REMINDER

Check in on the COLLABORATE mobile app

Oracle Identity and Access Management Implementation

Prepared by: Ken Ramey Senior Consultant and Portfolio Manager Centroid Systems

Ensuring a complete functional installation

OID Installation and Configuration Topics

■  Repository Creation
   ▪  Creating the Database Schemas
■  Oracle Internet Directory Installation
   ▪  WebLogic Software
   ▪  OID Software
   ▪  JDK Requirements
■  Oracle Internet Directory Domain Creation and Configuration
   ▪  Running the configuration script
   ▪  Creating a domain
   ▪  Using staticports.ini
   ▪  Starting the services
   ▪  Boot.properties file

OAM Installation and Configuration

■  Oracle Access Manager Installation
   ▪  WebLogic Software
   ▪  OAM Software
   ▪  JDK Requirements
■  Oracle Access Manager Domain Creation and Configuration
   ▪  Running the Configuration script
   ▪  Creating the domain
   ▪  Starting the services
   ▪  Validating the installation

Integrating OID / OAM Single Sign On

■  OAM System Configuration
■  User Identity Store
■  Authentication Policies
■  OAM Agent
■  Creating OAM Host Identifiers
■  Creating OAM Application Domains
   ▪  Associating URLs to protect
■  Creating Authentication Scheme

Repository Creation

■  Requires the appropriate DB schemas to be preinstalled
■  Use the Repository Creation Assistant version that matches the version of the Identity Management you are installing
■  Run on the DB server or ID Management server
■  Must have Sys or System privileges on the DB
■  Database should be on another server (but for demo purposes can exist on the same box)
■  11.1 or 11.2 database

Starting RCU

■  Run the RCU start script

Checking DB Prerequisites

If there are any failures, update the database to correct the problems

Select Schemas to Install

•  Choose the components to be installed:
   •  Oracle Internet Directory
   •  Oracle Access Manager
   •  Oracle Identity Manager (optional)
•  Required schemas will auto select

Choose a password. It is easiest to choose the same password for all schemas.

Validate the schemas

Validate the Schemas and Tablespaces. If something is missing, go back and choose it. You can run this utility multiple times if you need to install a new component.

Validating Objects to be Created

All DB Objects Created

Install WebLogic Software for OID Domain

Note the use of the Sun JDK. OID will install, but you will be unable to configure a domain if JRockit is used.
Note: Set the max heap size for the command. Failure to do so may cause errors during installation.

Create New Middleware Home

Create a new Middleware_Home for this installation. This will simplify your environment if you have other FMW applications on this server.

Choose Installation Type

Choose Custom in order to remove unneeded elements

Select Components

Deselect Evaluation DB and Coherence. They are not needed for OID

Choose JDK

If you set your PATH and JAVA_HOME variables before running the installation, you will see the Sun JDK is already selected. You can select it using Browse if you did not set your environment. USE Sun JDK!

Choose Product Install Directory

Installation Summary

Install OID Software

Once again, ensure the Sun JDK is your JAVA_HOME

Install Continued

Choose Install – Do Not Configure. We shall configure in another step. At this point we only wish to install the software.

Prerequisite Checks

Prerequisite Check. Ensure your operating system meets the minimum prerequisites for this install. You may need to update some environment settings to pass this. This screen will tell you what has failed.

Choose Middleware_Home

Ensure you choose the correct Middleware_Home in this step if you have multiple homes on the same server.

Installation Summary

After the install is completed, you will need to run the specified file as root

Configure OID Domain

Run config.sh located in $ORACLE_HOME/bin.
$ORACLE_HOME should be set to <MIDDLEWARE_HOME>/Oracle_IDM/
Note: There are other config.sh files in $ORACLE_HOME/common/bin and $MIDDLEWARE_HOME/common/bin. Do not run these, as you will get errors or be unable to configure the correct Domain components.

Create a New Domain

Enter a value for the weblogic user password

Choose Install Location

Again, ensure the correct middleware_home directory is chosen

Choose the Components to be Installed

Only choose the components you need AND for which you created the appropriate DB Schemas. Choose Clustered at this time even if you do not plan to cluster this instance right away. Failure to do so will make it quite difficult to cluster in the future.

Port Configuration

Auto Configure will work fine if this is the first FMW product installed on the box. Otherwise copy the staticports.ini file from the staging directory and update the ports as shown in the following slide.

Configure Ports Using staticports.ini

Edit staticports.ini as follows:

[DOMAIN]
#This port indicates the Domain port number
Domain Port No = 7101
Node Manager Port No = 5557

Change the domain port no to 7101 or other port
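A pre-flight check for an edited staticports.ini, as an added example (not part of the original slides or of Oracle's tooling). It parses the `[DOMAIN]` layout shown above and reports ports that are assigned twice, ports below 1024 that need root to bind, and ports already taken on the host; the `[CONSTRUCTED]` section, its key names and the `in_use` set are made-up sample data.

```python
import configparser

# Sample file: the [DOMAIN] section is the one shown on the slide;
# the [CONSTRUCTED] section and its key names are invented for the example.
SAMPLE = """\
[DOMAIN]
#This port indicates the Domain port number
Domain Port No = 7101
Node Manager Port No = 5557

[CONSTRUCTED]
# Constructed entries, for illustration only
Example LDAP Port No = 389
Example Console Port No = 7101
"""


def load_ports(text):
    """Parse staticports.ini text into a list of (section, key, port)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the key names exactly as written
    parser.read_string(text)
    ports = []
    for section in parser.sections():
        for key, value in parser.items(section):
            try:
                ports.append((section, key, int(value)))
            except ValueError:
                raise ValueError(f"[{section}] {key}: {value!r} is not a port number")
    return ports


def check_ports(ports, in_use=()):
    """Return findings as (kind, label, port) tuples, in file order.

    in_use is the set of ports already listening on the host, for
    instance collected from `ss -ltn` before running the installer.
    """
    findings = []
    first_owner = {}
    for section, key, port in ports:
        label = f"[{section}] {key}"
        if not 1 <= port <= 65535:
            findings.append(("out-of-range", label, port))
            continue
        if port < 1024:
            # Binding below 1024 needs root on Unix-like systems.
            findings.append(("privileged", label, port))
        if port in first_owner:
            findings.append(("duplicate", label, port))
        if port in in_use:
            findings.append(("in-use", label, port))
        first_owner.setdefault(port, label)
    return findings


if __name__ == "__main__":
    # 5557 is marked as already listening to show the in-use finding.
    for kind, label, port in check_ports(load_ports(SAMPLE), in_use={5557}):
        print(f"{kind:12} {port:5}  {label}")
```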

Enter the security realm name you wish to use.
Enter the password for the ORCLADMIN user.

Enter OID Repository Connection Information

OID Security Realm

Enter Security Realm info for OID

Finishing Up

Validate Weblogic Domain

Create a boot.properties file. The boot.properties file will store an encrypted username and password used to start the Admin Server (the values are encrypted the first time you start the server). This allows you to start the server in the background.

Log into the Admin Console using the weblogic user / password
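Because boot.properties holds the credentials in clear text until the first server start, it is worth creating it owner-only and checking afterwards that the values were encrypted. The following is an added example, not part of the original slides; it assumes the usual WebLogic location `<DOMAIN_HOME>/servers/<server>/security/boot.properties`, the `username=` / `password=` keys, and the `{AES}` (older releases: `{3DES}`) prefix WebLogic puts on encrypted values. All credentials shown are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Prefixes WebLogic places in front of a value once it has encrypted it.
ENCRYPTED_PREFIXES = ("{AES}", "{3DES}")


def write_boot_properties(domain_home, server, username, password):
    """Create boot.properties so that only the owning OS user can read it."""
    security_dir = Path(domain_home) / "servers" / server / "security"
    security_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(security_dir, 0o700)
    path = security_dir / "boot.properties"
    # O_EXCL refuses to overwrite an existing file; 0600 applies from creation,
    # so the plaintext is never briefly world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(f"username={username}\npassword={password}\n")
    return path


def audit_boot_properties(path):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"permissions {mode:03o} allow group/other access")
    props = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    for key in ("username", "password"):
        value = props.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif not value.startswith(ENCRYPTED_PREFIXES):
            findings.append(f"{key} is still plaintext (server not started yet?)")
    return findings


if __name__ == "__main__":
    # Constructed domain directory and credentials, for demonstration only.
    demo_home = tempfile.mkdtemp(prefix="demo_domain_")
    boot = write_boot_properties(demo_home, "AdminServer",
                                 "weblogic", "constructed-password")
    print("before first start:", audit_boot_properties(boot))
    # Simulate what the file looks like after the server has encrypted it.
    boot.write_text("username={AES}Y29uc3RydWN0ZWQ=\npassword={AES}c2FtcGxl\n")
    print("after first start: ", audit_boot_properties(boot))
```

If the audit still reports plaintext after the Admin Server has been started, the server did not read this file, which usually means it was placed under the wrong server name.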

Connect to ODSM to Validate OID

Note the port is 3060. You can change this to 389 using the staticports.ini file during the domain creation.

Validate the Security Realm

Install a New WebLogic instance

■  Repeat the installation of WebLogic Software
■  Use JRockit JDK for this one (suggested for production environments)
   ▪  OID required Sun, OAM can use either one, but Oracle feels that JRockit has better memory management.
■  Choose a Middleware_Home name such as IAMMiddleware to keep it separate from OID and other application homes
■  Using a separate Middleware_Home will simplify upgrades and management. If you require an OAM upgrade but are not ready to upgrade OID, you can perform them on separate homes. This also simplifies management if you decide to move OID to a different server.

Install Identity and Access Management Software

Run the installer specifying the jreLoc as the location of your chosen JDK JRE

OAM Prerequisites

Prerequisite Check. Again, ensure all prerequisites are met before continuing

Choose Middleware Home

Choose the middleware home you just installed (IAMMiddleware)

Installation Summary

Install SOA

This is only necessary if you plan to use Oracle Identity Manager

Prerequisite Checks

Installation Location

Installation Summary

Configure the OAM Domain

This time use the config.sh located in the new ORACLE_HOME/common/bin

Create a new Weblogic Domain

Select the desired components. Required components will be chosen automatically

Specify Domain Information

Specify Domain Admin User

Specify Weblogic Startup Mode

Specify the mode to install weblogic. Development mode does not require a password to start the weblogic server and does not require admins to lock the configuration for edits. Production mode requires a password to start the weblogic admin console and admins must lock the configuration in order to make edits.

Configure Database Connection Information

Test Database Configuration

Select Components to Configure Within Domain

Choose Admin Server, Managed Servers, Clusters, and Machines

Admin Server Configuration

Update the port to one that is free on the server

Configure Managed Servers

Managed Servers are the server processes that each process runs within

Configure a Cluster if Desired

Configure Machines

Machines are used by the node manager to determine which server process to start. This is especially useful when configuring a clustered environment. The node manager can communicate with both nodes.
Note: if installing on a Linux server, choose Unix Machine.

Assign Managed Servers to Machines

If clustered, you would have oam_server1 and oam_server2. These would be assigned to different machines

Configuration Summary

Validate WebLogic Domain

Open the new weblogic console.
Note OAM_Server is not yet running.

Start the OAM Server

Start the oam_server using startManagedWebLogic.sh oam_server1

OAM Server Running

Go back to the admin console to validate the oam_server has started.

Validate OAM Server

OAM Console should be located at: http://hostname:<adminPort>/oamconsole

OAM is Validated

Environment Configuration

■  Create Users and Groups in OID
■  Configure OAM Weblogic domain to use OID
■  Integrate OID and OAM
   ▪  Register OID as the Identity Store for OAM
   ▪  Designate OID as the System Store
   ▪  Set the LDAP Authentication Module
■  Configure OHS / WebGate
■  Configure UCM WebLogic instance for OID Authenticator

Create Admin Group in OID

Navigate to Groups.
Right click and select “Create”.

Group Creation

Create Admin User

Expand Users, right click and select Create

Create Admin User

Create User with at least InetOrgPerson Object Class.
Name the user oamadmin.

Additional Attributes for User

Click the Green Plus under Optional Attributes.
Add UID and userPassword.

Add New User to Group

Configure OAM Weblogic to Use OID

Navigate to WebLogic Admin Console -> Security Realms -> MyRealm -> Providers
Click New

Create OID Authentication Provider

Enter a name and select OracleInternetDirectoryAuthenticator
Click OK
Configure Authenticator by clicking the new authenticator after you return to the providers screen.
Set Control Flag to “Sufficient”
Click Save, then select the Provider Specific Tab

Continued

Enter the following information:
Host – OID host
Port – OID Port (389 or 3060 depending on what you chose during installation)
Principal – cn=orcladmin
Credential – orcladmin password
Repeat Password
Scroll down and update User and Group Base DN information to match your realm
Click Save
Return to the Providers Page

Reorder the Providers

Set the OID_Authenticators to be first
Set the Default Authenticator control flag to Sufficient
Save, Activate Changes and Restart WebLogic and OAM from the Server Administration
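Why the reorder and the second Sufficient flag matter, as an added example that is not part of the original slides: a small model of how an ordered provider list is evaluated. It assumes WebLogic's control flags follow the standard JAAS rules and that a new domain's DefaultAuthenticator starts out as REQUIRED; the `Provider` class, user stores and passwords are constructed for the illustration.

```python
from dataclasses import dataclass, field

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


@dataclass
class Provider:
    """One authentication provider in the realm (constructed model)."""
    name: str
    flag: str
    users: dict = field(default_factory=dict)

    def check(self, username, password):
        return username in self.users and self.users[username] == password


def evaluate(providers, username, password):
    """Apply JAAS control-flag rules; return (authenticated, trace)."""
    trace = []
    mandatory_seen = mandatory_failed = optional_ok = False
    for provider in providers:
        ok = provider.check(username, password)
        trace.append((provider.name, provider.flag, ok))
        if provider.flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if provider.flag == REQUISITE:
                    break  # REQUISITE failure stops the chain at once
        elif ok:
            optional_ok = True
            if provider.flag == SUFFICIENT and not mandatory_failed:
                return True, trace  # SUFFICIENT success short-circuits
    if mandatory_failed:
        return False, trace
    if mandatory_seen:
        return True, trace
    # No REQUIRED/REQUISITE providers: at least one other must have succeeded.
    return optional_ok, trace


# Constructed user stores: the embedded LDAP holds only the weblogic admin,
# OID holds only the oamadmin user created earlier in the procedure.
EMBEDDED = {"weblogic": "constructed-wls-pw"}
OID = {"oamadmin": "constructed-oid-pw"}


def after_provider_created():
    """State right after adding the OID provider: default still first and REQUIRED."""
    return [Provider("DefaultAuthenticator", REQUIRED, EMBEDDED),
            Provider("OID_Authenticator", SUFFICIENT, OID)]


def after_reorder():
    """State after the reorder step: OID first, both SUFFICIENT."""
    return [Provider("OID_Authenticator", SUFFICIENT, OID),
            Provider("DefaultAuthenticator", SUFFICIENT, EMBEDDED)]


if __name__ == "__main__":
    for label, chain in (("before reorder", after_provider_created()),
                         ("after reorder", after_reorder())):
        for user, pw in (("oamadmin", OID["oamadmin"]),
                         ("weblogic", EMBEDDED["weblogic"])):
            ok, trace = evaluate(chain, user, pw)
            print(f"{label:15} {user:9} -> {ok}  {trace}")
```

With the default provider still REQUIRED and first, an OID-only account such as oamadmin is rejected even though OID accepts it; after the reorder both stores can authenticate their own users, and a wrong password fails in both.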

Register OID as the OAM Identity Store

Log into OAM Console via: http://host:port/oamconsole
Log in using the weblogic user.

Create a New Identity Store

Navigate to the “System Configuration” Tab
Select “Data Sources” -> “User Identity Stores”
Click the Create button at the top of the menu.

Enter Identity Store Details

Provide a descriptive name
Choose OID as the Store Type
Enter host:port for the Location
Provide bind DN as cn=orcladmin
Provide password
Provide the user search base
Provide the group search base
Click Test Connection
Click Apply

Designate the New Store as the System Store

Navigate to the new OIDIdentityStore1
Check the box next to Set as system store
Add the oamadmin_group as the administrators
Click Test Connection
Click Apply
You will need to enter the username / password of a user in the admin group.

Configure the LDAP Authentication Module

Navigate to Access Manager Settings
Expand Authentication Modules
Expand LDAP Authentication Modules -> LDAP
Choose OIDIdStore1 from the dropdown
Click Apply
Close the browser and reopen oamconsole.
Log in as the oamadmin user.

Install OHS

OHS is utilized as a web server (Apache) to front FMW applications
Directory structure is similar to Apache (htdocs, httpd.conf, etc.)
Uses MOD_WL_OHS to integrate with WebLogic deployed applications
Uses Oracle WebGate to integrate OAM with WebLogic Applications

OHS Installation Starting

Easier to use Install and Configure
Default installation will provide a working Web Server already configured
Runs on port 7777 by default

Prerequisites

Correct any and all failed checks

Middleware Home

You can install in an existing Middleware Home.
It is common practice to install the web server in the DMZ or on a separate server.
For Development it is ok to run on the same server.

Components

If WebCache is required, ensure the option is checked.

Instance Home

Default location is under Oracle_WT1

Ports

By default, OHS will use port 7777.
If you have a load balancer or firewall, you can direct 80/443 requests to this port.
Oracle has instructions to configure OHS to use ports 80 and 443.

Install Summary

Installation Progress

Auto Configuration Summary

Installation Complete

Testing OHS

Install WebGate

Oracle WebGate is required for integration of FMW applications and OAM.
Provides the mechanism that listens for specified URLs and forwards to OAM for authentication.

Welcome Screen


Prerequisite Checks

Correct any and all failed checks


Install Location

Use the OHS installation directory from the previous step. By default this will create a directory Oracle_OAMMiddleware1.


Progress


Install Complete


Modify mod_wl_ohs.conf

Located in the OHS instance directory


httpd.conf

mod_wl_ohs ensures that OHS forwards URL requests to the proper FMW port. Define locations and the WebLogic host and port. One OHS instance can support multiple WebLogic domains and instances.


Deploy WebGate

./deployWebgateInstance.sh -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>

This script creates the necessary WebGate directories within the OHS instance directory.


Deploy WebGate

Set the LD_LIBRARY_PATH to include the OHS libraries

The EditHttpConf script updates the httpd.conf file to include the calls to WebGate.


Create an OAM Agent


Agent Creation

Name it appropriately. Choose Open / Simple or Cert (Open should not be used in production environments). Add the /adfauthentication and /cs URL patterns that we added to mod_wl_ohs.conf previously. Click Apply.
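An added example, not from the original slides: a Python check that every URL pattern protected by the OAM agent also has a routed `<Location>` block in mod_wl_ohs.conf. The sample configuration, the host name ucm.example.com and port 16200 are constructed placeholders, and `parse_locations` and `audit_routes` are hypothetical helper names.

```python
import re

# Constructed sample mod_wl_ohs.conf; host name and port are placeholders.
SAMPLE_CONF = """\
<IfModule weblogic_module>
  <Location /cs>
    SetHandler weblogic-handler
    WebLogicHost ucm.example.com
    WebLogicPort 16200
  </Location>
  <Location /adfAuthentication>
    WebLogicHost ucm.example.com
  </Location>
</IfModule>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)


def parse_locations(conf_text):
    """Return {url_path: {directive_name_lowercased: value}} per <Location> block."""
    locations = {}
    for path, body in LOCATION_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        locations[path] = directives
    return locations


def audit_routes(conf_text, protected_patterns):
    """List protected URL patterns that OHS would not forward to WebLogic."""
    locations = parse_locations(conf_text)
    problems = []
    for pattern in protected_patterns:
        block = locations.get(pattern)  # exact, case-sensitive match
        if block is None:
            problems.append(f"{pattern}: no <Location> block")
            continue
        if block.get("sethandler", "").lower() != "weblogic-handler":
            problems.append(f"{pattern}: SetHandler weblogic-handler missing")
        if "weblogiccluster" not in block and not (
                "weblogichost" in block and "weblogicport" in block):
            problems.append(f"{pattern}: no WebLogicHost/WebLogicPort or WebLogicCluster")
    return problems

if __name__ == "__main__":
    print("\n".join(audit_routes(SAMPLE_CONF, ["/cs", "/adfAuthentication", "/adfauthentication"])))
```

Blocks that inherit WebLogicHost and WebLogicPort from the enclosing `<IfModule>` level are reported as well, because this check expects each block to name its own backend.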


Agent Creation Summary

Make note of the Artifacts location shown in the confirmation. We will be copying these artifacts to the WebGate instance.


Copying Artifacts

■  File: ObAccessClient.xml
■  Destination: <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>/webgate/config

■  File: cwallet.sso
■  Destination: <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>/webgate/config
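An added example, not from the original slides: a Python check that both agent artifacts reached the WebGate config directory unchanged and are not readable by other accounts. The owner-only permission policy and the helper names `sha256_of` and `verify_artifacts` are assumptions of this example; the two directory arguments are the Artifacts location noted earlier and the destination shown above.

```python
import hashlib
import os
import stat
import sys

ARTIFACTS = ("ObAccessClient.xml", "cwallet.sso")


def sha256_of(path):
    """Hex SHA-256 digest of a file's contents."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def verify_artifacts(source_dir, webgate_config_dir):
    """Compare copied agent artifacts with the originals and check their mode bits."""
    problems = []
    for name in ARTIFACTS:
        src = os.path.join(source_dir, name)
        dst = os.path.join(webgate_config_dir, name)
        if not os.path.isfile(dst):
            problems.append(f"{name}: missing from {webgate_config_dir}")
            continue
        if os.path.isfile(src) and sha256_of(src) != sha256_of(dst):
            problems.append(f"{name}: differs from the copy generated by OAM")
        # Assumed policy: only the OHS owner account may access these files.
        mode = stat.S_IMODE(os.stat(dst).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{name}: mode {mode:o} allows group/other access")
    return problems


if __name__ == "__main__" and len(sys.argv) == 3:
    for problem in verify_artifacts(sys.argv[1], sys.argv[2]):
        print(problem)
```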


Configure UCM WebLogic Domain to Use OAM

Navigate to the WebLogic Admin Console. Click Security Realms. Choose My Realm.


Create an OAM Identity Asserter


Create the OID Authenticator


Provider Order

OAMIdentityAsserter
OIDAuthenticator
DefaultAuthenticator
DefaultIdentityAsserter


OAM Identity Asserter Configuration

Control Flag must be set to Required


Configure OID Authenticator

Set to Sufficient


Enter OID Authenticator Configuration Details

Use the same configuration as when we did the OAM domain previously.


Configuring the Domain to Use OAM


WLST Script

The WLST script must be entered exactly as below.

addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html",autologinuri="/obrar.cgi")


Completed and Next Steps

•  Restart all WebLogic components
•  Navigate to UCM and log in. You should now be presented with the OAM login screen instead of the normal WebCenter login screen
•  Your basic installation and configuration is complete

•  Create a custom login screen
•  Create a logout screen
•  Integrate other applications
