ cd /app/fusion/bea_default/user_projects/domains/IDM_domain/bin

[oracle@fusion bin]$ nohup ./startManagedWebLogic.sh wls_oam1 &

Configuring Oracle HTTP Servers to Display Login Page and Oracle Access Manager Console

Append following entries in /app/fusion/bea_default/Oracle_WT1/instances/instance1/config/OHS/ohs1/moduleconf/admin.conf

 <Location /oam>

SetHandler weblogic-handler

#WebLogicCluster fusion:14100

WebLogicHost fusion

WeblogicPort 14100

</Location>

 

<Location /oamconsole>

#SetHandler weblogic-handler

WebLogicHost fusion

WebLogicPort 7001

</Location>

Note: The reason we have kept commented cluster entries is that in case if you have setup cluster then you can use cluster entry instead of standalone entry.

Restart HTTP Server to bring this to effect.

Note: There are few other steps as well as per Oracle documentation but we will skip them for now.

Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite

Start the configuration from <Middleware Home/oracle_common/common/bin

[oracle@fusion bin]$ cd /app/fusion/bea_default/oracle_common/common/bin

[oracle@fusion bin]$ ./config.sh &

Select “Extend an existing WebLogic domain” and click Next

Scroll down and select user_projects->domains->IDM_domain and click Next

Select Oracle Identity Manager. It will automatically select Oracle SOA Suite and Oracle WSM. Click Next

Check all to modify all entries together. Provide database connect details and select a password for all. Accept default value for Schema owner names. Click Next

Now it will test the database connectivity through JDBC.

Once JDBC test is successful, click Next

Select only “Managed Servers, Clusters and Machines” and click Next

Add entries for soa_server1 and oim_server1. As per Oracle documentation you can change them to wls_soa1 and wls_oim1 as well. But here we have kept them as default.

Note the ports and click Next.

Just click Next

Since we are using Linux/Unix machine, delete entry from above screen. And proceed to Unix Machine tab.

Make sure correct hostname is entered here. Click Next

Select oim_server1 and soa_server1 and click right arrow. (if you had renamed them to wls_oim1 and wls_soa1 then you will see those entries instead of this)

The screen will now look like above. Click Next

On Summary screen click Next

Click OK

Once configuration finishes, click Done

Configuring Oracle Identity Manager

Now we will configure the Identity Manager from <IAM Oracle Home>/bin

[oracle@fusion bin]$ cd /app/fusion/bea_default/Oracle_IAM/bin

[oracle@fusion bin]$ ./config.sh &

Click Next

Select only OIM Server and click Next

Enter database details in shown format “fusion:1521:fusiondb“. Select Schema names (keep default) and enter password (oracle123). Make sure to keep a note of these schema names DEV_OIM and DEV_MDS. We will need these later during provisioning plan. Click Next

Enter AdminServer details in t3://<hostname>:<port> format. Here t3://fusion:7001

Important Note: Before clicking next make sure that AdminServer is running otherwise it may throw following error on next page. Start or restart AdminServer if you see this error.

INST-6180: Error while retrieving OIM Managed Server URL from the domain.

Click Next

Enter passwords as follows and keep a note of them since we will require them in provisioning wizard.

OIM Admin password: Oracle123

Keystore Password: oracle123

Enter OIM HTTP URL as http://fusion:14000 (based on port value in previous configuration step). Click Next

Deselect both and click Next

Save the summary if required and click Configure.

Once configuration finishes click Next

Save the configuration summary if needed and click Finish to complete the configuration.

Configuring Oracle HTTP Servers for Oracle Identity Manager and SOA

Append following entries in /app/fusion/bea_default/Oracle_WT1/instances/instance1/config/OHS/ohs1/moduleconf/admin.conf

# oim admin console(idmshell based)
<Location /admin>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster fusion:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
# oim self and advanced admin webapp consoles(canonic webapp)
<Location /oim>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster oimvhn1:14000,oimvhn2:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
# SOA Callback webservice for SOD – Provide the SOA Managed Server Ports
<Location /sodcheck>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster soavhn1:8001,soavhn2:8001
WebLogicHost fusion
WebLogicPort 8001
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
<Location /workflowservice>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster oimvhn1:14000,oimvhn2:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
# xlWebApp – Legacy 9.x webapp (struts based)
<Location /xlWebApp>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster oimvhn1:14000,oimvhn2:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
# Nexaweb WebApp – used for workflow designer and DM
<Location /Nexaweb>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster oimvhn1:14000,oimvhn2:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
# used for FA Callback service.
<Location /callbackResponseService>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster oimvhn1:14000,oimvhn2:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
# spml xsd profile
<Location /spml-xsd>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster oimvhn1:14000,oimvhn2:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>
<Location /HTTPClnt>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WLCookieName oimjsessionid
#WebLogicCluster oimvhn1:14000,oimvhn2:14000
WebLogicHost fusion
WebLogicPort 14000
WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”
</Location>

Note: The reason we have kept commented cluster entries is that in case if you have setup cluster then you can use cluster entry instead of standalone entry.

Restart HTTP Server to bring this to effect.

Installing and Configuring WebGate

Start Webgate 10g installation from <repository_location>/installers/webgate

[oracle@fusion webgate]$ cd /mnt/fusion/installers/webgate

[oracle@fusion webgate]$ ./Oracle_Access_Manager10_1_4_3_0_linux64_OHS11g_WebGate –gui

Click Next

Enter the OS oracle user details. Click Next

Select a path where you want to install webgate. We have selected /app/fusion/webgate. Click Next

Click Next

Open a new terminal/putty window and execute following commands. Once done enter the location /app/fusion/oam_lib in this screen and click Next to start the installation.

[oracle@fusion oam_lib]$ mkdir /app/fusion/oam_lib

[oracle@fusion oam_lib]$ ln -s /usr/lib64/libstdc++.so.5 /app/fusion/oam_lib/libstdc++.so.5

[oracle@fusion oam_lib]$ ln -s /lib64/libgcc_s.so.1 /app/fusion/oam_lib/libgcc_s.so.1

Now WebGate Configuration will start. Select “Open Mode” and click Next

Since this screen requires WebGate ID from Access Manager. We need to first create a Webgate Agent in Access Manager. So keep this Java window open and open Oracle Access Manager Console in browser by entering http://fusion/oamconsole or http://fusion:7777/oamconsole

Note: We could have done this before starting Webgate installation as well but keeping it here in the guide gives you an idea where we are going to this configuration. Next time when you install, you can do this step before itself.

Login with weblogic admin user.

Once logged under SSO Agents, click on New “OAM 10g Webgate” (since we are installing 10g webgate).

Enter name: Webgate_sso or any name

Base URL: http://fusion:7777

Host Identifier: Webgate_sso

Security: Open

Uncheck all 3 options on right.

Click Apply

Now Edit the same Webgate Agent again. It will show following screen.

We did not put domain since we are using only http://fusion

Change Max Connections to 4

Logout URL: Enter following values.

/oamconsole/logout.html

/console/jsp/common/logout.jsp

/em/targetauth/eamlogout.jsp

Click Apply

Once webgate Agent is created in OAM, go back to the already open configuration window and enter following details and click Next to finish the configuration. In case if the configuration window was closed, you can also launch the configuration from command prompt.

[oracle@fusion webgate]$ /app/fusion/webgate/access/oblix/tools/configureWebGate/start_configureWebGate -i /app/fusion/webgate/access -t WebGate

Please enter the Mode in which you want the Web Gate to run : 1(Open) 2(Simple) 3(Cert) : 1

Please enter the Web Gate ID : Webgate_sso

Please enter the Password for this Web Gate : <enter oracle123 or any password here. Make note of it>

Please enter the Access Server ID : wls_oam1

Please enter the Access Server Host Machine Name : fusion

Please enter the Access Server Port : 5575

Preparing to connect to Access Server. Please wait.

Web Gate installed Successfully.

Press enter key to continue …

As per Oracle documentation there are a few steps to use the Webgate and validate but we will skip them for now.

Next step is to prepare Identity and Policy Stores by creating necessary users and groups for provisioning Fusion Applications.

Next: Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Running Repository Creation Utility (RCU) for Oracle Identity Management components

Installing Orace JRockit JDK

Installation of JRockit is very simple. Just unzip the file located at <repository_location>/installers/jdk to any location where we want to extract the JDK files.

We will extract the files at /app/fusion and it will create /app/fusion/jdk6 directory. So we can set JAVA_HOME to /app/fusion/jdk6

cd /app/fusion

unzip /mnt/fusion/installers/jdk/jdk6.zip

Installing Oracle HTTP Server 11.1.1.2.0

We will install Oracle HTTP Server 11.1.1.2.0. Next we will patch it to 11.1.1.5.0 to bring it to the required level for Fusion Applications 11.1.1.5.0

Start the installation by executing runInstaller from <repository_location>/installers/webtier/Disk1

[oracle@fusion Disk1]$ /mnt/fusion/installers/webtier/Disk1/runInstaller &

Click Next

Select “Install Software – Do Not Configure“. This is because we will configure all components later in next section. Click Next

This screen will check for prerequisites. Click Next once completed.

Provide the path for Oracle Middleware Home. Please note that this will be the parent directory for all other Oracle Homes and instances. This is generally called MW_HOME.

Provide details as above and Click Next

Deselect Email Notifications and click Next

Save the Summary if required. Click Install to begin the installation.

Once installation is finished click Next

Save installation summary if required. Click Finish to complete the installation of Oracle HTTP Server.

Install HTTP Server Patch 11.1.1.5.0

Start the installation by executing runInstaller from <repository_location>/installers/webtier_patchset/Disk1

[oracle@fusion webtier_patchset]$ /mnt/fusion/installers/webtier_patchset/Disk1/runInstaller &

Click Next

Since we are installing the patch, the above details must be same as previous steps in order to apply patch on already installed Web Home. Click Next

Deselect email notification and click Next

Save the summary if required and click Install to begin the patch installation.

Click Next once installation is finished.

Save the installation summary if needed. Click Finish to complete the patch installation.

Install Weblogic Server 10.3.5

Start the installation by executing following java command
from <repository_location>/installers/weblogic

[oracle@fusion weblogic]$ cd /mnt/fusion/installers/weblogic

[oracle@fusion weblogic]$ java -d64 -jar wls_generic.jar

Click Next

Select “Create a new Middleware Home” and make sure that the correct MW_HOME directory (as selected in HTTP server installation) is selected. Click Next

Click Yes

Deselect email notifications and Click Next

Select Typical and click Next

It will display the list of local JDK already available. Since I had not yet unzipped Oracle JRockit yet, this screen does not show that. For you it will display the new JDK. Select it and click Next

Enter directories values as above and click Next

Click Next on the summary page.

Deselect Quickstart and click Done once installation finishes.

Install Oracle Identity Management 11.1.1.2

We will first install Oracle Identity Management 11.1.1.2 and later patch it to required version 11.1.1.5

We need to first unzip the installation files from <repository_location>/installers/idm directory.

[oracle@fusion provisioning]$ mkdir /app/fusion/provisioning/idm

[oracle@fusion provisioning]$ cd /app/fusion/provisioning/idm

[oracle@fusion idm]$ unzip /mnt/fusion/installers/idm/idm.zip

Start the installation by executing runInstaller from <provisioning_repository>/idm/idm/Disk1

[oracle@fusion Disk1]$ cd /app/fusion/provisioning/idm/idm/Disk1

[oracle@fusion Disk1]$ ./runInstaller

Click Next

Select “Install Software – Do Not Configure” since we will be configuring all components later. Click Next

Click Next once prerequisite checks finish successfully.

