OIG : Integrating Identity Manager and Identity Analytics

Setup for OBE : Oracle Identity Governance : Integrating Identity Manager and Identity Analytics

System requirements

Oracle Enterprise Linux 5.7

Install Database

  1. Obtain RDBMS 11.2.1.0
  2. Install database software, choosing to install the database software only.
  3. Using NETCA, create a listener on the default port of 1521.
  4. Using DBCA, create a database. Choose the default options, except for the following:
    1. Global database name : orcl
    2. SID : orcl
    3. do not configure Enterprise Manager
    4. Use same administrative password for all accounts : Welcome1
    5. Typical memory : 1536MB
    6. Select “Use Automatic Memory Management”
    7. Character sets : select “AL32UTF8”
  5. At a terminal, start sqlplus as sys and set the following DB parameters:
    $ sqlplus "sys/Welcome1@localhost/orcl as sysdba"
    SQL> alter system set session_cached_cursors=100 scope=spfile;
    SQL> alter system set processes=500 scope=spfile;
    SQL> shutdown immediate;
    SQL> startup;
    SQL> alter system set aq_tm_processes=1 scope=both;
    SQL> alter system set db_cache_size=150994944 scope=both;
    SQL> alter system set java_pool_size=125829120 scope=both;
    SQL> alter system set shared_pool_size=183500800 scope=both;
    SQL> alter system set open_cursors=800 scope=both;
    SQL> quit
    $

Run Repository Creation Utility (RCU)

  1. Obtain RCU for Identity Management 11.2.1.0.0 (V37476-01.zip).
  2. Create schemas, choosing the defaults options except for the following:
    1. Host name : localhost
    2. Port : 1521
    3. Service Name : orcl
    4. Username : sys
    5. Password : Welcome1
    6. Create a new Prefix : DEV
    7. Select the components : Oracle Identity Manager (SOA, MDS, OPSS are then also selected as dependencies)
    8. Use same password for all schemas : Welcome1

Install JDK

  1. Obtain JDK jdk-6u43-linux-x64.bin
  2. As the root user:
    mkdir /usr/jdk
    cd /usr/jdk
    /path/to/jdk-6u43-linux-x64.bin
  3. Add the following to the .bash_profile of the oracle user
    JAVA_HOME=/usr/jdk/jdk1.6.0_43
    export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH
    export PATH

Install WebLogic Server 10.3.6

  1. Obtain wls1036_generic.jar
  2. Run the WLS installer (java -jar /path/to/wls1036_generic.jar), choosing the defaults except for the following:
    1. Create a new Middleware Home : /u01/app/Oracle/Middleware
    2. skip security updates
    3. choose the available JDK /usr/jdk/jdk1.6.0_43
    4. Don’t run Quickstart

Install SOA Server

  1. Obtain V29672-01
  2. Install into /u01/app/Oracle/Middleware, choosing the defaults except for the following:
    1. skip security updates

Install the Identity and Access Management Suite

  1. Obtain V37472-01
  2. Install into /u01/app/Oracle/Middleware, choosing the defaults except for the following:
    1. skip security updates

Create WebLogic domain

  1. Start the Identity Manager domain creation utility:
    cd /u01/app/Oracle/Middleware/Oracle_IDM1/common/bin
    ./config.sh
  2. Create a domain using the following information:
    1. Create a new WebLogic domain
    2. Select “Oracle Identity Manager”. SOA Suite and Enterprise Manager are automatically selected.
    3. Keep the default values of base_domain and the domain locations under /u01/app/Oracle/Middleware/user_projects
    4. Enter Welcome1 for the weblogic admin user password
    5. Select Development Mode, and use the JDK in /usr/jdk/jdk1.6.0_43
    6. Select all schemas and enter the following, leaving the “Schema Owner” field empty:
      DBMS/Service: orcl
      Host Name: localhost
      Port: 1521
      Schema Password: Welcome1
    7. Select Administration Server and Managed Servers for Optional Configuration
    8. Leave Admin Server settings at the default settings
    9. Add a server “oia_server1” listening on port 18201
    10. Leave Configure Cluster settings at the defaults (no clusters)
    11. Leave Configure Machines settings at the defaults (only LocalMachine)
    12. Move all servers to the LocalMachine Machine (click the right arrow to move them all)
    13. Create
    14. Done, to exit the utility

Configure the Security Store

In a terminal window, enter the following:

$ cd /u01/app/Oracle/Middleware/oracle_common/common/bin
$ ./wlst.sh /u01/app/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /u01/app/Oracle/Middleware/user_projects/domains/base_domain -m create -c IAM -p Welcome1

The second command is all on one line. When complete, you should see:

Info:  Create operation has completed successfully.

Start AdminServer and SOA managed server

  1. Start the AdminServer. Open a terminal window and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./startWebLogic.sh
    The terminal window will not close. Wait till you see:
    <Server started in RUNNING mode>
  2. Start the SOA managed server. Open a terminal window and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/startManagedWebLogic.sh soa_server1
    Enter “weblogic” and “Welcome1” at the username and password prompts. The terminal window will not close. Wait till you see:
    <Server started in RUNNING mode>

Patch SOA Server

  1. Obtain patch 16366204. Unpack the patch into a temporary location, e.g. /stage
  2. Stop the SOA managed server. Open a terminal window, and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/stopManagedWebLogic.sh soa_server1
    Enter “weblogic” and “Welcome1” at the username and password prompts.
  3. Run the OPatch utility:
    $ cd /stage/16366204
    $ export ORACLE_HOME=/u01/app/Oracle/Middleware/Oracle_SOA1
    $ $ORACLE_HOME/OPatch/opatch apply
    Respond with “y” for “Do you want to proceed” and “Is the local system ready”
  4. Start the SOA managed server. In the original window where you started the SOA managed server, enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/startManagedWebLogic.sh soa_server1
    Enter “weblogic” and “Welcome1” at the username and password prompts. The terminal window will not close. Wait till you see:
    <Server started in RUNNING mode>

Configure Oracle Identity Manager

  1. Start the Oracle Identity Manager configuration utility. In a terminal window, enter:
    $ cd /u01/app/Oracle/Middleware/Oracle_IDM1/bin
    $ ./config.sh
  2. Configure OIM using the following information:
    1. Select OIM Server and OIM Design Console
    2. Connect String: localhost:1521:orcl
      OIM Schema User Name: DEV_OIM
      OIM Schema Password: Welcome1
      MDS Schema User Name: DEV_MDS
      MDS Schema Password: Welcome1
    3. WebLogic Admin Server URL : t3://localhost:7001
      UserName: weblogic
      Password: Welcome1
    4. OIM Administrator Password: Welcome1
      Confirm Password: Welcome1
      OIM HTTP URL: http://domain.com:14000
      KeyStore Password: Welcome1
      Confirm KeyStore Password: Welcome1
      Enable LDAP Sync: deselected
    5. OIM Server Hostname: domain.com
      OIM Server Port: 14000

Stop and Start AdminServer and SOA server

  1. In a terminal window, enter the following:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/stopManagedWebLogic.sh soa_server1
    Enter “weblogic” and “Welcome1” at the username and password prompts.
    $ ./bin/stopWebLogic.sh
  2. Start the AdminServer and SOA managed server using the instructions in “Start AdminServer and SOA managed server”.

Start Oracle Identity Manager

  1. Open a terminal window and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/startManagedWebLogic.sh oim_server1
    Enter “weblogic” and “Welcome1” at the username and password prompts. The terminal window will not close. Wait till you see:
    <Server started in RUNNING mode>

Create WebLogic client JAR file

Open a terminal window and enter:
$ cd /u01/app/Oracle/Middleware/wlserver_10.3/server/lib
$ java -jar wljarbuilder.jar
$ cp wlfullclient.jar /u01/app/Oracle/Middleware/Oracle_IDM1/designconsole/ext

Deploy Oracle Identity Analytics

  1. Obtain patch 14831724
  2. Create the /u01/app/oia directory and unpack the patch zip file in that directory
    $ mkdir /u01/app/oia
    $ cd /u01/app/oia
    $ unzip /path/to/p14831724_111150_Generic.zip
  3. Unpack the WAR file to a staging directory
    $ mkdir /u01/app/oia/rbacx
    $ cd /u01/app/oia/rbacx
    $ jar xvf ../rbacx.war
  4. Configure OIA as per the installation instructions:
    http://docs.oracle.com/cd/E24179_01/doc.1111/e23378/InstallingOracleIdentityAnalytics.htm#BABDIECA
    That is:

    1. copy over required JAR files
    2. edit the log4j.properties file to set the log file path (also set DEBUG for iam for easier debugging later)
    3. edit and encrypt conf/jdbc.properties file
      url=jdbc:oracle:thin:@localhost:1521:orcl
      jdbc.driverClassName=oracle.jdbc.OracleDriver
      jdbc.username=rbacxservice
      jdbc.password=Welcome1
      To encrypt, run the following from /u01/app/oia/conf (the directory holding jdbc.properties and cipherKey.properties), all on one line:
      $ java -jar ../rbacx/WEB-INF/lib/vaau-commons-crypt.jar -encryptProperty -cipherKeyProperties ./cipherKey.properties -propertyFile ./jdbc.properties -propertyName jdbc.password
    4. create schema for OIA
      $ cd /u01/app/oia/db/oracle
      $ . oraenv
      ORACLE_SID = [oracle] ? orcl
      The Oracle base has been set to /u01/app/oracle
      $ sqlplus sys/Welcome1 as sysdba
      SQL> create user rbacxservice identified by Welcome1;
      SQL> @rbacx-11.1.1.5.1_oracle_schema.sql
      SQL> @migrate-rbacx-11.1.1.5.3To11.1.1.5.4-oracle.sql
      SQL> @migrate-rbacx-11.1.1.5.4To11.1.1.5.5-oracle.sql
      SQL> quit
  5. Edit the /u01/app/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh script to add two lines at the start:
    RBACX_HOME=/u01/app/oia
    export RBACX_HOME
    This is required so that OIA can locate its “home” directory for configuration etc.
  6. Create a file /u01/app/oia/rbacx/WEB-INF/weblogic.xml with the contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.bea.com/ns/weblogic/90
    http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
    <container-descriptor>
    <prefer-application-packages>
    <package-name>javax.wsdl.*</package-name>
    <package-name>com.ibm.wsdl.*</package-name>
    <package-name>org.springframework.*</package-name>
    <package-name>org.aspectj.*</package-name>
    <package-name>org.jdom.*</package-name>
    <package-name>org.codehaus.xfire.*</package-name>
    <package-name>org.jaxen.*</package-name>
    <package-name>org.apache.bcel.*</package-name>
    <package-name>org.apache.commons.*</package-name>
    <package-name>com.ctc.wstx.*</package-name>
    <package-name>org.codehaus.stax2.*</package-name>
    <package-name>org.openspml.*</package-name>
    <package-name>org.quartz.*</package-name>
    </prefer-application-packages>
    </container-descriptor>
    </weblogic-web-app>
    This file tells WebLogic to prefer the Java packages in the WEB-INF directory of the OIA application, preventing class version errors.
  7. Start the OIA managed server. In a new terminal window:
    cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    ./bin/startManagedWebLogic.sh oia_server1
    Use weblogic and Welcome1 for the username and password.
  8. Deploy OIA.
    1. Start the WebLogic admin console by accessing http://localhost:7001/console
    2. Log in as weblogic/Welcome1
    3. Click Deployments -> Install
    4. Browse to the /u01/app/oia directory, and select the radio button for the rbacx directory entry (we are going to deploy from the directory, not the WAR file). Click Next.
    5. Install this deployment as an application. Click Next.
    6. Select oia_server1, click Next
    7. Under “Source accessibility”, select the “I will make the deployment accessible from the following location”, and click Next.
    8. Click Finish. Wait for the result, to see if the deployment was successful. If so, click Save.
  9. Once deployed, verify that you can log into OIA. The URL is http://localhost:18201/rbacx. Log in as the rbacxadmin user (default password is “password”). You will have to change the password at first log in. Change the password to “Welcome1”. You will be logged out. Log in with the new password “Welcome1” to verify that it was changed correctly.

Install Oracle Unified Directory

  1. Obtain OUD (V37478-01)
  2. Install OUD, choosing the defaults except for:
    1. Skip Software Updates
    2. OUD Base Location Home : /u01/app/Oracle/Middleware
  3. Create an instance. In a terminal window, start the OUD wizard:
    $ cd /u01/app/Oracle/Middleware/Oracle_OUD1
    $ ./oud-setup
    Choose the default settings. The password for the Root DN should be Welcome1
  4. Create two Organizational Units and two groups in OUD, using the following LDIF file (saved as file.ldif):
    dn: ou=People,dc=example,dc=com
    ou: People
    objectclass: organizationalUnit

    dn: ou=Groups,dc=example,dc=com
    ou: Groups
    objectclass: organizationalUnit

    dn: cn=Portal Users,ou=Groups,dc=example,dc=com
    cn: Portal Users
    objectclass: groupofuniquenames

    dn: cn=Portal Admins,ou=Groups,dc=example,dc=com
    cn: Portal Admins
    objectclass: groupofuniquenames

    And the following commands:
    $ cd /u01/app/Oracle/Middleware/Oracle_OUD1/bin
    $ ./ldapmodify -p 1389 -D "cn=Directory Manager" -w Welcome1 -a -f file.ldif

Seed User Data to Oracle Identity Manager

  1. The OIM URL is http://localhost:14000/identity. Log in as xelsysadm/Welcome1. If this is the first time you are signing in, you will have to set challenge questions and answers. Set them to any value.
  2. Create the following organizations of type Department in OIM : Finance, Engineering, Sales
  3. Create a user PALLEN, first name “Paul”, last name “Allen”, password “Welcome1”, in the Sales organization, as a Full Time Employee.
  4. Using the Bulk Load Utility, seed the following users, specifying the user PALLEN as the user to copy the password from:
    USR_FIRST_NAME,USR_LAST_NAME,MANAGER_NAME,USR_EMAIL,ORG_NAME,USR_LOGIN
    Teena,Semmens,,tsemmens@example.com,Finance,tsemmens
    Aime,McBeth,,amcbeth@example.com,Engineering,amcbeth
    Bettina,MacElwee,pallen,bmacelwee@example.com,Sales,bmacelwee
    Trudy,Auerbach,tsemmens,tauerbach@example.com,Finance,tauerbach
    Julieta,Hertzog,pallen,jhertzog@example.com,Sales,jhertzog
    Nancey,Jepson,tsemmens,njepson@example.com,Finance,njepson
    Richelle,Amorim,pallen,ramorim@example.com,Sales,ramorim
    Magdi,Dudas,amcbeth,mdudas@example.com,Engineering,mdudas
    Manda,Tebbe,amcbeth,mtebbe@example.com,Engineering,mtebbe
    Rosalia,Teerdhala,tsemmens,rteerdhala@example.com,Finance,rteerdhala
    Mirelle,Sauve,amcbeth,msauve@example.com,Engineering,msauve
    Phillipa,Becker,pallen,pbecker@example.com,Sales,pbecker
    Dorelia,Bratten,tsemmens,dbratten@example.com,Finance,dbratten
    Lesly,Aula,amcbeth,laula@example.com,Engineering,laula
    Tom,Thames,pallen,tthames@example.com,Sales,tthames
    Clarence,Saladna,tsemmens,csaladna@example.com,Finance,csaladna
    Geniffer,Galvin,amcbeth,ggalvin@example.com,Engineering,ggalvin
    Constantine,Drenan,pallen,cdrenan@example.com,Sales,cdrenan
    Kenny,Vesterdal,tsemmens,kvesterdal@example.com,Finance,kvesterdal
    Dominica,Hilder,amcbeth,dhilder@example.com,Engineering,dhilder
    Louisa,Schirtzinger,pallen,lschirtzinger@example.com,Sales,lschirtzinger
    Portia,Bradshaw,tsemmens,pbradshaw@example.com,Finance,pbradshaw
    Trey,Spears,amcbeth,tspears@example.com,Engineering,tspears
    Jon,Olsen,amcbeth,jolsen@example.com,Engineering,jolsen
    Kathee,Acklin,pallen,kacklin@example.com,Sales,kacklin
    Celine,Dayberry,amcbeth,cdayberry@example.com,Engineering,cdayberry
    Merissa,Railey,pallen,mrailey@example.com,Sales,mrailey

Install Generic LDAP Connector in Oracle Identity Manager

  1. Obtain the OID (Generic LDAP) connector – OID-11.1.1.6.0.zip
  2. Unpack the connector in the /u01/app/Oracle/Middleware/Oracle_IDM1/server/ConnectorDefaultDirectory
  3. Use the Connector Installer in OIM to install the connector. Manage Connectors > Install Connector > select OUD connector > install
  4. Create an IT Resource instance for the OUD server.
    IT Resource Name : Corporate LDAP
    IT Resource Type : LDAP
    baseContexts: “dc=example,dc=com”
    Configuration Lookup: Lookup.LDAP.OUD.Configuration
    credentials: Welcome1
    host: localhost
    port: 1389
    principal: cn=Directory Manager
    ssl: false
  5. Run the “LDAP Connector OU Lookup Reconciliation” scheduled job to pull in the organizational units from OUD. Be sure to change the IT Resource Name field in the scheduled job to “Corporate LDAP”.
  6. Run the “LDAP Connector Group Lookup Reconciliation” scheduled job to pull in the groups from OUD.

Create Roles and Access Policies in Oracle Identity Manager

  1. Create two roles in the Identity Self Service Console:
    Portal User
    Portal Administrator
  2. Create two Access Policies in the System Administration Console
    1. Name: Portal User on Corporate LDAP
      Provision: Without Approval
      Retrofit Access Policy: <selected>
      Select Resources to be provisioned: LDAP User
      Server: Corporate LDAP
      Container DN: Corporate LDAP~People
      Set Additional Data : LDAP Group: Corporate LDAP~Portal Users
      Revoke if No Longer Applies : selected
      Roles: Portal User
    2. Name: Portal Administrator on Corporate LDAP
      Provision: Without Approval
      Retrofit Access Policy: <selected>
      Select Resources to be provisioned: LDAP User
      Server: Corporate LDAP
      Container DN: Corporate LDAP~People
      Set Additional Data : LDAP Group: Corporate LDAP~Portal Admins
      Revoke if No Longer Applies : selected
      Roles: Portal Administrator

Assign Roles to Users in Oracle Identity Manager

Using the Identity Self-Service Console, assign the Portal User role to the following users:

Name                  Login            Organization   E-mail
Trudy Auerbach        TAUERBACH        Finance        tauerbach@example.com
Nancey Jepson         NJEPSON          Finance        njepson@example.com
Richelle Amorim       RAMORIM          Sales          ramorim@example.com
Magdi Dudas           MDUDAS           Engineering    mdudas@example.com
Manda Tebbe           MTEBBE           Engineering    mtebbe@example.com
Rosalia Teerdhala     RTEERDHALA       Finance        rteerdhala@example.com
Mirelle Sauve         MSAUVE           Engineering    msauve@example.com
Phillipa Becker       PBECKER          Sales          pbecker@example.com
Dorelia Bratten       DBRATTEN         Finance        dbratten@example.com
Lesly Aula            LAULA            Engineering    laula@example.com
Tom Thames            TTHAMES          Sales          tthames@example.com
Geniffer Galvin       GGALVIN          Engineering    ggalvin@example.com
Kenny Vesterdal       KVESTERDAL       Finance        kvesterdal@example.com
Dominica Hilder       DHILDER          Engineering    dhilder@example.com
Louisa Schirtzinger   LSCHIRTZINGER    Sales          lschirtzinger@example.com
Portia Bradshaw       PBRADSHAW        Finance        pbradshaw@example.com
Trey Spears           TSPEARS          Engineering    tspears@example.com
Jon Olsen             JOLSEN           Engineering    jolsen@example.com

If the role assignments generate approval requests, approve them (request-level approval) before continuing.

Run the Evaluate User Policies Scheduled Job

Using the Identity System Administration console, run the Evaluate User Policies scheduled job, to force the provisioning of accounts on OUD.

Verify Provisioning of Accounts in Oracle Unified Directory

In a terminal window, execute the following commands:
$ cd /u01/app/Oracle/Middleware/Oracle_OUD1/bin
$ ./ldapsearch -p 1389 -D "cn=Directory Manager" -w Welcome1 -b "dc=example,dc=com" "cn=Portal Users"

Check the output against the role assignments made above: every user given the Portal User role should appear as a uniqueMember, and nobody else should. The output should be:

dn: cn=Portal Users,ou=Groups,dc=example,dc=com
uniqueMember: uid=MTEBBE,ou=People,dc=example,dc=com
uniqueMember: uid=MSAUVE,ou=People,dc=example,dc=com
uniqueMember: uid=LSCHIRTZINGER,ou=People,dc=example,dc=com
uniqueMember: uid=TSPEARS,ou=People,dc=example,dc=com
uniqueMember: uid=LAULA,ou=People,dc=example,dc=com
uniqueMember: uid=GGALVIN,ou=People,dc=example,dc=com
uniqueMember: uid=PBECKER,ou=People,dc=example,dc=com
uniqueMember: uid=MDUDAS,ou=People,dc=example,dc=com
uniqueMember: uid=TTHAMES,ou=People,dc=example,dc=com
uniqueMember: uid=KVESTERDAL,ou=People,dc=example,dc=com
uniqueMember: uid=DHILDER,ou=People,dc=example,dc=com
uniqueMember: uid=DBRATTEN,ou=People,dc=example,dc=com
uniqueMember: uid=TAUERBACH,ou=People,dc=example,dc=com
uniqueMember: uid=RTEERDHALA,ou=People,dc=example,dc=com
uniqueMember: uid=PBRADSHAW,ou=People,dc=example,dc=com
uniqueMember: uid=RAMORIM,ou=People,dc=example,dc=com
uniqueMember: uid=JOLSEN,ou=People,dc=example,dc=com
cn: Portal Users
objectClass: groupofuniquenames
objectClass: top
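
The access policies (with “Revoke if No Longer Applies” selected) and the ldapsearch check above both come down to one question: does the group membership in OUD match what the role assignments entitle? The following is an added example, not code from this page or from Oracle’s tooling, that models that evaluation and diffs it against an ldapsearch result. The policy table, role list and LDIF sample inside it are constructed from the values above, with njepson deliberately left out and pallen deliberately added so that both kinds of drift are reported.

```python
"""Added example, not code from the original page or from Oracle: models the
access-policy evaluation described above and checks an ldapsearch result against
it. All data is constructed: ACCESS_POLICIES and ROLE_MEMBERS restate the page's
policies and role assignments; SAMPLE_LDIF imitates the page's ldapsearch output
with NJEPSON (assigned the role) left out and PALLEN (never assigned) added."""
import re

# One LDAP group per policy; "Revoke if No Longer Applies" withdraws it with the role.
ACCESS_POLICIES = {
    "Portal User on Corporate LDAP": {
        "role": "Portal User",
        "container": "ou=People,dc=example,dc=com",
        "group": "cn=Portal Users,ou=Groups,dc=example,dc=com",
    },
    "Portal Administrator on Corporate LDAP": {
        "role": "Portal Administrator",
        "container": "ou=People,dc=example,dc=com",
        "group": "cn=Portal Admins,ou=Groups,dc=example,dc=com",
    },
}

# Role assignments from "Assign Roles to Users" (OIM stores logins upper-case).
ROLE_MEMBERS = {
    "Portal User": {
        "TAUERBACH", "NJEPSON", "RAMORIM", "MDUDAS", "MTEBBE", "RTEERDHALA", "MSAUVE",
        "PBECKER", "DBRATTEN", "LAULA", "TTHAMES", "GGALVIN", "KVESTERDAL", "DHILDER",
        "LSCHIRTZINGER", "PBRADSHAW", "TSPEARS", "JOLSEN",
    },
}

# Constructed ldapsearch output, not a real capture (see the docstring).
SAMPLE_LDIF = """\
dn: cn=Portal Users,ou=Groups,dc=example,dc=com
uniqueMember: uid=MTEBBE,ou=People,dc=example,dc=com
uniqueMember: uid=MSAUVE,ou=People,dc=example,dc=com
uniqueMember: uid=LSCHIRTZINGER,ou=People,dc=example,dc=com
uniqueMember: uid=TSPEARS,ou=People,dc=example,dc=com
uniqueMember: uid=LAULA,ou=People,dc=example,dc=com
uniqueMember: uid=GGALVIN,ou=People,dc=example,dc=com
uniqueMember: uid=PBECKER,ou=People,dc=example,dc=com
uniqueMember: uid=MDUDAS,ou=People,dc=example,dc=com
uniqueMember: uid=TTHAMES,ou=People,dc=example,dc=com
uniqueMember: uid=KVESTERDAL,ou=People,dc=example,dc=com
uniqueMember: uid=DHILDER,ou=People,dc=example,dc=com
uniqueMember: uid=DBRATTEN,ou=People,dc=example,dc=com
uniqueMember: uid=TAUERBACH,ou=People,dc=example,dc=com
uniqueMember: uid=RTEERDHALA,ou=People,dc=example,dc=com
uniqueMember: uid=PBRADSHAW,ou=People,dc=example,dc=com
uniqueMember: uid=RAMORIM,ou=People,dc=example,dc=com
uniqueMember: uid=JOLSEN,ou=People,dc=example,dc=com
uniqueMember: uid=PALLEN,ou=People,dc=example,dc=com
cn: Portal Users
objectClass: groupofuniquenames
objectClass: top
"""

def norm_dn(dn):
    """Canonical form for comparing DNs: case-folded, no blanks around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_group_members(ldif_text):
    """Return {normalised group DN: set of normalised uniqueMember DNs}.
    Plain (non-base64) attribute values are assumed, as in the page's output."""
    groups, current = {}, None
    # LDIF folds long values onto lines starting with a space; re-join them first.
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        if not line.strip() or line.startswith("#"):
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = norm_dn(value)
            groups[current] = set()
        elif attr == "uniquemember" and current:
            groups[current].add(norm_dn(value))
    return groups

def entitled_members(role_members, policies):
    """What 'Evaluate User Policies' should produce: {group DN: member DNs}.
    Simplified to one policy per role, ignoring OIM policy priorities."""
    entitled = {norm_dn(p["group"]): set() for p in policies.values()}
    for p in policies.values():
        for login in role_members.get(p["role"], ()):
            entitled[norm_dn(p["group"])].add(norm_dn(f"uid={login},{p['container']}"))
    return entitled

def reconcile(expected, actual):
    """missing: entitled but absent from OUD (job not run or provisioning failed);
    orphaned: in OUD with no policy granting it (should have been revoked)."""
    return {g: {"missing": want - actual.get(g, set()),
                "orphaned": actual.get(g, set()) - want}
            for g, want in expected.items()}

def run_check(ldif_text=SAMPLE_LDIF):
    return reconcile(entitled_members(ROLE_MEMBERS, ACCESS_POLICIES),
                     parse_group_members(ldif_text))
```

To run it against the live directory, save the output of the ldapsearch command above to a file and pass its contents to run_check(). The “missing” set is what to look at when the Evaluate User Policies job has not yet provisioned someone; the “orphaned” set is what “Revoke if No Longer Applies” is meant to keep empty, and is the first thing to check after a role is removed from a user.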

Optional steps

  1. Copy the boot.properties file from the Admin Server to the managed server instances, so that a password is not required when starting/stopping each managed server. boot.properties holds the weblogic user name and password (WebLogic encrypts the values with the domain’s SerializedSystemIni.dat key on first start), so keep the copies readable only by the oracle user.
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain/servers
    $ mkdir oia_server1/security
    $ mkdir oim_server1/security
    $ mkdir soa_server1/security
    $ cp AdminServer/security/boot.properties oia_server1/security
    $ cp AdminServer/security/boot.properties oim_server1/security
    $ cp AdminServer/security/boot.properties soa_server1/security
  2. Create desktop shortcuts for stopping and starting the weblogic server instances.
