REMINDER
Check in on the COLLABORATE mobile app
Oracle Identity and Access Management Implementation
Prepared by: Ken Ramey Senior Consultant and Portfolio Manager Centroid Systems
Ensuring a complete functional installation
OID Installation and Configuration Topics
■ Repository Creation
▪ Creating the Database Schemas
■ Oracle Internet Directory Installation
▪ WebLogic Software
▪ OID Software
▪ JDK Requirements
■ Oracle Internet Directory Domain Creation and Configuration
▪ Running the configuration script
▪ Creating a domain
▪ Using staticports.ini
▪ Starting the services
▪ boot.properties file
OAM Installation and Configuration
■ Oracle Access Manager Installation
▪ WebLogic Software
▪ OAM Software
▪ JDK Requirements
■ Oracle Access Manager Domain Creation and Configuration
▪ Running the configuration script
▪ Creating the domain
▪ Starting the services
▪ Validating the installation
Integrating OID / OAM Single Sign On
■ OAM System Configuration
■ User Identity Store
■ Authentication Policies
■ OAM Agent
■ Creating OAM Host Identifiers
■ Creating OAM Application Domains
▪ Associating URLs to protect
■ Creating Authentication Scheme
Repository Creation
■ Requires the appropriate DB schemas to be preinstalled
■ Use the Repository Creation Utility (RCU) version that matches the version of Identity Management you are installing
■ Run it on the DB server or on the Identity Management server
■ Requires SYS or SYSTEM privileges on the DB
■ The database should be on a separate server (for demo purposes it can exist on the same box)
■ 11.1 or 11.2 database
Starting RCU
■ Run the RCU start script
Checking DB Prerequisites
If there are any failures, update the database to correct the problems
Select Schemas to Install
• Choose the components to be installed: Oracle Internet Directory, Oracle Access Manager, Oracle Identity Manager (optional)
• Required dependent schemas will auto-select
• Choose a password. Using the same password for all schemas is easiest for a demo; for production give each schema its own strong password and keep them in a vault, since one shared password lets any compromised component reach every repository schema.
Validate the schemas
Validate the Schemas and Tablespaces. If something is missing, go back and choose it. You can run this utility multiple times if you need to install a new component.
Validating Objects to be Created
All DB Objects Created
Install WebLogic Software for OID Domain
Note the use of the Sun JDK: OID will install under JRockit, but you will be unable to configure a domain if JRockit is used. Note: set the max heap size for the installer command; failing to do so may cause errors during installation.
Create New Middleware Home
Create a new Middleware_Home for this installation. This will simplify your environment if you have other FMW applications on this server.
Choose Installation Type
Choose Custom in order to remove unneeded elements
Select Components
Deselect Evaluation DB and Coherence. They are not needed for OID
Choose JDK
If you set your PATH and JAVA_HOME variables before running the installation, you will see the Sun JDK is already selected. You can select it using Browse if you did not set your environment. USE Sun JDK!
Choose Product Install Directory
Installation Summary
Install OID Software
Once again, ensure the Sun JDK is your JAVA_HOME
Install Continued
Choose Install – Do Not Configure. We shall configure in another step. At this point we only wish to install the software.
Prerequisite Checks
Prerequisite Check. Ensure your operating system meets the minimum prerequisites for this install. You may need to update some environment settings to pass this. This screen will tell you what has failed.
Choose Middleware_Home
Ensure you choose the correct Middleware_Home in this step if you have multiple homes on the same server.
Installation Summary
After the install is completed, you will need to run the specified file as root
Configure OID Domain
Run config.sh located in $ORACLE_HOME/bin, where $ORACLE_HOME should be set to <MIDDLEWARE_HOME>/Oracle_IDM. Note: there are other config.sh files in $ORACLE_HOME/common/bin and $MIDDLEWARE_HOME/common/bin. Do not run these, as you will get errors or be unable to configure the correct domain components.
Create a New Domain
Enter a value for the weblogic user password
Choose Install Location
Again, ensure the correct middleware_home directory is chosen
Choose the Components to be Installed
Only choose the components you need AND for which you created the appropriate DB Schemas. Choose Clustered at this time even if you do not plan to cluster this instance right away. Failure to do so will make it quite difficult to cluster in the future.
Port Configuration
Auto Configure will work fine if this is the first FMW product installed on the box. Otherwise copy the staticports.ini file from the staging directory and update the ports as shown in the following slide.
Configure Ports Using staticports.ini
Edit staticports.ini as follows:
[DOMAIN]
#This port indicates the Domain port number
Domain Port No = 7101
Node Manager Port No = 5557
Change the Domain Port No to 7101 or another free port.
Enter OID Repository Connection Information
OID Security Realm
Enter the security realm info for OID: the security realm name you wish to use and the password for the orcladmin (cn=orcladmin) user.
Finishing Up
Validate Weblogic Domain
Create a boot.properties file. The boot.properties file stores the username and password used to start the Admin Server; WebLogic encrypts them the first time you start the server. This allows you to start the server in the background. Until that first start the file holds the password in cleartext, so create it readable only by the owner.
Log into the Admin Console using the weblogic user / password
Connect to ODSM to Validate OID
Note the port is 3060. You can change this to 389 using the staticports.ini file during domain creation, but ports below 1024 are privileged on Linux and need additional OS-level setup, so 3060 is the usual choice.
Validate the Security Realm
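The boot.properties and OID validation steps above, scripted as an added example (this is not code from the original slides or from Oracle). DOMAIN_HOME, server name, host, port and credentials are assumptions for a demo; validate_oid uses the OpenLDAP ldapsearch client (openldap-clients), not the ldapsearch shipped in the OID Oracle home, whose flags differ.

```shell
#!/bin/sh
# Added example, not from the original slides. Creates boot.properties for the
# Admin Server so it can start without an interactive credential prompt, starts
# the Admin Server detached, and checks the OID listener with an LDAP base
# search. WebLogic encrypts boot.properties on first start, but until then it
# holds the cleartext password, so it is written with owner-only permissions.
# All paths, host names, ports and credentials are assumptions for a demo.

# make_boot_properties DOMAIN_HOME SERVER_NAME USERNAME PASSWORD
# Prints the path of the file it wrote.
make_boot_properties() {
    domain_home="$1"; server="$2"; user="$3"; pass="$4"
    dir="$domain_home/servers/$server/security"
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell so the file is 0600 from the moment it exists
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$dir/boot.properties"
    ) || return 1
    printf '%s\n' "$dir/boot.properties"
}

# start_admin_server_background DOMAIN_HOME
# With boot.properties in place no prompt appears, so the server can be detached.
start_admin_server_background() {
    domain_home="$1"
    nohup "$domain_home/bin/startWebLogic.sh" > "$domain_home/AdminServer.out" 2>&1 &
}

# validate_oid HOST PORT BIND_DN PASSWORD_FILE
# Base search of the root DSE as the bind user. Exit status 0 means the OID
# listener is up and the bind succeeded (the same check ODSM makes at login).
# The password is read from a file (-y) so it does not show up in `ps`.
validate_oid() {
    host="$1"; port="$2"; bind_dn="$3"; passfile="$4"
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 2; }
    ldapsearch -x -H "ldap://$host:$port" -D "$bind_dn" -y "$passfile" \
        -b "" -s base '(objectclass=*)' namingContexts >/dev/null 2>&1
}
```

Usage: `make_boot_properties /u01/IDMMiddleware/user_projects/domains/IDMDomain AdminServer weblogic 'Welcome1'`, then `start_admin_server_background <DOMAIN_HOME>`, then `validate_oid oidhost 3060 cn=orcladmin /root/.oidpass`.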
Install a New WebLogic instance
■ Repeat the installation of the WebLogic software
■ Use the JRockit JDK for this one (suggested for production environments)
▪ OID required the Sun JDK; OAM can use either one, but Oracle feels that JRockit has better memory management
■ Choose a Middleware_Home name such as IAMMiddleware to keep it separate from the OID and other application homes
■ Using a separate Middleware_Home will simplify upgrades and management. If you require an OAM upgrade but are not ready to upgrade OID, you can perform them on separate homes. This also simplifies management if you decide to move OID to a different server.
Install Identity and Access Management Software
Run the installer with -jreLoc pointing at the JRE of your chosen JDK
OAM Prerequisites
Prerequisite Check. Again, ensure all prerequisites are met before continuing
Choose Middleware Home
Choose the middleware home you just installed (IAMMiddleware)
Installation Summary
Install SOA
This is only necessary if you plan to use Oracle Identity Manager
Prerequisite Checks
Installation Location
Installation Summary
Configure the OAM Domain
This time use the config.sh located in the new ORACLE_HOME/common/bin
Create a new Weblogic Domain
Select the desired components. Required components will be chosen automatically
Specify Domain Information
Specify Domain Admin User
Specify Weblogic Startup Mode
Specify the mode in which WebLogic runs. Development mode does not require a password to start the WebLogic server and does not require admins to lock the configuration for edits. Production mode requires a password to start the WebLogic server (supplied interactively or via boot.properties) and admins must lock the configuration in order to make edits. Choose Production mode for any domain that is more than a throwaway sandbox; development mode also enables auto-deployment from the domain's autodeploy directory, which you do not want on a server holding identity data.
Configure Database Connection Information
Test Database Configuration
Select Components to Configure Within Domain
Choose Admin Server, Managed Servers Clusters, and Machines
Admin Server Configuration
Update the port to one that is free on the server
Configure Managed Servers
Managed Servers are the JVM processes in which the selected components (for example oam_server1) run
Configure a Cluster if Desired
Configure Machines
Machines are used by the node manager to determine which server process to start. This is especially useful when configuring a clustered environment. The node manager can communicate with both nodes. Note if installing on a linux server, choose Unix Machine
Assign Managed Servers to Machines
If clustered, you would have oam_server1 and oam_server2. These would be assigned to different machines
Configuration Summary
Validate WebLogic Domain
Open the new weblogic console Note OAM_Server is not yet running
Start the OAM Server
Start the oam_server using startManagedWebLogic.sh oam_server1 (the Admin Server URL is the optional second argument)
OAM Server Running
Go back to the admin console to validate the oam_server has started.
Validate OAM Server
OAM Console should be located at: http://hostname:<adminPort>/oamconsole
OAM is Validated
Environment Configuration
■ Create Users and Groups in OID
■ Configure the OAM WebLogic domain to use OID
■ Integrate OID and OAM
▪ Register OID as the Identity Store for OAM
▪ Designate OID as the System Store
▪ Set the LDAP Authentication Module
■ Configure OHS / WebGate
■ Configure the UCM WebLogic instance for the OID Authenticator
Create Admin Group in OID
Navigate to Groups Right Click and select “Create”
Group Creation
Create Admin User
Expand Users, right click and select Create
Create Admin User
Create the user with at least the inetOrgPerson object class. Name the user oamadmin.
Additional Attributes for User
Click the green plus under Optional Attributes and add uid and userPassword
Add New User to Group
Configure OAM Weblogic to Use OID
Navigate to WebLogic Admin Console -> Security Realms -> myrealm -> Providers and click New
Create OID Authentication Provider
Enter a name and select OracleInternetDirectoryAuthenticator, then click OK. Configure the authenticator by clicking the new provider after you return to the Providers screen. Set the Control Flag to "Sufficient", click Save, then select the Provider Specific tab.
Continued
Enter the following information:
Host – OID host
Port – OID port (389 or 3060, depending on what you chose during installation)
Principal – cn=orcladmin
Credential – the orcladmin password (repeat it in the confirmation field)
Note: cn=orcladmin is the OID superuser. It is fine for a demo, but for production create a dedicated bind user with read-only search rights over the user and group bases and use that DN here instead.
Scroll down and update the User Base DN and Group Base DN to match your realm. Click Save and return to the Providers page.
Reorder the Providers
Move the OID Authenticator to the top of the list. Set the DefaultAuthenticator control flag to Sufficient (if it stays Required, users that exist only in OID cannot log in). Save, Activate Changes, then restart the Admin Server and the OAM server from Server Administration.
Register OID as the OAM Identity Store
Log into the OAM Console via http://host:port/oamconsole using the weblogic user.
Create a New Identity Store
Navigate to the "System Configuration" tab, select "Data Sources" -> "User Identity Stores", and click the Create button at the top of the menu.
Enter Identity Store Details
Provide a descriptive name, choose OID as the Store Type, and enter host:port for the Location. Provide cn=orcladmin as the bind DN (or, for production, a dedicated read-only bind user) and its password. Provide the user search base and the group search base. Click Test Connection, then click Apply.
Designate the New Store as the System Store
Navigate to the new OIDIdentityStore1 and check the box next to Set as system store. Add the oamadmin_group created in OID as the administrators. Click Test Connection, then click Apply. You will need to enter the username and password of a user in the admin group.
Configure the LDAP Authentication Module
Navigate to Access Manager Settings, expand Authentication Modules, expand LDAP Authentication Modules, and select LDAP. Choose the new OID identity store from the dropdown and click Apply. Close the browser, reopen oamconsole, and log in as the oamadmin user.
Install OHS
OHS is the Apache-based web server used to front FMW applications. Its directory structure is similar to Apache (htdocs, httpd.conf, etc.). It uses mod_wl_ohs to integrate with WebLogic-deployed applications and Oracle WebGate to integrate those applications with OAM.
OHS Installation Starting
It is easier to use Install and Configure: the default installation provides a working web server that is already configured and listens on port 7777 by default.
Prerequisites
Correct any and all failed checks
Middleware Home
You can install in an existing Middleware Home It is common practice to install the web server in the DMZ or on a separate server. For Development it is ok to run on the same server
Components
If WebCache is required, ensure the option is checked.
Instance Home
Default location is under Oracle_WT1
Ports
By default, OHS will use port 7777 If you have a loadbalancer or firewall, you can direct 80/443 requests to this port Oracle has instructions to configure OHS to use ports 80 and 443
Install Summary
Installation Progress
Auto Configuration Summary
Installation Complete
Testing OHS
Install WebGate
Oracle WebGate is required for integration of FMW applications and OAM Provides the mechanism that listens for specified URLs and forwards to OAM for authentication
Welcome Screen
Prerequisite Checks
Correct any and all failed checks
Install Location
Use the OHS installation directory from the previous step By default this will create a directory Oracle_OAMMiddleware1
Progress
Install Complete
Modify mod_wl_ohs.conf
Located in the OHS instance directory
httpd.conf
mod_wl_ohs ensures that OHS forwards URL requests to the proper FMW port. Define the locations to forward and the WebLogic host and port. One OHS instance can support multiple WebLogic domains and instances.
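An added example of the mod_wl_ohs.conf edit described above (not a file from the original slides or from Oracle); ucmhost.example.com:16200 is an assumed UCM managed server, and the module path is the OHS 11g default. Only the two paths that the WebGate agent will protect are forwarded, so the DMZ web tier does not become a general proxy into the WebLogic domain.

```apache
# Added example mod_wl_ohs.conf for the OHS instance; host and port are assumptions.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"

<IfModule weblogic_module>
    # Single UCM managed server; for a cluster replace these two lines with
    # WebLogicCluster ucm1.example.com:16200,ucm2.example.com:16200
    WebLogicHost ucmhost.example.com
    WebLogicPort 16200
</IfModule>

# UCM application, proxied to WebLogic
<Location /cs>
    SetHandler weblogic-handler
</Location>

# ADF authentication servlet used by the OAM single sign-on flow
<Location /adfAuthentication>
    SetHandler weblogic-handler
</Location>
```

Any request outside /cs and /adfAuthentication is handled by OHS itself, so add a Location block only for each application path you intend to expose and protect with the OAM agent.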
Deploy WebGate
./deployWebgateInstance.sh -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home> This script creates the necessary webgate directories within the OHS instance directory
Deploy WebGate
Set the LD_LIBRARY_PATH to include the OHS libraries
The EditHttpConf script updates the httpd.conf file to include the calls to webgate.
Create an OAM Agent
Agent Creation
Name it appropriately. Choose Open, Simple or Cert for the security mode (Open leaves agent-to-server traffic unencrypted and should not be used in production environments). Add the /adfAuthentication and /cs URL patterns that we added to mod_wl_ohs.conf previously. Click Apply.
Agent Creation Summary
Make note of the Artifacts location shown in the confirmation. We will be copying these artifacts to the WebGate instance.
Copying Artifacts
■ File: ObAccessClient.xml
Destination: <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>/webgate/config
■ File: cwallet.sso
Destination: <OHS_Home>/instances/<webtierInstance>/config/OHS/<ohsInstance>/webgate/config
Configure UCM WebLogic Domain to Use OAM
Navigate to the WebLogic Admin Console, click Security Realms, and choose myrealm
Create an OAM Identity Asserter
Create the OID Authenticator
Provider Order
The providers must be in this order:
■ OAMIdentityAsserter
■ OIDAuthenticator
■ DefaultAuthenticator
■ DefaultIdentityAsserter
OAM Identity Asserter Configuration
Control Flag must be set to Required
Configure OID Authenticator
Set to Sufficient
Enter OID Authenticator Configuration Details
Same configuration from when we did the OAM Domain previously
Configuring the Domain to Use OAM
WLST script must be entered exactly as below. addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html",autologinuri="/obrar.cgi")
WLST Script
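The provider configuration described for the OAM domain (OID authenticator first, DefaultAuthenticator set to Sufficient) and for the UCM domain (OAM identity asserter Required, then the same OID authenticator, then the addOAMSSOProvider call shown above), written as one WLST script. This is an added example, not a script from the original slides or from Oracle. Admin URL, host names, ports, DNs and provider names are assumptions for a demo; the provider class names are the ones used by the console's OracleInternetDirectoryAuthenticator and OAMIdentityAsserter types and should be checked against the provider type list in your release before use. The script deliberately binds with a dedicated read-only account rather than cn=orcladmin.

```wlst
# Added example WLST script (Jython 2, run with oracle_common/common/bin/wlst.sh).
# Not from the original slides or from Oracle; all values below are assumptions.
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL = 't3://adminhost.example.com:7001'
ADMIN_USER = 'weblogic'
ADMIN_PASS = raw_input('weblogic password: ')      # prompt rather than hard-code

OID_HOST = 'oidhost.example.com'
OID_PORT = 3060
# Dedicated read-only bind account (assumed); cn=orcladmin is the OID superuser
# and the authenticator only needs search rights over the user and group bases.
OID_BIND_DN = 'cn=oamreadonly,cn=Users,dc=example,dc=com'
OID_BIND_PW = raw_input('OID bind password: ')
USER_BASE = 'cn=Users,dc=example,dc=com'
GROUP_BASE = 'cn=Groups,dc=example,dc=com'

# Provider implementation classes; verify against the console's provider type list.
OID_AUTH_CLASS = 'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator'
OAM_ASSERTER_CLASS = 'oracle.security.wls.oam.providers.asserter.OAMIdentityAsserter'

def configure_realm(with_oam_asserter, with_sso_provider):
    """OAM domain: configure_realm(False, False). UCM domain: configure_realm(True, True)."""
    connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
    edit()
    startEdit()
    realm = cmo.getSecurityConfiguration().getDefaultRealm()   # myrealm

    # OID authenticator, Sufficient, pointed at the user and group bases
    oid = realm.lookupAuthenticationProvider('OIDAuthenticator')
    if oid is None:
        oid = realm.createAuthenticationProvider('OIDAuthenticator', OID_AUTH_CLASS)
    oid.setControlFlag('SUFFICIENT')
    oid.setHost(OID_HOST)
    oid.setPort(OID_PORT)
    oid.setPrincipal(OID_BIND_DN)
    oid.setCredential(OID_BIND_PW)
    oid.setUserBaseDN(USER_BASE)
    oid.setGroupBaseDN(GROUP_BASE)

    # DefaultAuthenticator must drop to Sufficient or OID-only users cannot log in
    default_auth = realm.lookupAuthenticationProvider('DefaultAuthenticator')
    default_auth.setControlFlag('SUFFICIENT')
    default_asserter = realm.lookupAuthenticationProvider('DefaultIdentityAsserter')

    order = [oid, default_auth, default_asserter]
    if with_oam_asserter:
        # UCM domain only: asserter is Required and goes first
        oam = realm.lookupAuthenticationProvider('OAMIdentityAsserter')
        if oam is None:
            oam = realm.createAuthenticationProvider('OAMIdentityAsserter', OAM_ASSERTER_CLASS)
        oam.setControlFlag('REQUIRED')
        order.insert(0, oam)

    # Provider order is set by rewriting the whole array
    realm.setAuthenticationProviders(jarray.array(order, AuthenticationProviderMBean))
    save()
    activate(block='true')

    if with_sso_provider:
        # Exactly the call from the slide; ${app.context} is resolved by WebLogic at runtime
        addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",
                          logouturi="/oamsso/logout.html",
                          autologinuri="/obrar.cgi")
    disconnect()

configure_realm(with_oam_asserter=False, with_sso_provider=False)   # OAM domain
```

For the UCM domain change the last line to configure_realm(with_oam_asserter=True, with_sso_provider=True) and point ADMIN_URL at that domain's Admin Server. Restart all servers in the domain afterwards, as the slides note, for the provider changes to take effect.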
Completed and Next Steps
• Restart all WebLogic components
• Navigate to UCM and log in. You should now be presented with the OAM login screen instead of the normal WebCenter login screen.
• Your basic installation and configuration is complete
• Next steps: create a custom login screen, create a logout screen, integrate other applications