Make sure to keep same Middleware Home as earlier installations. Select Appropriate name for IDM Home directory. You can keep it unchanged and click Next

Deselect email notifications and click Next

Save summary if needed. Click Install to begin installation.

Once installation is finished click Next

It will prompt us to run /app/fusion/fmw/idm/oracleRoot.sh script as root user. Login in another terminal window as root user and run the script. Press OK once script is exected.

[root@fusion ~]# /app/fusion/fmw/idm/oracleRoot.sh

Save Installation summary if needed. Click Finish to complete the installation.

Install Identity management 11.1.1.5 patchset

We need to first unzip the installation files from <repository_location>/installers/idm directory.

[oracle@fusion idmpatchset]$ cd /app/fusion/provisioning/idm/idmpatchset

[oracle@fusion idmpatchset]$ unzip /mnt/fusion/installers/idm/idm_patchset.zip

Start the installation by executing runInstaller from <provisioning_repository>/idm/idmpatchset/idm_patchset/Disk1 directory

[oracle@fusion Disk1]$ cd /app/fusion/provisioning/idm/idmpatchset/idm_patchset/Disk1

[oracle@fusion Disk1]$ ./runInstaller

Click Next

Since we are installing patchset on existing Home keep the values same as previous step. Click Next

Deselect Email Notifications and click Next

Save summary if needed. Click Install to begin installation.

Once installation is finished click Next

It will prompt us to run /app/fusion/fmw/idm/oracleRoot.sh script as root user. Login in another terminal window as root user and run the script. Press OK once script is exected.

[root@fusion ~]# /app/fusion/fmw/idm/oracleRoot.sh

Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)

yes

User selected for running OIDRoot.sh

/app/fusion/fmw/idm

Finished root actions for OID

Save installation summary if required. Click Finish to complete the installation.

Installation of SOA suite 11.1.1.5

Start the installation by executing runInstaller from <repository_location>/installers/soa/Disk1

[oracle@fusion Disk1]$ cd /mnt/fusion/installers/soa/Disk1

[oracle@fusion Disk1]$ ./runInstaller

…

Please specify JRE/JDK location ( Ex. /home/jre ), <location>/bin/java should exist :/app/fusion/jdk6

Click Next

Select “Skip Software Updates” and click Next

This screen will check for prerequisites. Click Next once completed.

Enter values as above and click Next

Select “Weblogic Server” and click Next

Save summary if needed. Click Install to begin installation.

Once installation is finished click Next

Save installation summary if required. Click Finish to complete the installation.

Install Oracle Identity and Access Management 11.1.1.5

We need to first unzip the installation files from <repository_location>/installers/oam directory.

[oracle@fusion oam]$ cd /app/fusion/provisioning/oam

[oracle@fusion oam]$ unzip /mnt/fusion/installers/oam/iamsuite1.zip

[oracle@fusion oam]$ unzip /mnt/fusion/installers/oam/iamsuite2.zip

[oracle@fusion oam]$ unzip /mnt/fusion/installers/oam/iamsuite3.zip

[oracle@fusion oam]$ unzip /mnt/fusion/installers/oam/iamsuite4.zip

Start the installation by executing runInstaller from <provisioning_repository>/oam/iamsuite/Disk1

[oracle@fusion Disk1]$ cd /app/fusion/provisioning/oam/iamsuite/Disk1

[oracle@fusion Disk1]$ ./runInstaller

Click Next

Select “Skip Software Updates” and click Next

This screen will check for prerequisites. Click Next once completed.

Enter the values as above and click Next

Save summary if needed. Click Install to begin installation.

Once installation is finished click Next

Save installation summary if required. Click Finish to complete the installation.

Provisioning the OIM Login Modules Under the WebLogic Server Library Directory

Due to issues with versions of the configuration wizard, some environmental variables are not added to the DOMAIN_HOME/bin/setDomainenv.sh script. This causes certain install sequences to fail. This is a temporary workaround for that problem.

1. Copy the OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar and

oimsignaturembean.jar files located under the IAM_ORACLE_HOME/server/loginmodule/wls directory to the MW_HOME/wlserver_10.3/server/lib/mbeantypes directory.

[oracle@fusion Disk1]$ cp -p /app/fusion/fmw/iam/server/loginmodule/wls/* /app/fusion/fmw/wlserver_10.3/server/lib/mbeantypes/

2. Change directory to MW_HOME/wlserver_10.3/server/lib/mbeantypes/

[oracle@fusion Disk1]$ cd /app/fusion/fmw/wlserver_10.3/server/lib/mbeantypes/

3. Change the permissions on these files to 750 by using the chmod command.

[oracle@fusion mbeantypes]$ chmod 750 *

Creating the wlfullclient.jar File

Oracle Identity Manager uses the wlfullclient.jar library for certain operations. Oracle does not ship this library, so you must create this library manually. We will see mention of this during provisioning.

[oracle@fusion lib]$ cd /app/fusion/fmw/wlserver_10.3/server/lib

[oracle@fusion lib]$ java -jar wljarbuilder.jar

..

[oracle@fusion lib]$ ls -l wlfullclient.jar

-rw-r–r– 1 oracle oinstall 59480532 Jan 23 09:21 wlfullclient.jar

This concludes Installation of Oracle Identity and Access Management components required for Fusion Applications. Next we will configure these components.

Next: Configuring Oracle Identity and Access Management components

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Configuring Oracle Identity and Access Management components

Now we will prepare the Identity and Policy stores which will create the necessary users, groups etc. This will also generate a file called idmDomainConfig.param which we need to specify while creating a provisioning plan. This will automatically populate some of the required fields during the provisioning plan creation.

Important Note: Please make sure to run all these commands from same location since these commands will create/append into a file named idmDomainConfig.param in same directory. Running these commands from same directory will ensure that all the contents is appended into single file.

Change the directory to <IAM_ORACLE_HOME>/idmtools/bin. And export the required environment variables.

[oracle@fusion bin]$ cd /app/fusion/bea_default/Oracle_IAM/idmtools/bin

[oracle@fusion bin]$ export IDM_HOME=/app/fusion/bea_default/Oracle_IDM1

[oracle@fusion bin]$ export ORACLE_HOME=/app/fusion/bea_default/Oracle_IAM

[oracle@fusion bin]$ export MW_HOME=/app/fusion/bea_default

[oracle@fusion bin]$ export JAVA_HOME=/app/fusion/jdk6

Now create a file named policystore.props with following contents.

[oracle@fusion bin]$ more policystore.props

POLICYSTORE_HOST : fusion

POLICYSTORE_PORT : 3060

POLICYSTORE_BINDDN: cn=orcladmin

POLICYSTORE_READONLYUSER: PolicyROUser

POLICYSTORE_READWRITEUSER: PolicyRWUser

POLICYSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_CONTAINER: cn=jpsroot

Now run idmConfigTool.sh to configure the Policy store based on the above input file. Enter a password of choice whenever prompted. We will stick to “oracle123″ for now.

[oracle@fusion bin]$ ./idmConfigTool.sh -configPolicyStore input_file=policystore.props

Enter Policy Store Bind DN password :

…

Enter User Password for PolicyROUser:

Confirm User Password for PolicyROUser:

…

Enter User Password for PolicyRWUser:

Confirm User Password for PolicyRWUser:

…

The tool has completed its operation. Details have been logged to automation.log

Whenever you run this tool, it will append log to automation.log in same directory. You can check the same as follows.

[oracle@fusion bin]$ ls -ltr

total 60

-rwxr-x— 1 oracle oinstall 1169 Dec 2 2010 appidtool.sh

-rwxr-x— 1 oracle oinstall 1139 Dec 2 2010 appidtool.bat

-rwxr-x— 1 oracle oinstall 1593 Mar 28 2011 orclTenantManager.sh

-rwxr-x— 1 oracle oinstall 2287 May 2 2011 orclTenantManager.bat

-rwxr-x— 1 oracle oinstall 3005 May 3 2011 idmConfigTool.sh

-rwxr-x— 1 oracle oinstall 3096 May 3 2011 idmConfigTool.bat

-rw-r–r– 1 oracle oinstall 235 Jan 25 21:21 policystore.props

-rw-r—– 1 oracle oinstall 154 Jan 25 21:23 idmDomainConfig.param

-rw-r–r– 1 oracle oinstall 1497 Jan 25 21:23 automation.log

As you can see it has created 2 files. idmDomainConfig.param and automation.log

Next we need to re-associate the policy store. Follow the steps below for the same.

[oracle@fusion bin]$ cd /app/fusion/bea_default/ocracle_common/common/bin/

[oracle@fusion bin]$ ./wlst.sh

…

Initializing WebLogic Scripting Tool (WLST) …

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

This will take you to a prompt which looks as follows. Enter following command to connect to the weblogic AdminServer.

wls:/offline>
connect(“weblogic”,’ “oracle123″,”t3://fusion:7001″)

Connecting to t3://fusion:7001 with userid weblogic …

Successfully connected to Admin Server ‘AdminServer’ that belongs to domain ‘IDM_domain’.

Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.

Once connected run the following reassociateSecurityStore command. reassociateSecurityStore(domain=”IDMDomain”, admin=”cn=orcladmin”,password=”oracle123″, ldapurl=”ldap://fusion:3060″, servertype=”OID”,jpsroot=”cn=jpsroot”)

wls:/IDM_domain/serverConfig> reassociateSecurityStore(domain=”IDMDomain”,admin=”cn=orcladmin”,password=”oracle123″,ldapurl=”ldap://fusion:3060″,servertype=”OID”,jpsroot=”cn=jpsroot”)

Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.

For more help, use help(domainRuntime)

Starting policy store reassociation.

…

Jps Configuration has been changed. Please restart the application server.

Enter the command “exit()” to quit the tool now.

wls:/IDM_domain/serverConfig> exit()

Exiting WebLogic Scripting Tool.

Now restart the Weblogic Server. We will use the shell scripts which we have created to start/stop weblogic. You can do this manually as well.

[oracle@fusion bin]$ ~/scripts/stopwls.sh

Stopping Weblogic Server

…

Shutting down the server AdminServer with force=false while connected to AdminServer …

..

Stopping Derby Server…

[oracle@fusion bin]$ ~/scripts/startwls.sh

Starting Weblogic Server

Again change the directory to <IAM_ORACLE_HOME>/idmtools/bin and create a file named extend.props with following contents.

[oracle@fusion bin]$ cd /app/fusion/bea_default/ocracle_common/common/bin/

[oracle@fusion bin]$ more extend.props

IDSTORE_HOST : fusion

IDSTORE_PORT : 3060

IDSTORE_BINDDN : cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

IDSTORE_SYSTEMIDBASE: cn=systemids,dc=localdomain

Make sure that all required environment variables are already set. No need to set again if you are in the same terminal/putty window.

[oracle@fusion bin]$ echo $IDM_HOME

/app/fusion/bea_default/Oracle_IDM1

[oracle@fusion bin]$ echo $ORACLE_HOME

/app/fusion/bea_default/Oracle_IAM

Again run idmConfigTool.sh Enter a password of choice whenever prompted. We will stick to “oracle123″ for now.

