Oracle Identity and Access Management Implementation

Ensuring a complete functional installation
Prepared by: Ken Ramey
Senior Consultant and Portfolio Manager
Centroid Systems
OID Installation and Configuration Topics
■  Repository Creation
▪  Creating the Database Schemas
■  Oracle Internet Directory Installation
▪  WebLogic Software
▪  OID Software
▪  JDK Requirements
■  Oracle Internet Directory Domain Creation and Configuration
▪  Running the configuration script
▪  Creating a domain
▪  Using staticports.ini
▪  Starting the services
▪  Boot.properties file
OAM Installation and Configuration
■  Oracle Access Manager Installation
▪  WebLogic Software
▪  OAM Software
▪  JDK Requirements
■  Oracle Access Manager Domain Creation and Configuration
▪  Running the Configuration script
▪  Creating the domain
▪  Starting the services
▪  Validating the installation
Integrating OID / OAM Single Sign On
■  OAM System Configuration
■  User Identity Store
■  Authentication Policies
■  OAM Agent
■  Creating OAM Host Identifiers
■  Creating OAM Application Domains
▪  Associating URLs to protect
■  Creating Authentication Scheme
Repository Creation
■  Requires the appropriate DB schemas to be preinstalled
■  Use the Repository Creation Assistant version that matches the version of the Identity Management you are installing
■  Run on the DB server or ID Management server
■  Must have Sys or System privileges on the DB
■  Database should be on another server (but for demo purposes can exist on the same box)
■  11.1 or 11.2 database
Starting RCU
■  Run the RCU start script
Checking DB Prerequisites
If there are any failures,
update the database to
correct the problems
Select Schemas to Install
•  Choose the components to be installed:
•  Oracle Internet Directory
•  Oracle Access Manager
•  Oracle Identity Manager (optional)
•  Required schemas will auto select
Choose a password; it is easiest to choose the same password for all schemas
Validate the schemas
Validate the Schemas and
Tablespaces.
If something is missing, go
back and choose it.
You can run this utility
multiple times if you need to
install a new component.
Validating Objects to be Created
All DB Objects Created
Install WebLogic Software for OID Domain
Note the use of the Sun JDK. OID will install, but you will be unable to configure a domain if JRockit is used.
Note: Set the max heap size for the command. Failure to do so may cause errors during installation.
Create New Middleware Home
Create a new
Middleware_Home for this
installation. This will simplify
your environment if you have
other FMW applications on this
server.
Choose Installation Type
Choose Custom in order to
remove unneeded elements
Select Components
Deselect Evaluation DB and
Coherence. They are not
needed for OID
Choose JDK
If you set your PATH and
JAVA_HOME variables
before running the
installation, you will see the
Sun JDK is already
selected. You can select it
using Browse if you did not
set your environment.
USE Sun JDK!
Choose Product Install Directory
Installation Summary
Install OID Software
Once again, ensure the Sun
JDK is your JAVA_HOME
Install Continued
Choose Install – Do Not
Configure. We shall configure
in another step. At this point
we only wish to install the
software.
Prerequisite Checks
Prerequisite Check. Ensure
your operating system meets
the minimum prerequisites for
this install. You may need to
update some environment
settings to pass this. This
screen will tell you what has
failed.
Choose Middleware_Home
Ensure you choose the
correct Middleware_Home in
this step if you have multiple
homes on the same server.
Installation Summary
After the install is completed,
you will need to run the
specified file as root
Configure OID Domain
Run config.sh located in $ORACLE_HOME/bin
$ORACLE_HOME should be set to <MIDDLEWARE_HOME>/Oracle_IDM/
Note: There are other config.sh files in $ORACLE_HOME/common/bin and $MIDDLEWARE_HOME/common/bin. Do not run these, as you will get errors or be unable to configure the correct Domain components.
Create a New Domain
Enter a value for the
weblogic user password
Choose Install Location
Again, ensure the correct
middleware_home directory
is chosen
Choose the Components to be Installed
Only choose the components
you need AND for which you
created the appropriate DB
Schemas.
Choose Clustered at this time
even if you do not plan to
cluster this instance right away.
Failure to do so will make it
quite difficult to cluster in the
future.
Port Configuration
Auto Configure will work fine if
this is the first FMW product
installed on the box.
Otherwise copy the
staticports.ini file from the
staging directory and update
the ports as shown in the
following slide.
Configure Ports Using staticports.ini
Edit staticports.ini as follows:
  [DOMAIN]
  #This port indicates the Domain port number
  Domain Port No = 7101
  Node Manager Port No = 5557
Change the Domain Port No to 7101 or another free port
Enter the security realm name
you wish to use
Enter the password for the
ORCLADMIN user
Enter OID Repository Connection Information
OID Security Realm
Enter Security Realm info for OID
Finishing Up
Validate Weblogic Domain
Create a boot.properties file.
The boot.properties file stores the username and password used to start the Admin Server; WebLogic encrypts them the first time you start the server. This allows you to start the server in the background.
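Creating the file from a shell, as an added example that is not part of the deck: until the Admin Server's first start the values are still in clear text on disk, so the file is created readable only by the WebLogic OS user and checked afterwards. The default server directory name "AdminServer" is assumed; DOMAIN_HOME and the credentials are placeholders.

```shell
#!/bin/sh
# Added example (not from the deck): write boot.properties for the Admin Server
# so it can be started unattended, keeping the file at mode 0600 because the
# credentials are not encrypted until WebLogic first reads the file.
# Assumes the default server name "AdminServer"; DOMAIN_HOME, user and password
# passed in are placeholders.
write_boot_properties() {
  domain_home=$1; user=$2; pass=$3
  secdir="$domain_home/servers/AdminServer/security"
  mkdir -p "$secdir"
  f="$secdir/boot.properties"
  # umask inside a subshell: the file is born 0600 rather than created and then fixed
  ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$f" )
  chmod 600 "$f"
  printf '%s\n' "$f"
}

check_boot_properties() {
  # $1 = path; succeeds only if the file is exactly mode 0600 and has both keys
  f=$1
  [ -n "$(find "$f" -perm 600 2>/dev/null)" ] || return 1
  grep -q '^username=' "$f" && grep -q '^password=' "$f"
}

# Usage (placeholders):
#   f=$(write_boot_properties "$DOMAIN_HOME" weblogic '<weblogic_password>')
#   check_boot_properties "$f" && echo "boot.properties OK"
```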
Log into the Admin Console
using the weblogic user /
password
Connect to ODSM to Validate OID
Note the port is 3060. You
can change this to 389 using
the staticports.ini file during
the domain creation.
Validate the Security Realm
Install a New WebLogic instance
■  Repeat the installation of WebLogic Software
■  Use JRockit JDK for this one (suggested for production environments)
▪  OID required Sun; OAM can use either one, but Oracle feels that JRockit has better memory management.
■  Choose a Middleware_Home name such as IAMMiddleware to keep it separate from OID and other application homes
■  Using a separate Middleware_Home will simplify upgrades and management. If you require an OAM upgrade but are not ready to upgrade OID, you can perform them on separate homes. This also simplifies management if you decide to move OID to a different server.
Install Identity and Access Management
Software
Run the installer specifying
the jreLoc as the location of
your chosen JDK JRE
OAM Prerequisites
Prerequisite Check. Again,
ensure all prerequisites are
met before continuing
Choose Middleware Home
Choose the middleware home
you just installed
(IAMMiddleware)
Installation Summary
Install SOA
This is only necessary if you
plan to use Oracle Identity
Manager
Prerequisite Checks
Installation Location
Installation Summary
Configure the OAM Domain
This time use the config.sh
located in the new
ORACLE_HOME/common/bin
Create a new Weblogic Domain
Select the desired
components. Required
components will be chosen
automatically
Specify Domain Information
Specify Domain Admin User
Specify Weblogic Startup Mode
Specify the mode to install
weblogic.
Development mode does not
require a password to start the
weblogic server and does not
require admins to lock the
configuration for edits.
Production mode requires a
password to start the weblogic
admin console and admins
must lock the configuration in
order to make edits.
Configure Database Connection Information
Test Database Configuration
Select Components to Configure Within Domain
Choose Admin Server,
Managed Servers Clusters, and
Machines
Admin Server Configuration
Update the port to one that is
free on the server
Configure Managed Servers
Managed Servers are the WebLogic server processes within which each deployed component runs
Configure a Cluster if Desired
Configure Machines
Machines are used by the Node Manager to determine which server process to start. This is especially useful when configuring a clustered environment: the Node Manager can communicate with both nodes.
Note: if installing on a Linux server, choose Unix Machine.
Assign Managed Servers to Machines
If clustered, you would have
oam_server1 and
oam_server2. These would be
assigned to different machines
Configuration Summary
Validate WebLogic Domain
Open the new weblogic console
Note OAM_Server is not yet
running
Start the OAM Server
Start the oam_server using startManagedWebLogic.sh oam_server1
OAM Server Running
Go back to the admin console
to validate the oam_server has
started.
Validate OAM Server
OAM Console should be located at:
http://hostname:<adminPort>/oamconsole
OAM is Validated
Environment Configuration
■  Create Users and Groups in OID
■  Configure OAM Weblogic domain to use OID
■  Integrate OID and OAM
▪  Register OID as the Identity Store for OAM
▪  Designate OID as the System Store
▪  Set the LDAP Authentication Module
■  Configure OHS / WebGate
■  Configure UCM WebLogic instance for OID Authenticator
Create Admin Group in OID
Navigate to Groups
Right Click and select “Create”
Group Creation
Create Admin User
Expand Users, right click and select Create
Create Admin User
Create User with at least the InetOrgPerson Object Class
Name the user oamadmin
Additional Attributes for User
Click the Green Plus under Optional Attributes
Add UID and userPassword
Add New User to Group
Configure OAM Weblogic to Use OID
Navigate to WebLogic
Admin Console ->
Security Realms ->
MyRealm -> Providers
Click New
Create OID Authentication Provider
Enter a name and select
OracleInternetDirectoryAuthenticator
Click OK
Configure Authenticator by clicking the new
authenticator after you return to the
providers screen.
Set Control Flag to “Sufficient”
Click Save, then select the Provider
Specific Tab
Continued
Enter the following information:
Host – OID host
Port – OID port (389 or 3060, depending on what you chose during installation)
Principal – cn=orcladmin
Credential – orcladmin password
Repeat Password
Scroll down and update the User and Group Base DN information to match your realm
Click Save
Return to the Providers Page
Reorder the Providers
Set the OID Authenticator to be first
Set the Default Authenticator control flag to Sufficient
Save, Activate Changes and restart WebLogic and OAM from the Server Administration
Register OID as the OAM Identity Store
Log into OAM Console via:
http://host:port/oamconsole
Log in using the weblogic
user.
Create a New Identity Store
Navigate to the “System
Configuration” Tab
Select “Data Sources” ->
“User Identity Stores”
Click the Create button at
the top of the menu.
Enter Identity Store Details
Provide a descriptive name
Choose OID as the Store Type
Enter host:port for the Location
Provide bind DN as cn=orcladmin
Provide password
Provide the user search base
Provide the group search base
Click Test Connection
Click apply
Designate the New Store as the System Store
Navigate to the new
OIDIdentityStore1
Check the box next to Set as
system store
Add the oamadmin_group as
the administrators
Click Test Connection
Click Apply
You will need to enter the
username / password of a
user in the admin group.
Configure the LDAP Authentication Module
Navigate to Access Manager
Settings
Expand Authentication Modules
Expand LDAP Authentication
Modules
LDAP
Choose OIDIdStore1 from the
dropdown
Click Apply
Close the browser and reopen
oamconsole. Log in as the
oamadmin user.
Install OHS
OHS is utilized as a web server (Apache) to front FMW applications
Directory structure is similar to Apache (htdocs, httpd.conf, etc.)
Uses mod_wl_ohs to integrate with WebLogic deployed applications
Uses Oracle WebGate to integrate OAM with WebLogic applications
OHS Installation Starting
Easier to use Install and
Configure
Default installation will
provide a working Web
Server already configured
Runs on port 7777 by
default
Prerequisites
Correct any and all failed
checks
Middleware Home
You can install in an existing
Middleware Home
It is common practice to install
the web server in the DMZ or on
a separate server. For
Development it is ok to run on
the same server
Components
If WebCache is required,
ensure the option is checked.
Instance Home
Default location is under
Oracle_WT1
Ports
By default, OHS will use port
7777
If you have a load balancer or firewall, you can direct 80/443 requests to this port
Oracle has instructions to configure OHS to use ports 80 and 443
Install Summary
Installation Progress
Auto Configuration Summary
Installation Complete
Testing OHS
Install WebGate
Oracle WebGate is required for integration of FMW applications and OAM
Provides the mechanism that listens for specified URLs and forwards to OAM for
authentication
Welcome Screen
Prerequisite Checks
Correct any and all failed
checks
Install Location
Use the OHS installation
directory from the previous
step
By default this will create a
directory
Oracle_OAMMiddleware1
Progress
Install Complete
Modify mod_wl_ohs.conf
Located in the OHS instance directory, alongside httpd.conf
mod_wl_ohs ensures that OHS forwards URL requests to the proper FMW port
Define locations and the WebLogic host and port.
One OHS instance can support multiple WebLogic domains and instances.
Deploy WebGate
./deployWebgateInstance.sh -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>
This script creates the necessary webgate directories within the OHS instance directory
Set the LD_LIBRARY_PATH to include the OHS libraries
The EditHttpConf script updates the httpd.conf file to include the calls to webgate.
Create an OAM Agent
Agent Creation
Name it appropriately
Choose Open, Simple or Cert (Open should not be used in Production Environments)
Add the /adfauthentication and /cs URL patterns that we added to mod_wl_ohs.conf previously
Click Apply
Agent Creation Summary
Make note of the Artifacts location
shown in the confirmation.
We will be copying these artifacts
to the WebGate instance
Copying Artifacts
■  File: ObAccessClient.xml
■  Destination: <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>/webgate/config
■  File: cwallet.sso
■  Destination: <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>/webgate/config
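Doing the copy from a shell, as an added example that is not part of the deck: the function builds the destination from the directory layout on the slide, refuses to continue if either artifact is missing, and restricts both files to the OHS owner, since cwallet.sso carries the agent's credential. OHS_Home, the instance names and the source directory written by the OAM Console are placeholders.

```shell
#!/bin/sh
# Added example (not from the deck): copy the two OAM agent artifacts into the
# WebGate instance config directory and lock them down. The path layout follows
# the slide; OHS_Home, instance names and the source directory are placeholders.
ARTIFACTS="ObAccessClient.xml cwallet.sso"

webgate_config_dir() {
  # $1=OHS_Home  $2=webtierInstance  $3=ohsInstance
  printf '%s/instances/%s/config/OHS/%s/webgate/config\n' "$1" "$2" "$3"
}

copy_webgate_artifacts() {
  # $1=directory holding the artifacts from the OAM Console
  # $2=OHS_Home  $3=webtierInstance  $4=ohsInstance
  src=$1; dest=$(webgate_config_dir "$2" "$3" "$4")
  mkdir -p "$dest"
  for f in $ARTIFACTS; do
    # stop before touching the instance if the console output is incomplete
    [ -f "$src/$f" ] || { echo "missing artifact: $src/$f" >&2; return 1; }
    cp "$src/$f" "$dest/$f"
    # cwallet.sso holds the agent credential, ObAccessClient.xml the agent
    # configuration: neither should be readable by other OS users
    chmod 600 "$dest/$f"
  done
  printf '%s\n' "$dest"
}

verify_webgate_artifacts() {
  # $1=webgate config dir; succeeds only if both files exist at mode 0600
  for f in $ARTIFACTS; do
    [ -n "$(find "$1/$f" -perm 600 2>/dev/null)" ] || return 1
  done
}

# Usage (placeholders):
#   d=$(copy_webgate_artifacts "$AGENT_OUTPUT_DIR" "$OHS_HOME" instance1 ohs1)
#   verify_webgate_artifacts "$d" && echo "WebGate artifacts in place"
```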
Configure UCM WebLogic Domain to Use OAM
Navigate to the WebLogic
admin Console
Click Security Realms
Choose My Realm
Create an OAM Identity Asserter
Create the OID Authenticator
Provider Order
OAMIdentityAsserter
OIDAuthenticator
DefaultAuthenticator
DefaultIdentityAsserter
OAM Identity Asserter Configuration
Control Flag must be
set to Required
Configure OID Authenticator
Set to Sufficient
Enter OID Authenticator Configuration Details
Same configuration
from when we did the
OAM Domain
previously
Configuring the Domain to Use OAM
WLST Script
WLST script must be entered exactly as below.
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html",autologinuri="/obrar.cgi")
Completed and Next Steps
•  Restart all WebLogic components
•  Navigate to UCM and log in. You should now be presented with the OAM
login screen instead of the normal WebCenter login screen
•  Your basic installation and configuration is complete
•  Create a custom login screen
•  Create a logout screen
•  Integrate other applications