[oracle@fusion bin]$ ./idmConfigTool.sh -preConfigIDStore input_file=extend.props

Enter ID Store Bind DN password :

…

The tool has completed its operation. Details have been logged to automation.log

Now create a file named oam.props with following contents.

[oracle@fusion bin]$ more oam.props

IDSTORE_HOST : fusion

IDSTORE_PORT : 3060

IDSTORE_BINDDN : cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_SHARES_IDSTORE: true

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators

IDSTORE_OAMSOFTWAREUSER:oamLDAP

IDSTORE_OAMADMINUSER:oamadmin

Again run idmConfigTool.sh Enter a password of choice whenever prompted. We will stick to “oracle123″ for now.

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=OAM input_file=oam.props

Enter ID Store Bind DN password :

…

Enter User Password for oblixanonymous:

Confirm User Password for oblixanonymous:

…

Enter User Password for oamadmin:

Confirm User Password for oamadmin:

…

Enter User Password for oamLDAP:

Confirm User Password for oamLDAP:

…

The tool has completed its operation. Details have been logged to automation.log

Now create a file named oim.props with following contents.

[oracle@fusion bin]$ more oim.props

IDSTORE_HOST : fusion

IDSTORE_PORT : 3060

IDSTORE_BINDDN : cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE:cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_SHARES_IDSTORE: true

IDSTORE_SYSTEMIDBASE: cn=systemids,dc=localdomain

IDSTORE_OIMADMINUSER: oimadmin

IDSTORE_OIMADMINGROUP:OIMAdministrators

Again run idmConfigTool.sh Enter a password of choice whenever prompted. We will stick to “oracle123″ for now.

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props

Enter ID Store Bind DN password :

…

Enter User Password for oimadmin:

Confirm User Password for oimadmin:

…

Enter User Password for xelsysadm:

Confirm User Password for xelsysadm:

The tool has completed its operation. Details have been logged to automation.log

Now create a file named lwls.props with following contents.

[oracle@fusion bin]$ more lwls.props

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users, dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_SHARES_IDSTORE: true

Again run idmConfigTool.sh Enter a password of choice whenever prompted. We will stick to “oracle123″ for now.

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=WLS input_file=wls.props

Enter ID Store Bind DN password :

…

Enter User Password for weblogic_idm:

Confirm User Password for weblogic_idm:

…

The tool has completed its operation. Details have been logged to automation.log

Now create a file named fusion.props with following contents.

[oracle@fusion bin]$ more fusion.props

IDSTORE_HOST : fusion

IDSTORE_PORT : 3060

IDSTORE_BINDDN : cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_READONLYUSER: IDROUser

IDSTORE_READWRITEUSER: IDRWUser

IDSTORE_USERSEARCHBASE:cn=Users,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SUPERUSER: weblogic_fa

POLICYSTORE_SHARES_IDSTORE: true

Again run idmConfigTool.sh Enter a password of choice whenever prompted. We will stick to “oracle123″ for now.

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=fusion input_file=fusion.props

Enter ID Store Bind DN password :

…

Enter User Password for IDROUser:

Confirm User Password for IDROUser:

…

Enter User Password for IDRWUser:

Confirm User Password for IDRWUser:

…

Enter User Password for weblogic_fa:

Confirm User Password for weblogic_fa:

…

The tool has completed its operation. Details have been logged to automation.log

This concludes the preparation of Identity and Policy stores for the Fusion Applications Installation.

Next: Creating a New Provisioning Plan

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Preparing Identity and Policy Stores
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)

In order to create a new fusion applications provisioning plan we should launch the provisioning wizard again from <framework_location>/provisioning/bin

<framework_location> is same what we mentioned in previous post. i.e. /app/fusion

[oracle@fusion $ cd /app/fusion/provisioning/bin

[oracle@fusion bin]$ ./provisioningWizard.sh &

On Welcome screen, click Next

Select “Create a New Applications Environment Provisioning Plan” and click Next

Deselect Security updates notification and click Next

Please note that in Fusion Applications each Applications will include multiple Weblogic Managed Servers, admin servers etc and since our Virtual Machine is not having sufficient capacity to host all these applications, we selected “Oracle Human Capital Management”. You can select any product which you wish to configure first. Click Details to see the topology details for the selected module.

Click Close and then Next on configurations screen.

In this screen provide any name to this provisioning plan. Click Next

Since we entered “weblogic” as Node Manager login earlier, provide its password Oracle123

Installers Directory Location: The stage or repository location. In our case /mnt/fusion

Oracle Fusion Applications Home: Provide base location for the installation. /fusion (or whichever directory you choose)

Enter /fusion/instance for Application Configuration Directory.

As we have noted the location for Webgate Library earlier in Previous post, enter /app/fusion/oam_lib

We had created IDM Properties file /app/fusion/bea_default/Oracle_IAM/idmtools/bin/idmDomainConfig.param in previous post.

RDP Password: oracle123

Click Next

Since we already have services running on some of above ports (for example 7001 etc), change the base port to some other value for example 12000. The reason we chose 12000 is that as per Oracle release notes the above port ranges should not overlap with 11020. You can even manually skip that port. Change Node Manager port to 5557. Click Next

Enter database details in this screen. Click Next

Enter same password. Lets’ keep Oracle123 again J

This will only accept earlier entered ODI Supervisor password. In our case, nothing to worry since we have all passwords as Oracle123

Password: Oracle123 (here it validates this password)

We are going to have single host for all domains. Enter our hostname “fusion” and click Next

Deselect DMZ, enter host as fusion, domain as fusion.local. Click Next

Review above and change if desired. Click Next

Since we are going to have the simplest installation, deselect Load Balancing. Click Next

Deselect Proxy. Click Next

Entered following values only, remaining were populated from idmDomainConfig.param file

Super User Name: weblogic_fa

“Create Administrators Group”, “Create Monitors Group”, “Create Operators Group”: Checked 

Entered Oracle123 in both password fields

“Identity Store Enabled SSL”, “OIM Endpoint Enabled SSL”: Unchecked

OIM Administrator User Name: We will use webglogic_idm username for provisioning. OIM Administrator login xelsysadm or oimadmin will not be used for provisioning.

OIM Administrator Password: Oracle123

OIM Managed Server port: 14000

OIM Endpoint Host: fusion (this is because we did not configure load balancing)

OIM Endpoint Port: 7777

IDM Keystore file: Create a dummy file anywhere on Linux and enter its path here.

[oracle@fusion]$ touch /app/fusion/provisioining/dummy

IDM KeyStore Password: Enter any value since this is not used for non SSL setup.

OAM Administrator User Name: oamadmin

OAM Administrator Password: Oracle123 (as defined earlier)

OAM AAA Server Host: fusion

OAM AAA Server Port: 5575 (Default and also defined earlier)

Access Server Identifier: wls_oam1

Secondary OAM: Unchecked

OAM Security Mode: Open

Webgate password: Oracle123 (as entered earlier in previous post)

OPSS Policy Store Password: Oracle123

OPSS Policy Store JPS Root Node: cn=FAPolicies (though you can choose any name but we will go with Oracle recommendation)

Create OPSS Policy Store JPS Root Node: Checked

OPSS Policy Store SSL Enabled: Unchecked 

Remaining fields already poputed due to idmDomainConfig.param file. Click Next

Enter Database Details. Also enter DEV_MDS and password Oracle123 (defined earlier during installation in previous post). Click Next

Click Finish to complete creating the plan.

Next: Provisioning an Applications Environment

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Installing Oracle Identity and Access Management Components

Configuring Oracle Identity Management components” can be divided into following tasks. Please note that we will not configure Oracle Virtual Directory, Oracle Identity Federation etc.

1. Configuring the Web Tier
2. Create Weblogic Domain for Identity Management
3. Extending the Domain with Oracle Internet Directory
4. Extending the Domain with Oracle Directory Service Manager (ODSM)
5. Extending the Domain with Oracle Access Manager
6. Preparing Identity and Policy Stores
7. Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite

Configuring the Web Tier

Start the configuration from <Web_Home>/bin

[oracle@fusion web]$ cd /app/fusion/fmw/web/bin/

[oracle@fusion bin]$ ./config.sh &

Click Next

Select “Oracle HTTP Server” and click Next

For Instance location enter “/app/fusion/admin/ohs_inst1” since we will keep all instances in this location. Provide any appropriate Instance name and OHS component name. We will go for the defaults. Click Next

Select “Specify Ports using Configuration File” and enter file name as /home/oracle/staticports.ini

Now we will copy staticports.ini default file from <repository_location>/installers/webtier/Disk1/stage/Response to home directory /home/oracle

cp /mnt/fusion/installers/webtier/Disk1/stage/Response/staticports.ini ~/staticports.ini

Now click on “View/Edit File” to edit this file.

Uncomment and set the following values. Click Save

OPMN Local Port = 6700

OHS Port = 7777

Deselect email notification and click Next

Save summary if needed and click Configure to start configuration.

Important Note: If SELinux is enabled in your Linux operating System then it will throw an error. Since we already disabled it during installation, we will not see that error here.

Once installation finishes, click Next

Save installation summary if needed and click Finish to complete the installation.

It would have already started HTTP server now. We can verify the same.

[oracle@fusion instances]$ ps -ef | grep http

oracle 3521 3491 0 10:06 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL

oracle 3547 3521 0 10:06 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL

oracle 3548 3521 0 10:06 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL

oracle 3549 3521 0 10:06 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker –DSSL

Check /app/fusion/admin/ohs_inst1/config/OHS/ohs1/httpd.conf to make sure it reflects correct user and group name

User oracle

Group oinstall

We can launch http://fusion:7777 (Homepage of Oracle HTTP server) now. It will look as follows.

Create Weblogic Domain for Identity Management

Start the configuration from <Middleware Home>/oracle_common/commin/bin

[oracle@fusion bin]$ cd /app/fusion/fmw/oracle_common/common/bin/

[oracle@fusion bin]$ ./config.sh &

Select “Create a new Weblogic domain” and click Next

Select “Oracle Enterprise Manager – 11.1.1.0 [oracle_common]” and “Oracle JRF – 11.1.1.0 [oracle_common]” and click Next

Enter details as above and click Next.

Domain Name: IDMDomain

Domain Location: /app/fusion/admin/IDMDomain/aserver
Application location: /app/fusion/admin/IDMDomain/aserver/applications

Since it accepts minimum 8 characters set password again to Oracle123. Please note that you can also change username from weblogic but we will go for default “weblogic” username. As informed earlier we will use Oracle123 as password for all steps.

You would see option of Oracle JRockit here. So select that JDK in this list.

Select “Administration Server” and “Managed Servers, Clusters and Machines”. Click Next

Keep defaults but make a note of the port since this will be widely used during next part of installation. Click Next

Just click Next

Click Next again

Select Second Tab “Unix Machine” and enter the hostname as above. Click Next

Click on AdminServer and Click right arrow. Click Next

It will now look as above. Click Next

On Summary page click Create

Once installation finishes, click Done

Make sure that the encrypted username and password values are already in boot.properties

[oracle@fusion security]$ more /app/fusion/bea_default/user_projects/domains/IDM_domain/servers/AdminServer/security/boot.properties

# Generated by Configuration Wizard on Mon Jan 23 10:59:07 GST 2012

username={AES}zaXc3+4y2KGuxnK6WkI7ehKcliQDeandkjdTdu0vpuY=

password={AES}WZ6Zo+j6aGoCyE2nQmCCdboEkA8TDGRlagdSqFGRedo=

If you don’t have the boot.properties file or security folder present then create one as follows.

[oracle@fusion fusion]$ mkdir -p /app/fusion/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security

[oracle@fusion security]$ cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security

[oracle@fusion security]$ cat boot.properties

username=weblogic

password=Oracle123

Next time when you restart Admin server it will encrypt the username and password automatically.

Start Node manager

[oracle@fusion security]$ cd /app/fusion/fmw/wlserver_10.3/server/bin/

[oracle@fusion bin]$ ./startNodeManager.sh &

Set StartScriptEnabled=true in nodemanager.properties by running following script

[oracle@fusion bin]$ cd /app/fusion/fmw/oracle_common/common/bin

[oracle@fusion bin]$ ./setNMProps.sh

Appending required nodemanager.properties

Verify the change.

[oracle@fusion bin]$ tail -f /app/fusion/bea_default/wlserver_10.3/common/nodemanager/nodemanager.properties

#Required NM Property overrides (append to existing nodemanager.properties)

StartScriptEnabled=true

Kill node manager script. Start Node Manager again as follows.

[oracle@fusion bin]$ nohup ./startNodeManager.sh &

The log file should show following entries to confirm that Node manager came up successfully.

IDM_domain -> /app/fusion/bea_default/user_projects/domains/IDM_domain

…

INFO: Secure socket listener started on port 5556

Start Weblogic AdminServer

[oracle@fusion bin]$ nohup
/app/fusion/bea_default/user_projects/domains/IDM_domain/bin/startWebLogic.sh &

tail nohup.out file until it shows following message.

<Jan 23, 2012 11:55:21 AM GST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>

Open Weblogic Admin Console

Launch Weblogic Admin console through
http://fusion:7001/console

Login with weblogic/Oracle123


Note: Go to preferences and change “automatic acquire lock” settings to avoid accidental changes.

Configuring HTTP server for the Administration Server

Create a new file admin.conf as follows.

[oracle@fusion moduleconf]$ more /app/fusion/admin/ohs_inst1/config/OHS/ohs1/moduleconf/admin.conf

# Admin Server and EM

<Location /console>

SetHandler weblogic-handler

WebLogicHost fusion

WeblogicPort 7001

</Location>

 

<Location /consolehelp>

SetHandler weblogic-handler

WebLogicHost fusion

WeblogicPort 7001

</Location>

 

<Location /em>

SetHandler weblogic-handler

WebLogicHost fusion

WeblogicPort 7001

</Location>

Restart http server as follows.

ORACLE_HOME=/app/fusion/fmw/web

export ORACLE_HOME

ORACLE_INSTANCE=/app/fusion/admin/ohs_inst1

export ORACLE_INSTANCE

PATH=$ORACLE_HOME/opmn/bin:$PATH

export PATH

opmnctl stopall

opmnctl startall

Register HTTP server with Weblogic Server

Now we need to Register HTTP server with Weblogic Server so that Enterprise Manager can monitor the instance.

[oracle@fusion ~]$ opmnctl registerinstance -adminHost fusion -adminport 7001 -adminUsername weblogic

Command requires login to weblogic admin server (fusion):

Username: weblogic

Password:

…

Done

Registering instance

Command succeeded.

Note: We will not enable load-balancer access since we have skipped load-balancing in this single node installation guide.

Enable Weblogic Plugin

Log in the Oracle Weblogic Server Administration and click on Lock and Edit. Click on IDMDomain and Click on Configuration tab and then select the Web Applications tab.

Scroll down and enable “Weblogic Plug-in Enabled”.

Click on Save and Activate the Changes.

Restart the Weblogic Administration Server.

Check Enterprise Manager by launching http://fusion/em

Login with weblogic/<password>

Since we are using web server port for launching all pages, we need to change the frontend host and port to the one used by web server.

Login to Weblogic Admin console.

In the preferences link on the top, shared preferences->deselect Follow Configuration Changes.

Click Lock and Edit. Select Servers->AdminServer. In the protocols tab click on HTTP and change the following values. Now click on Activate changes.

Extending the Domain with Oracle Internet Directory

Start the configuration from <IDM Oracle Home/bin

[oracle@fusion bin]$ cd /app/fusion/fmw/idm/bin

[oracle@fusion bin]$ ./config.sh &

Click Next

Select “Configure Without A Domain” and click Next

Enter values as follows. Click Next

Instance Location: /app/fusion/admin/oid_inst1

Instance Name: oid_inst1

Deselect email notification and click Next

Select only “Oracle Internet Directory” and click Next

Select “Specify Ports using Configuration File” and enter file name as /home/oracle/staticports.ini

In another terminal window copy the staticports.ini file to home directory.

[oracle@fusion bin]$ cp /app/fusion/provisioning/idm/idm/Disk1/stage/Response/staticports.ini ~/

Click on View/Edit file

Change the values as follows and click Save.

VERY IMPORTANT:

As per Oracle Manual ideally we should have changed it to as follows.

#The Non-SSL port for OID

Oracle Internet Directory Port No = 389

#The SSL port for OID

Oracle Internet Directory (SSL) Port No = 636

But OID fails to configure and start at the end of installation with these values so we will stick to the OID values for 11g in the staticports.ini and just remove the comments.

#The Non-SSL port for OID

Oracle Internet Directory Port No = 3060

#The SSL port for OID

Oracle Internet Directory (SSL) Port No = 3061

Once saved, click Next

Enter Oracle123 or any suitable password. If you are using different passwords then please make a note of all of them. Click Next

Since we are not using any domains as such but as we have added an entry in our hosts file for fusion.localdomain, we will add “dc=localdomain” for Realm. Enter Oracle123 or any suitable password. Click Next

[oracle@fusion ~]$ more /etc/hosts

127.0.0.1 localhost.localdomain localhost

192.168.56.101 fusion fusion.localdomain

Save summary if needed and click Configure to start configuration.

Once installation finishes, click Next

Save installation summary if needed and click Finish to complete the installation.

Validate the OID installation

[oracle@fusion ~]$ export ORACLE_HOME=/app/fusion/admin/idm

[oracle@fusion ~]$ export ORACLE_INSTANCE=/app/fusion/admin/oid_inst1

[oracle@fusion ~]$ export PATH=$ORACLE_HOME/opmn/bin:$ORACLE_HOME/bin:$ORACLE_HOME/ldap/bin:$ORACLE_HOME/ldap/admin:$PATH

[oracle@fusion ~]$ ldapbind -h fusion -p 3060 -D “cn=orcladmin” -q

Please enter bind password:

bind successful

[oracle@fusion ~]$ ldapbind -h fusion -p 3061 -D “cn=orcladmin” -q -U 1

Please enter bind password:

bind successful

[oracle@fusion ~]$ opmnctl status

Processes in Instance: oid_inst1

———————————+——————–+———+———

ias-component | process-type | pid | status

———————————+——————–+———+———

oid1 | oidldapd | 19810 | Alive

oid1 | oidldapd | 19798 | Alive

oid1 | oidmon | 19785 | Alive

EMAGENT | EMAGENT | 19325 | Alive

Registering Oracle Internet Directory with the WebLogic Server Domain

[oracle@fusion provisioning]$ export ORACLE_HOME=/app/fusion/fmw/idm

[oracle@fusion provisioning]$ export ORACLE_INSTANCE=/app/fusion/admin/oid_inst1

[oracle@fusion provisioning]$ $ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost fusion -adminPort 7001 -adminUsername weblogic

Command requires login to weblogic admin server (fusion):

Username: weblogic

Password:

Registering instance

Command succeeded.

Note: We have skipped next steps related to SSL since we are setting up non-SSL connections here.
Update the Enterprise Manager Repository URL

Next we will update the Enterprise Manager Repository URL using the emctl utility with the switchOMSflag. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

[oracle@fusion ~]$ cd $ORACLE_INSTANCE/EMAGENT/EMAGENT/bin

[oracle@fusion bin]$ ./emctl switchOMS http://fusion:7001/em/upload

Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.

Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.

SwitchOMS succeeded.

We can now verify whether this instance is registered for monitoring agent.

Login to http://fusion:7001/em

Click on Farm->Agent monitored targets.

Extending the Domain with Oracle Directory Service Manager (ODSM)

Start the configuration from <IDM Oracle Home>/bin

[oracle@fusion bin]$ cd /app/fusion/fmw/idm/bin/

[oracle@fusion bin]$ ./config.sh &

Click Next

Select “Extend Existing Domain” and enter details of existing weblogic Server and AdminServer port. Click Next

You can ignore this error since we created this domain using the Identity Management installer. Click Yes to ignore.

Verify that the weblogic server directory shown is correct as per previous steps. Specify name and path for Oracle Directory Service instance. Make sure to keep the instance in same parent directory as previous instances. Click Next

Deselect email notification and click Next

Select Oracle “Directory Service Manager” and click Next

Select “Specify Ports using Configuration File” and enter file name as /home/oracle/staticports.ini

Meanwhile in another terminal window copy the staticports.ini to home directory.

[oracle@fusion bin]$ cp -p /app/fusion/provisioning/idm/idm/Disk1/stage/Response/staticports.ini ~/

Click View/Edit

Uncomment the ODS Server Port and keep it default 7006. Click Save

Once Saved click Next

Save summary if needed and click Configure to start configuration.

Once installation finishes, click Next

Save installation summary if needed and click Finish to complete the installation.

Password-less startup for ODS

cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/servers/wls_ods1/security/ (if not present create this structure)

cp ../../AdminServer/security/boot.properties .

cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/bin/

nohup ./startManagedWebLogic.sh wls_ods1

Now you can access ODS homepage at http://fusion:7006/odsm

It will now also show up in http://fusion:7777/em

Configure Oracle Directory Service with OID

Click on Connect to a directory -> Create A New Connection

Enter the details for OID.

Name: fusion-oid

Server: fusion

SSL Enabled: Unchecked

User Name: cn=orcladmin

Password: Oracel123

Start Page: Home

Click Connect

Once connection is successful, you should be able to see OID page

.

You can randomly check whether you are able to see details of any user, for example cn=orcladmin
Configuring Oracle HTTP Servers to Access the ODSM Console

[oracle@fusion moduleconf]$ cd /app/fusion/admin/ohs_inst1/config/OHS/ohs1/moduleconf/

[oracle@fusion moduleconf]$ vi admin.conf

# Append following lines in admin.conf

<Location /odsm>

SetHandler weblogic-handler

WebLogicHost fusion

WeblogicPort 7006

</Location>

Restart HTTP server.

Now we can access ODSM through http://fusion:7777/odsm/

http://fusion:7777/odsm

Apply following patches

1. 12995033 for IDM Tools IAM_ORACLE_HOME
   
2. 12989739 for OAM 11g IAM_ORACLE_HOME
   
3. 12961473, 14109501 (could not locate this second patch) for OIM IAM_ORACLE_HOME [Skip post steps for 12961473 for now since there is another patch to be applied later which has same post steps and is subset patch for this]
   
4. 12937765 for OID IDM_ORACLE_HOME
   
   

There is a patch listed for Webgate but you can apply it once we install Webgate. We have skipped this for now.

12816881 for OAM 10g WebGate

Preparing Identity and Policy Stores

A) Preparing the OPSS Policy Store

Creating Policy Store Users and the Policy Container

[oracle@fusion ~]$ cd /app/fusion/fmw/iam/idmtools/bin/

[oracle@fusion bin]$ export ORACLE_HOME=/app/fusion/fmw/iam

[oracle@fusion bin]$ export JAVA_HOME=/app/fusion/jdk6

[oracle@fusion bin]$ export IDM_HOME=/app/fusion/fmw/idm

[oracle@fusion bin]$ export MW_HOME=/app/fusion/fmw

 

[oracle@fusion bin]$ more policystore.props

POLICYSTORE_HOST: fusion

POLICYSTORE_PORT: 3060

POLICYSTORE_BINDDN: cn=orcladmin

POLICYSTORE_READONLYUSER: PolicyROUser

POLICYSTORE_READWRITEUSER: PolicyRWUser

POLICYSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_CONTAINER: cn=jpsroot

 

[oracle@fusion bin]$ ./idmConfigTool.sh -configPolicyStore input_file=policystore.props

Enter Policy Store Bind DN password :

…

Enter User Password for PolicyROUser:

Confirm User Password for PolicyROUser:

…

Enter User Password for PolicyRWUser:

Confirm User Password for PolicyRWUser:

…

Reassociating the Policy and Credential Store

[oracle@fusion bin]$ cd /app/fusion/fmw/oracle_common/common/bin/

[oracle@fusion bin]$ ./wlst.sh

wls:/offline> connect(“weblogic”,”Oracle123″,”t3://fusion:7001″)

wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain=”IDMDomain”, admin=”cn=orcladmin”,password=”Oracle123″, ldapurl=”ldap://fusion:3060″,servertype=”OID”, jpsroot=”cn=jpsroot”)

…

…

Jps Configuration has been changed. Please restart the application server.

wls:/IDMDomain/serverConfig> wls:/IDMDomain/serverConfig> exit()

Restart Weblogic Admin Server.

B) Preparing the Identity Store

Extending Directory Schema for Oracle Access Manager

[oracle@fusion bin]$ more extend.props

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

IDSTORE_SYSTEMIDBASE: cn=systemids,dc=localdomain

[oracle@fusion bin]$ ./idmConfigTool.sh -preConfigIDStore input_file=extend.props

Enter ID Store Bind DN password :

Creating Users and Groups for Oracle Access Manager

[oracle@fusion bin]$ more oam.props

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_SHARES_IDSTORE: true

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators

IDSTORE_OAMSOFTWAREUSER:oamLDAP

IDSTORE_OAMADMINUSER:oamadmin

 

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=OAM input_file=oam.props

Enter ID Store Bind DN password :

…

Enter User Password for oamadmin:

Confirm User Password for oamadmin:

…

Enter User Password for oamLDAP:

Confirm User Password for oamLDAP:

Creating Users and Groups for Oracle Identity Manager

[oracle@fusion bin]$ more oim.props

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_SHARES_IDSTORE: true

IDSTORE_SYSTEMIDBASE: cn=systemids,dc=localdomain

IDSTORE_OIMADMINUSER: oimLDAP

IDSTORE_OIMADMINGROUP: OIMAdministrators

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props

Enter ID Store Bind DN password :

…

Enter User Password for oimLDAP:

Confirm User Password for oimLDAP:

…

Enter User Password for xelsysadm:

Confirm User Password for xelsysadm:

Creating Users and Groups for Oracle WebLogic Server

Add a read-only user to cn=orclFAUserReadPrivilegeGroup as follows

[oracle@fusion bin]$ export ORACLE_HOME=/app/fusion/fmw/idm

[oracle@fusion bin]$ more rou_member.ldif

dn: cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=localdomain

changetype: modify

add: uniquemember

uniquemember: cn=IDROUser,cn=Users,dc=localdomain

 

[oracle@fusion bin]$ /app/fusion/fmw/idm/bin/ldapmodify -h fusion -p 3060 -D cn=orcladmin -q -f rou_member.ldif

Please enter bind password:

modifying entry cn=orclFAUserReadPrivilegeGroup,cn=Groups,dc=localdomain

 

[oracle@fusion bin]$ export ORACLE_HOME=/app/fusion/fmw/iam

[oracle@fusion bin]$ more wls.props

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users, dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

POLICYSTORE_SHARES_IDSTORE: true

 

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=WLS input_file=wls.props

Enter ID Store Bind DN password :

…

Enter User Password for weblogic_idm:

Confirm User Password for weblogic_idm:

Creating Users and Groups for Fusion Applications

[oracle@fusion bin]$ more fusion.props

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_READONLYUSER: IDROUser

IDSTORE_READWRITEUSER: IDRWUser

IDSTORE_USERSEARCHBASE:cn=Users,dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

IDSTORE_SUPERUSER: weblogic_fa

POLICYSTORE_SHARES_IDSTORE: true

[oracle@fusion bin]$ ./idmConfigTool.sh -prepareIDStore mode=fusion input_file=fusion.props

Enter ID Store Bind DN password :

*** Creation of IDROUser ***

Mar 22, 2012 3:05:58 PM oracle.ldap.util.LDIFLoader loadOneLdifFile

INFO: -> LOADING: /app/fusion/fmw/iam/idmtools/templates/oid/oam_user_template.ldif

Enter User Password for IDROUser:

Confirm User Password for IDROUser:

*** Creation of IDRWUser ***

Mar 22, 2012 3:06:03 PM oracle.ldap.util.LDIFLoader loadOneLdifFile

INFO: -> LOADING: /app/fusion/fmw/iam/idmtools/templates/oid/oam_user_template.ldif

Enter User Password for IDRWUser:

Confirm User Password for IDRWUser:

*** Creation of weblogic_fa ***

Mar 22, 2012 3:06:10 PM oracle.ldap.util.LDIFLoader loadOneLdifFile

INFO: -> LOADING: /app/fusion/fmw/iam/idmtools/templates/oid/oam_user_template.ldif

Enter User Password for weblogic_fa:

Confirm User Password for weblogic_fa:

Mar 22, 2012 3:06:15 PM oracle.ldap.util.LDIFLoader loadOneLdifFile

INFO: -> LOADING: /app/fusion/fmw/iam/idmtools/templates/common/oam_user_read_acl_template.ldif

Mar 22, 2012 3:06:15 PM oracle.ldap.util.LDIFLoader loadOneLdifFile

INFO: -> LOADING: /app/fusion/fmw/iam/idmtools/templates/oid/fa_add_pwdpolicy.ldif

Mar 22, 2012 3:06:15 PM oracle.ldap.util.LDIFLoader loadOneLdifFile

INFO: -> LOADING: /app/fusion/fmw/iam/idmtools/templates/oid/fa_add_pwdpolicy.ldif

Mar 22, 2012 3:06:15 PM oracle.ldap.util.LDIFLoader loadOneLdifFile

INFO: -> LOADING: /app/fusion/fmw/iam/idmtools/templates/oid/fa_add_pwdpolicy.ldif

The tool has completed its operation. Details have been logged to automation.log

In addition to creating the users, the idmConfigTool command you ran earlier

creates the following groups and assigns users to them:

orclFAGroupReadPrivilegeGroup

orclFAGroupWritePrivilegeGroup

orclFAUserReadPrivilegeGroup

orclFAUserWritePrefsPrivilegeGroup

orclFAUserWritePrivilegeGroup

Important Note: Check automation.log file now. If you see any message like “Error adding user to groups” then you must also do following steps. This is due to a bug introduced by one of the pre-requisite patches. If you have not applied these patches then you may not face the error. Regardless, nothing to worry since we have a solution as below.

No need to execute these if there were no errors in automation.log file.

[oracle@fusion bin]$ more rog_member.ldif

dn: cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=localdomain

changetype: modify

add: uniquemember

uniquemember: cn=IDROUser,cn=Users,dc=localdomain

 

[oracle@fusion bin]$ more rwu_member.ldif

dn: cn=orclFAUserWritePrivilegeGroup,cn=Groups,dc=localdomain

changetype: modify

add: uniquemember

uniquemember: cn=IDRWUser,cn=Users,dc=localdomain

 

[oracle@fusion bin]$ more rwg_member.ldif

dn: cn=orclFAGroupWritePrivilegeGroup,cn=Groups,dc=localdomain

changetype: modify

add: uniquemember

uniquemember: cn=IDRWUser,cn=Users,dc=localdomain

 

[oracle@fusion bin]$ more rwpg_member.ldif

dn: cn=orclFAUserWritePrefsPrivilegeGroup,cn=Groups,dc=localdomain

changetype: modify

add: uniquemember

uniquemember: cn=IDRWUser,cn=Users,dc=localdomain

 

[oracle@fusion bin]$ /app/fusion/fmw/idm/bin/ldapmodify -h fusion -p 3060 -D cn=orcladmin -q -f rog_member.ldif

Please enter bind password:

modifying entry cn=orclFAGroupReadPrivilegeGroup,cn=Groups,dc=localdomain

ldap_modify: Type or value exists

ldap_modify: additional info: uniquemember attribute has duplicate value.

 

Note: Ignore if you see above error. This confirms that the user was already added to ReadOnly group.

 

[oracle@fusion bin]$ /app/fusion/fmw/idm/bin/ldapmodify -h fusion -p 3060 -D cn=orcladmin -q -f rwu_member.ldif

Please enter bind password:

modifying entry cn=orclFAUserWritePrivilegeGroup,cn=Groups,dc=localdomain

 

[oracle@fusion bin]$ /app/fusion/fmw/idm/bin/ldapmodify -h fusion -p 3060 -D cn=orcladmin -q -f rwg_member.ldif

Please enter bind password:

modifying entry cn=orclFAGroupWritePrivilegeGroup,cn=Groups,dc=localdomain

 

[oracle@fusion bin]$ /app/fusion/fmw/idm/bin/ldapmodify -h fusion -p 3060 -D cn=orcladmin -q -f rwpg_member.ldif

Please enter bind password:

modifying entry cn=orclFAUserWritePrefsPrivilegeGroup,cn=Groups,dc=localdomain

Extending the Domain with Oracle Access Manager

[oracle@fusion bin]$ cd /app/fusion/fmw/oracle_common/common/bin/

[oracle@fusion bin]$ ./config.sh &

Click “Extend an existing WebLogic domain” and click Next

Scroll down and select admin->IDMDomain-> aserver -> IDMDomain. Click Next

Select only “Oracle Access Manager with Database Policy Store” and click on Next.

Here you need to provide the database connection details and choose schema owner username. You can keep the name default but make sure to keep a note of it since you will need this later. Choose a password for example Oracle123. Click Next

Now it will test the database connectivity through JDBC.

Once successful, click Next

Select “Managed Servers, Clusters and Machines” only and click Next

The first row was from previous configuration of ODS and now there will be another row for OAM. Keep the default port and make a note of it. Enter wls_oam1 for the instance name (or whichever you chose while creating instance) and click Next

Just click Next

On the “Machines” tab make sure that correct hostname is entered. Click Next

Select wls_oam1 and click the right arrow.

Now it should look as above. Click Next

On the summary page Click Extend.

Click OK Since we are aware that these are correct ports being used by AdminServer and wls_ods1 instance.

Once configuration finishes, click Done.

Restart Weblogic admin server. Do not start managed server wls_oam1 yet.

You can start the managed server by using following command.

[oracle@fusion bin]$ cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/bin/

[oracle@fusion bin]$ ./startManagedWebLogic.sh wls_oam1

This will create the directory
/app/fusion/admin/IDMDomain/aserver/IDMDomain/servers/wls_oam1

Press CTRL+C to stop the process since we will need to configure startup without password prompt.

[oracle@fusion wls_oam1]$ cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/servers/wls_oam1

[oracle@fusion wls_oam1]$ cp ../wls_ods1/security/ boot.properties .

Now we can start the managed server without prompting for password.

[oracle@fusion bin]$ cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/bin/

[oracle@fusion bin]$ nohup ./startManagedWebLogic.sh wls_oam1 &

Remove IDM Domain Agent

Open Admin Server console at http://fusion:7777/console and login with user weblogic

Click Lock & Edit

Go to Console->Environment -> Security Realms -> myrealm -> providers -> Select IAMSuiteAgent and delete it.

Restart Weblogic and all managed servers including wls_oam1

Configuring Oracle HTTP Servers to Display Login Page and Oracle Access Manager Console

Append following entries in /app/fusion/admin/ohs_inst1/config/OHS/ohs1/moduleconf/admin.conf

<Location /oam>

SetHandler weblogic-handler

WebLogicHost fusion

WebLogicPort 14100

</Location>

 

<Location /fusion_apps>

SetHandler weblogic-handler

WebLogicHost fusion

WebLogicPort 14100

</Location>

 

<Location /oamconsole>

SetHandler weblogic-handler

WebLogicHost fusion

WebLogicPort 7001

</Location>

Restart HTTP Server to bring this to effect. 

Check http://fusion:7777/oamconsole to validate the same.

Configure OAM

[oracle@fusion bin]$ cd /app/fusion/fmw/iam/idmtools/bin

[oracle@fusion bin]$ more config_oam1.props

WLSHOST: fusion

WLSPORT: 7001

WLSADMIN: weblogic

IDSTORE_HOST: fusion

IDSTORE_PORT: 3060

IDSTORE_BINDDN: cn=orcladmin

IDSTORE_USERNAMEATTRIBUTE: cn

IDSTORE_LOGINATTRIBUTE: uid

IDSTORE_USERSEARCHBASE: cn=Users,dc=localdomain

IDSTORE_SEARCHBASE: dc=localdomain

IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=localdomain

IDSTORE_OAMSOFTWAREUSER: oamLDAP

IDSTORE_OAMADMINUSER: oamadmin

PRIMARY_OAM_SERVERS: fusion:5575

WEBGATE_TYPE: ohsWebgate10g

ACCESS_GATE_ID: Webgate_IDM

OAM11G_IDM_DOMAIN_OHS_HOST:fusion

OAM11G_IDM_DOMAIN_OHS_PORT:7777

OAM11G_IDM_DOMAIN_OHS_PROTOCOL:http

OAM11G_OAM_SERVER_TRANSFER_MODE:open

OAM11G_IDM_DOMAIN_LOGOUT_URLS:/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp

OAM11G_WG_DENY_ON_NOT_PROTECTED: false

OAM11G_SERVER_LOGIN_ATTRIBUTE: uid

OAM_TRANSFER_MODE: open

COOKIE_DOMAIN: .localdomain

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators

OAM11G_SSO_ONLY_FLAG: true

OAM11G_OIM_INTEGRATION_REQ: false

OAM11G_IMPERSONATION_FLAG:true

OAM11G_SERVER_LBR_HOST:fusion

OAM11G_SERVER_LBR_PORT:7777

OAM11G_SERVER_LBR_PROTOCOL:http

OAM11G_OIM_WEBGATE_PASSWD: Oracle123

COOKIE_EXPIRY_INTERVAL: 120

 

[oracle@fusion bin]$ ./idmConfigTool.sh -configOAM input_file=config_oam1.props

Enter ID Store Bind DN password :

Enter User Password for WLSPASSWD:

Confirm User Password for WLSPASSWD:

Enter User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:

Confirm User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:

The passwords do not match. Please re-enter.

Enter User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:

Confirm User Password for OAM11G_IDM_DOMAIN_WEBGATE_PASSWD:

Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:

Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:

Enter User Password for IDSTORE_PWD_OAMADMINUSER:

Confirm User Password for IDSTORE_PWD_OAMADMINUSER:

…

The tool has completed its operation. Details have been logged to automation.log

Restart Admin server.

Validating the Configuration

Login with oamadmin at http://fusion:7777/oamconsole

oamadmin/Oracle123

System Configuration -> Access Manager Settings -> SSO Agents -> Double click on OAM Agents

click Search

Webgate_IDM should be displayed here

Updating Newly-Created Agent

Click the Agent Webgate_IDM.

Select Open from the Actions menu.

Update the following information:

Deny if not Protected: Deselect.

Set Max Connections to 4 for all of the Oracle Access Manager servers listed in the primary servers list.

Click Apply.

Click Policy Configuration tab.

Double Click IAMSuiteAgent under Host Identifiers.

Click + in the operations box.

Enter the following information:

Host Name: fusion

Port: 7777

Click Apply.

Changing the Login Attribute

Note: If you have applied the previous patches then following will be already set.

Log in to the oamconsole at:

http://fusion:7777/oamconsole

2. Click the System Configuration tab.

3. Expand Data Sources - User Identity Stores.

4. Click OIMIDStore.

5. Click Open.

Adding the oamadmin Account to Access System Administrators

12-16 Product Title/BookTitle as a Variable

6. Change Username attribute to uid.

7. Click Apply.

Restart the managed server wls_oam1

Add oamadmin as administrator

1. Log in to the oamconsole at:

http://fusion:7777/oamconsole

2. Click the System Configuration tab.

3. Expand Data Sources - User Identity Stores.

4. Click OIMIDStore.

5. Click Open.

6. Click the + symbol next to Access System Adminsitrators.

7. Type oamadmin in the search box and click Search.

8. Click the returned oamadmin row, then click Add Selected.

9. Click Apply.

Validate OAM

[oracle@fusion tester]$ export JAVA_HOME=/app/fusion/jdk6

[oracle@fusion tester]$ cd /app/fusion/fmw/iam/oam/server/tester

[oracle@fusion tester]$ java -jar oamtest.jar

Enter following details click Connect

IP address: fusion

Port: 5575

Agent ID: Webgate_IDM

Agent Password: Oracle123

Enter following details in URI section and click Validate.

Scheme: http

Host: fusion

Port: 7777

Resource: /oamconsole

Operation: Get

Enter following details and click Authorize.

IP address: IP for the host fusion (for our case 192.168.56.101 or fusion)

Username: oamadmin

Password: Oracle123

Click Authorize. It should succeed. This concludes OAM test.

Update the Configuration File oam-config.xml

Edit /app/fusion/admin/IDMDomain/aserver/IDMDomain/config/fmwconfig/oam-config.xml
as per post step for patch 12989739

<Setting Name=”NoUniqueSessionsFor10gAgents” Type=”xsd:boolean”>true</Setting>

…

<Setting Name=”SessionConfigurations” Type=”htf:map”>

<Setting Name=”Timeout” Type=”htf:timeInterval”>120M</Setting>

<Setting Name=”Expiry” Type=”htf:timeInterval”>120M</Setting>

<Setting Name=”MaxSessionsPerUser” Type=”xsd:integer”>400</Setting>

</Setting>

Extending the Domain to Configure Oracle Identity Manager and Oracle SOA Suite

Start the configuration from <Middleware Home/oracle_common/common/bin

[oracle@fusion fmwconfig]$ cd /app/fusion/fmw/oracle_common/common/bin/

[oracle@fusion bin]$ ./config.sh &

Select “Extend an existing WebLogic domain” and click Next

Scroll down and select admin->IDMDomain->aseever -> IDMDomain and click Next

Select Oracle Identity Manager. It will automatically select Oracle SOA Suite and Oracle WSM. Click Next

Check all to modify all entries together. Provide database connect details and password Oracle123 for all. Accept default value for Schema owner names. Click Next

Now it will test the database connectivity through JDBC. Once JDBC test is successful, click Next

Select only “Managed Servers, Clusters and Machines” and click Next

Add entries for wls_soa1 and wls_oim1. Note the ports and click Next.

Click Next

Since we are using Linux/Unix machine, delete entry from above screen.

After Delete it should look as above. Click on Unix Machines tab

Make sure correct hostname is entered here. Click Next

Select wls_oim1 andwls_soa1 and click right arrow.

The screen will now look like above. Click Next

On Summary screen click Entend

Click OK

Once configuration finishes, click Done

Restart Weblogic Admin Server. Do not start OIM/SOA yet.

Note: Just in case if your database has case sensitive login enabled, make sure to disable it as follows. (default enabled in 11g)

SQL> alter system set sec_case_sensitive_logon=FALSE;

Configuring Oracle Identity Manager

Now we will configure the Identity Manager from <IAM Oracle Home>/bin

Before proceeding, ensure that the following are true:

1. The Administration Server is up and running.

2. The environment variables DOMAIN_HOME and WL_HOME are not set in the current shell.

[oracle@fusion bin]$ cd /app/fusion/fmw/iam/bin

[oracle@fusion bin]$ ./config.sh &

Click Next

Select only OIM Server and click Next

Enter database details in shown format “fusion:1521:fusiondb“. Select Schema names (keep default) and enter password (oracle123). Make sure to keep a note of these schema names DEV_OIM and DEV_MDS. We will need these later during provisioning plan. Click Next

Enter AdminServer details in t3://<hostname>:<port> format. Here t3://fusion:7001

Important Note: Before clicking next make sure that AdminServer is running otherwise it may throw following error on next page. Start or restart AdminServer if you see this error.

INST-6180: Error while retrieving OIM Managed Server URL from the domain.

Click Next

Enter passwords as follows and keep a note of them since we will require them in provisioning wizard.

OIM Admin password: Oracle123

Keystore Password: Oracle123

Enter OIM HTTP URL as http://fusion:14000 (based on port value in previous configuration step). Click Next

Deselect Configure BI Publisher and select Enable LDAP Sync. Click Next

Enter details as follows and click Next

Directory type: OID

ID: oid1

URL: ldap://fusion:3060

Server User: cn=oimLDAP,cn=systemids,dc=localdomain

Server Password: Oracle123

Server SearchDN: dc=localdomain

Enter details as follows and click Next.

Role Container: cn=Groups,dc=localdomain

User container: cn=Users,dc=localdomain

Reservation container: cn=Reserve,dc=localdomain

Save the summary if required and click Configure.

Once configuration finishes click Next

Save the configuration summary if needed and click Finish to complete the configuration.

Start wls_oim1 and wls_soa1 managed servers.

copy boot.properties

[oracle@fusion bin]$ cd /app/fusion/admin/IDMDomain/aserver/IDMDomain/servers/

[oracle@fusion servers]$ cp -p AdminServer/security/boot.properties wls_oim1/security/

[oracle@fusion servers]$ cp -p AdminServer/security/boot.properties wls_soa1/security/

Validate OIM by launching http://fusion:14000/oim

Now login with xelsysadm/Oralce123

Now validate SOA by launching http://fusion:8001/soa-infra and login with weblogic/Oracle123

Apply patch 12790893. This is required patch for following steps to succeed.

Post steps for patch 12790893

Post Step-1

Edit weblogic.profile file

[oracle@fusion bin]$ cd /app/fusion/fmw/iam/server/bin

[oracle@fusion bin]$ cat weblogic.profile

# Please fill the information below before running the post-patch script.

# Put the OIM DB schema owner name here

operationsDB.user=DEV_OIM

# Put the DB driver to be used

operationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource

# Put the absolute path to the Weblogic server directory here.

weblogic.server.dir=/app/fusion/fmw/wlserver_10.3

# The host on which OIM db is running

operationsDB.host=fusion

# The service name of the OIM db [Do not mention the SID here.]

operationsDB.serviceName=fusiondb

# The port of the OIM db

operationsDB.port=1521

# Application server

appserver.type=wls

 

[oracle@fusion bin]$ export JAVA_HOME=/app/fusion/jdk6

[oracle@fusion bin]$ export WL_HOME=/app/fusion/fmw/wlserver_10.3

[oracle@fusion bin]$ export OIM_ORACLE_HOME=/app/fusion/fmw/iam

[oracle@fusion bin]$ export ANT_HOME=/app/fusion/fmw/modules/org.apache.ant_1.7.1

 

[oracle@fusion bin]$ ./patch_weblogic.sh Oracle123

Buildfile: /app/fusion/fmw/iam/server/setup/deploy-files/setup.xml

[input]Enter the oim db password:

Buildfile: /app/fusion/fmw/iam/server/setup/deploy-files/setup.xml

 

Post Step-2

[oracle@fusion bin]$ mkdir $ORACLE_HOME/temp/log

[oracle@fusion bin]$ cp -p ~/patches/12790893/files/temp/RequestTemplateManagementPolicies.xml /app/fusion/fmw/iam/temp/

[oracle@fusion bin]$ cd $OIM_ORACLE_HOME/server/setup/deploy-files

 

[oracle@fusion deploy-files]$ /app/fusion/fmw/modules/org.apache.ant_1.7.1/bin/ant -f setup.xml upgrade-oes-ootb-policies -DoperationsDB.user=DEV_OIM -DOIM.DBPassword=Oracle123 -DoperationsDB.driver=oracle.jdbc.xa.client.OracleXADataSource -DoperationsDB.host=fusion -DoperationsDB.port=1521 -DoperationsDB.SID=fusiondb -Dpolicy.dir=/app/fusion/fmw/iam/temp -Dupdate.flag=true -Dweblogic.server.dir=/app/fusion/fmw/wlserver_10.3

Buildfile: setup.xml

upgrade-oes-ootb-policies:

upgrade-oes-ootb-policies:

[echo] —-> UPDATING OUT OF THE BOX OES POLICIES

[java] [EL Info]: 2012-03-19 09:13:59.734–ServerSession(140283754)–EclipseLink, version: Eclipse Persistence Services – 1.1.0.r3634

[java] [EL Info]: 2012-03-19 09:14:06.151–ServerSession(140283754)–file:/app/fusion/fmw/iam/modules/oracle.oes_11.1.1/jps-internal.jar-JpsDBDataManager login successful

[echo] —-> SEEDING COMPLETE LOG FILE

[echo] —-> LOG FILE : /app/fusion/fmw/iam/temp/log

BUILD SUCCESSFUL

Total time: 52 seconds

Post Step-3

cd PATCH_TOP/12790893/files/server/db/oim/oracle/

Connect to the db as OIM_db_user

SQL> @Upgrade/oim11gps1_dml_insert_pty_FAAdministratorsRole.sql

SQL> @Upgrade/oim11gps1_dml_insert_pty_cookie-http-only-flag-turned-on.sql

SQL> @Upgrade/oim11gps1_dml_update_AllowDisabledManagers.sql

SQL> @Upgrade/oim11gps1_dml_create_UMS_ITRes_def_instance.sql

SQL> @StoredProcedures/API/oim_usr_mgmt_pkg_body.sql

SQL> @StoredProcedures/Recon/OIM_SP_ReconBlkRoleCRU.sql

SQL> @StoredProcedures/Recon/XL_SP_ReconBlkChildMthAcntCRUD.sql

SQL> @StoredProcedures/Recon/XL_SP_ReconBlkRoleMemValMatch.sql

SQL> @StoredProcedures/Recon/XL_SP_ReconRoleMemValMatch.sql

Post-step 4:

Deploy OAACGRoleAssignSODCheck composite with a deployment plan to SOA server.

a) Login to EM and select/click on OAACGRoleAssignSODCheck [1.0] composite on the home page

b) From top menu, select SOA Composite->SOA Deployment->Undeploy and then click on Undeploy in step2

Note: If it waits forever, just close the window and proceed to next step.

c) Unzip OAACGRoleAssignSODCheck.zip in <OIM_ORACLE_HOME>/server/workflows/composites to a temporary location, lets say /tmp

[oracle@fusion tmp]$ cd /tmp

[oracle@fusion tmp]$ unzip /app/fusion/fmw/iam/server/workflows/composites/OAACGRoleAssignSODCheck.zip OAACGRoleAssignSODCheck/deploy/sca_OAACGRoleAssignSODCheck_rev1.0.jar

Archive: /app/fusion/fmw/iam/server/workflows/composites/OAACGRoleAssignSODCheck.zip

inflating: OAACGRoleAssignSODCheck/deploy/sca_OAACGRoleAssignSODCheck_rev1.0.jar

c) Get sca_OAACGRoleAssignSODCheck_rev1.0.jar from /tmp/OAACGRoleAssignSODCheck/deploy folder

d) Open the jar file and extract soaconfigplan.xml file

e) Open the soaconfigplan.xml file and replace the following @oimT3URL, (oimServerHost,)oimServerPort with appropriate values

f) Put the updated soaconfigplan.xml back into sca_OAACGRoleAssignSODCheck_rev1.0.jar file and copy this jar to <WLS_DOMAIN_HOME>/soa/autodeploy

folder

g) Restart SOA server

Post-step 5: Start the OIM server

Post step 6: Use em to update OAACgConfig ResponseTimeoutvalue from 300 secs to 240

a) Login to em as admin user

b) select OIM server

c) From the top pull down menu, select Weblogic Server–>System Mbean Browser

d) Go to Application Defined Mbeans and navigate oracle.iam->oim_server1>oim>XMLConfig>Config->XMLConfig.OAACGConfig

e) Select OAACGConfig and in the Attributes, change ResponseTimeoutvalue form 300 to 240

We skipped post steps 7, 8 and 9 for now since our aim at the moment is to complete fusion installation and show the look and feel.

Post-step 10: Steps to enable default TenantGUID value for callbacks payload:

1. Login in OIM UI as xelsysadm user. Click on ‘Advanced’ on the top right.

2. Click on ‘System Management’ tab available on the top.

3. Click on ‘System Configuration’ subtab.

4. Click on Actions ->Create a New OIM System Property.

5. Provide Property Name: OIM.DefaultTenantGUID

6. Provide Keyword: OIM.DefaultTenantGUID

7. Provide Value: 1.

8. Click Perform.

Post-step 11: Restart OIM Server

Configuring Oracle Identity Manager to Reconcile from ID Store

[oracle@fusion ldap_config_util]$ cd /app/fusion/fmw/iam/server/ldap_config_util

[oracle@fusion ldap_config_util]$ more ldapconfig.props

# OIMServer Type, Valid values can be WLS, JBOSS, WAS

# e.g.: OIMServerType=WLS

OIMServerType=WLS

# OIMAdmin User Login

# e.g.: OIMAdminUser=xelsysadm

OIMAdminUser=xelsysadm

# Skip Validation of OVD Schema

# e.g.: SkipOVDValidation=true|false, Default false

SkipOVDValidation=true

# OIM Provider URL

# e.g.: OIMProviderURL=t3://localhost:8003

OIMProviderURL=t3://fusion:14000

# OID URL

# e.g.: OIDURL=ldap://localhost:389

OIDURL=ldap://fusion:3060

# Admin user name to connect to OID

# e.g.: OIDAdminUsername=cn=orcladmin

OIDAdminUsername=cn=orcladmin

# Search base

# e.g.: OIDSearchBase=dc=company,dc=com

OIDSearchBase=dc=localdomain

# Name of the user container

# e.g.: UserContainerName=cn=Users

UserContainerName=cn=Users

# Name of the role container

# e.g.: RoleContainerName=cn=Roles

RoleContainerName=cn=Groups

# Name of the reservation container

# e.g.: ReservationContainerName=cn=Reserve

ReservationContainerName=cn=Reserve

 

[oracle@fusion ldap_config_util]$ ./LDAPConfigPostSetup.sh

[Enter OID admin password:]

[Enter OIM admin password:]

Successfully Enabled Changelog based Reconciliation schedule jobs

Configuring Oracle HTTP Servers for Oracle Identity Manager and SOA

Append following entries in /app/fusion/admin/ohs_inst1/config/OHS/ohs1/moduleconf/admin.conf

# oim admin console(idmshell based)

<Location /admin>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

# oim self and advanced admin webapp consoles(canonic webapp)

<Location /oim>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

# SOA Callback webservice for SOD – Provide the SOA Managed Server Ports

<Location /sodcheck>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 8001

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

# Callback webservice for SOA. SOA calls this when a request is approved/rejected

# Provide the SOA Managed Server Port

<Location /workflowservice>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

# xlWebApp – Legacy 9.x webapp (struts based)

<Location /xlWebApp>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

# Nexaweb WebApp – used for workflow designer and DM

<Location /Nexaweb>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

# used for FA Callback service.

<Location /callbackResponseService>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

# spml xsd profile

<Location /spml-xsd>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

<Location /HTTPClnt>

SetHandler weblogic-handler

WLProxySSL OFF

WLProxySSLPassThrough OFF

WLCookieName oimjsessionid

WebLogicHost fusion

WebLogicPort 14000

WLLogFile “${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log”

</Location>

Restart HTTP Server to bring this to effect.

Validate http://fusion:7777/oim with xelsysadm user

Now login to Weblogic Console at http://fusion:7777/console

Click Lock and Edit. Select Servers->wls_soa1. In the protocols tab click on HTTP and change the following values. Now click on Activate changes.

Restart managed server wls_soa1

Enabling Oracle Identity Manager to Connect to SOA Using the Administrative Users Provisioned in LDAP

Perform the following postinstallation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user provisioned in the central LDAP store. This enables Oracle Identity Manager to connect to SOA without any problem:

1. Log in to Enterprise Manager at: http://fusion:7777/em

2. Right click Identity and Access –OIM–oim(11.1.1.3.0) and select System Mbean Browser.

3. Select Application-defined Mbeans –> oracle.iam–Server: wls_oim1 –> Application:

oim–> XML Config–> Config–XMLConfig.SOAConfig –> SOAConfig

4. View the username attribute. By default, the value of this attribute is weblogic. Change this to the Oracle WebLogic Server administrator username weblogic_idm

5. Click Apply.

6. Select Weblogic Domain–IDM Domain from the Navigator.

7. Select Security–Credentials from the down menu.

8. Expand the key oim.

9. Click SOAAdminPassword.

10. Click Edit.

11. Change the username to weblogic_idm and set the password to the accounts password.

12. Click OK.

13. Run the reconciliation process to enable the Oracle WebLogic Server administrator,

weblogic_idm, to be visible in the OIM Console. Follow these steps:

a. Log in to Oracle Identity Manager at:

https://fusion:7777/oim as the user xelsysadm.

b. Click Advanced.

c. Click the System Management tab

d. Click the arrow for the Search Scheduler to list all the schedulers.

e. Select LDAP User Create and Update Full Reconciliation.

f. Click Actions->Run now to run the job.

Go to the Administration page and perform a search to verify that the user is visible in the Oracle Identity Manager console.

14. Select Administration.

15. Click Advanced Search–Roles

16. Search for the Administrators role.

17. Click the Administrators Role.

18. Click Open.

19. Click the Member tab.

20. Click Assign.

21. Type weblogic_idm in the Search box and Click ->.

22. Select weblogic_idm from the list of available users.

23. Click > to move to Selected Users.

24. Click Save.

25. Restart Oracle Identity Manager managed server.

Update Oracle Identity Manager JMS Queues

Update Oracle Identity Manager JMS queues as follows:

1. Log in to the WebLogic console as the administrative user.

2. Select Services - Messaging - JMS Modules from the Domain Structure menu.

3. Click OIMJMSModule.

4. Click Lock & Edit.

5. For each of the queues, click the queue then click the Delivery Failure tab and change Redelivery Limit value from -1 to 1, then click Save.

6. Make sure you have performed Steps 4 and 5 for all the queues under OIMJMSModule.

7. Click Activate Changes.

8. Restart Oracle Identity Manager server

This concludes the configuration of Oracle Identity and Access Management components. Next is very important step to integrate OIM and OAM.

Next: Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)

Important Note: We are NOT creating a separate database to host Oracle Identity Management schemas. Instead we will create these schemas in our Fusion Database (fusiondb) itself since the schema names are distinct compared to Fusion Application schemas. We will save a lot of Memory for our Virtual Machine.

In order to run RCU for Identity Management on same database, we must set the open_cursors parameter to 800.

Open a new database session and set following values.

SQL> show parameter open_cursors

NAME TYPE VALUE

———————————— ———– ——————————

open_cursors integer 500

SQL> alter system set open_cursors=800 scope=both sid=’*';

System altered.

Launch Repository Creation Utility for Oracle Identity Management from <Framework_location>/fmw_rcu/bin location

[oracle@fusion bin]$ /app/fusion/provisioning/fmw_rcu/bin/rcu &

Click Next

Select Create and click Next

Enter the database information (for same fusiondb database as entered earlier. Click Next

Next it will check for required prerequisites. Upon successful check click OK

Click Idnentity Management. It will select few other required components also automatically. Click Next

Again it will check prerequisites for the selected components. Upon successful check click OK

Enter same password Oracle123 for ease of remembering. Click Next

No need to change anything in this screen. Click Next

Click OK

It will create the required tablespaces. Once finished click OK

On this summary screen click Create to create required schemas and load data.

This will be quicker than earlier RCU. Once finished proceed to next screen.

Finally it will display Completion Summary. Clock Close

Next: Installing Oracle Identity and Access Management Components

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Installing Oracle 11g Database (Applications Transactional Database)

Create a directory on physical partition and call it APPS_RCU_HOME

[oracle@fusion linux]$ mkdir /app/fusion/provisioning/apps_rcu

Go to repository_location/installers/apps_rcu and locate the rcuHome_fusionapps_dbinstall.zip file. This file was staged when you created the installer repository.

Extract the contents of rcuHome_fusionapps_dbinstall.zip to a directory (APPS_RCU_HOME) on the database server. All dependent components that Applications RCU needs are included in this zipped file.

[oracle@fusion apps_rcu]$ cd /app/fusion/provisioning/apps_rcu

[oracle@fusion apps_rcu]$ unzip /mnt/fusion/installers/apps_rcu/linux/rcuHome_fusionapps_linux.zip

Create a temporary directory on the database server. Make a note of the location.

You will need to enter this location when you specify a value for FUSIONAPPS_DBINSTALL_DP_DIR

[oracle@fusion apps_rcu]$ mkdir /app/fusion/provisioning/apps_rcu/dp_dir

Locate and copy APPS_RCU_HOME/rcu/integration/fusionapps/export_

fusionapps_dbinstall.zip to the directory you specified for FUSIONAPPS_

DBINSTALL_DP_DIR.

Unzip export_fusionapps_dbinstall.zip to FUSIONAPPS_DBINSTALL_DP_DIR.

[oracle@fusion dp_dir]$ cd /app/fusion/provisioning/apps_rcu/dp_dir

[oracle@fusion dp_dir]$ unzip /app/fusion/provisioning/apps_rcu/rcu/integration/fusionapps/export_fusionapps_dbinstall.zip

Go to APPS_RCU_HOME/rcu/integration/biapps/schema and locate the

otbi.dmp file.

Copy otbi.dmp to FUSIONAPPS_DBINSTALL_DP_DIR (where you unzipped the

contents of export_fusionapps_dbinstall.zip).

[oracle@fusion dp_dir]$ cp -p ../rcu/integration/biapps/schema/otbi.dmp /app/fusion/provisioning/apps_rcu/dp_dir/

Launch Repository Creation Utility (RCU)

[oracle@fusion bin]$ cd /app/fusion/provisioning/apps_rcu/bin

[oracle@fusion bin]$ ./rcu

Click Next

Click Next

Enter same details as entered while creating the database in previous step. Click Next

This screen will check pre-requisites. Click Ok once successful.

Select all components in this Window.

It will look as above when you collapse all parent values. Click Next

Important Note: If you had reduced SGA and PGA size after DB installation then this prerequisites check may fail with following error.

RCU-6083:Failed – Check prerequisites requirement for selected component:FUSIONAPPS

RCU-6107:DB Init Param Prerequisite failure for: pga_aggregate_target

Current Value is 2147483648. It should be greater than or equal to 4294967296.

RCU-6107:DB Init Param Prerequisite failure for: sga_target

Current Value is 2147483648. It should be greater than or equal to 9663676416.

 

To fix this issue, we need to modify the minimum requirement of SGA and PGA in installer pre-requisite config file located at /app/fusion/provisioning/apps_rcu/rcu/integration/fusionapps/fusionapps.xml

 

Change these values as follows.

<DBPrerequisite COMPARE_OPERATOR=”GE” DATA_TYPE=”NUMBER” PREREQ_TYPE=”InitParameter”>

<ValidIf DBTYPE=”ORACLE”/>

<PrereqIdentifier>sga_target</PrereqIdentifier>

<PrereqValue>2147483648</PrereqValue>

</DBPrerequisite>

…

<DBPrerequisite COMPARE_OPERATOR=”GE” DATA_TYPE=”NUMBER” PREREQ_TYPE=”InitParameter”>

<ValidIf DBTYPE=”ORACLE”/>

<PrereqIdentifier>pga_aggregate_target</PrereqIdentifier>

<PrereqValue>2147483648</PrereqValue>

</DBPrerequisite>

The prerequisites check should finish successfully. Click Ok

Enter same password Oracle123 for keeping it simplefor now. Click Next

Open another terminal window. Create following directories for custom environment variables.

[oracle@fusion database]$ mkdir /app/fusion/database/applcp

[oracle@fusion database]$ mkdir /app/fusion/database/appllog

[oracle@fusion database]$ mkdir /app/fusion/database/keyflexcombfilter

[oracle@fusion database]$ mkdir /app/fusion/database/obieebkp

Specify these following values in the same screen under Fusion Applications Component (expect first value which is the temporary DP directory created before /app/fusion/provisioning/apps_rcu/dp_dir)

Supervisor Password: You must enter the same password you set up as ODI SUPERVISOR in Applications RCU. Since we kept all passwords as Oracle123, nothing much to remember. Enter the same password.

Work Repository Password: Default = None. You must enter the same password set up as ODI SUPERVISOR in Applications RCU.

Oracle Transactional BI

Directory on the database server where Oracle Transactional Business Intelligence import and export files are stored. Enter /app/fusion/provisioning/apps_rcu/dp_dir again.

Change nothing in this page. Click Next

Click OK

Now it will create the required tablespaces. Click OK

Once Tablespaces are created, next Summary screen will appear for creating the required Schemas. Click Create

It may take a couple of hours or even more based on the available memory and CPU for the VM and host machine.

Once finished, a completion summary screen will appear. It will show details for each components and completion states. Click Close

Next: Running Repository Creation Utility (RCU) for Oracle Identity Management components

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment

Previous: Installing Fusion Applications Provisioning Framework

To install Applications Transactional Database we need to run Oracle Fusion Applications Provisioning Wizard from <framework_location>/provisioning/bin

<framework_location> is same what we mentioned in previous post. i.e. /app/fusion

[oracle@fusion $ cd /app/fusion/provisioning/bin

We need to temporarily set JAVA_HOME to jdk6 directory shipped with the installation media

[oracle@fusion bin]$ export JAVA_HOME=/mnt/fusion/jdk6

[oracle@fusion bin]$ ./provisioningWizard.sh

Click Next

Click Next

Deselect security updates notification. Click Next

Provide database listener port (default is 1521, if you change this port please note to enter the new port in future screens where we have mentioned 1521)

Installer directory location will be the same as you created the stage setup or provisioning repository.

Provide a location for Oracle Base. Press TAB, next values should automatically be populated, if not, go back and click next again.

Enter dba as OSDBA group.

We have specified “fusiondb” as our database name. please note that if you are using any other name then don’t forget to change it in further screens whenever we have mentioned fusiondb.

Try to keep something like “Oracle123” for all passwords so that it will follow requirements for all further passwords and it will be easier for you to remember all passwords in further installations.

Next it will finish the pre-requisite checks. Click Next

On next page, you can Save the summary. Click Install to start the installation.

Note: This will install the software as well as create a database named “fusiondb” which we provided earlier.

At this point it will prompt for running root.sh as root user.

Do not press Ok until run the following as root user in separate terminal window. Once following is executed, press Ok to continue.

[root@fusion ~]# /app/fusion/database/product/11.2.0/dbhome_1/root.sh

Check /app/fusion/database/product/11.2.0/dbhome_1/install/root_fusion_2012-01-1 5_12-29-28.log for the output of root script

[root@fusion ~]# tail -f /app/fusion/database/product/11.2.0/dbhome_1/install/root_fusion_2012-01-15_12-29-28.log

The following environment variables are set as:

ORACLE_OWNER= oracle

ORACLE_HOME= /app/fusion/database/product/11.2.0/dbhome_1

 

Creating /etc/oratab file…

Entries will be added to the /etc/oratab file as needed by

Database Configuration Assistant when a database is created

Finished running generic part of root script.

Now product-specific root actions will be performed.

Finished product-specific root actions.

It may take a few hours (at least on a non-high end host machine) and then installation will finish.

Important Note: After installation is finished we reduced the SGA and PGA (from 10GB to 2GB). We are doing this since we are running on a VM and have allocated total 2.5 or 3 GB RAM only. This is not recommended for production installation but since this is only a demo/development installation, you can safely do this. If you wish to keep it 10GB you can do it but this will increase the swap usage exponentially.

Since we are reducing the size of SGA and PGA, next step (RCU) may fail in pre-requisite check. So we will need to change the pre-req check xml file to look for lower value. We will explain this in next post.

Next:  Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)

Installing Oracle Fusion Applications – steps

1. Installing Fusion Applications Provisioning Framework
   
2. Installing Oracle 11g Database (Applications Transactional Database)
   
3. Running Oracle Fusion Applications Repository Creation Utility (Applications RCU)
   
4. Creating another database for Oracle  Identity Management Infrastructure (optional)
   
5. Running Repository Creation Utility (RCU) for Oracle Identity Management components
6. Installing Oracle Identity and Access Management Components
   
7. Configuring Oracle Identity and Access Management components
   
8. Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
   
9. Creating a New Provisioning Plan
   
10. Provisioning an Applications Environment