OIM 11g R2 – Properties Used in IdMConfigtool properties Files

Parameter Example Value Description
ACCESS_GATE_ID IdentityManagerAccessGate The Access Manager access gate ID with which Oracle Identity Manager needs to communicate.
ACCESS_SERVER_HOST mynode.us.example.com Access Manager Access Server host name
ACCESS_SERVER_PORT 5575 Access Manager NAP port.
APNS_FILE /scratch/silent_omsm/keystores/APNS.p12 Apple Push Notification Service (APNS) keystore file; used to establish secure connection to Apple server to send notifications.
APNS_KEYSTORE_PASSWD APNS keystore password.
APPLE_CACERT_FILE /scratch/omss/keystores/applerootca.crt File location of Apple root CA. Required during iOS device enrollment in Oracle Mobile Security Suite (OMSS).
AUTOLOGINURI /obrar.cgi URI required by Oracle Platform Security Services (OPSS). Default value is /obrar.cgi
COOKIE_DOMAIN .us.example.com Web domain on which the Oracle Identity Manager application resides. Specify the domain in the format .cc.example.com.
COOKIE_EXPIRY_INTERVAL -1 Cookie expiration period. Set to -1 to denote that the cookie expires when the session is closed.
DB_PASSWD Database password, used in conjunction with JDBC_URL.
DOMAIN_LOCATION ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain The location of the Oracle Identity Manager domain (and OMSM, if applicable).
DOMAIN_NAME IDM_Domain The Oracle Identity Manager domain name.
EMAIL_ADMIN_USER admin@example.com E-mail admin user; must be an e-mail address.
EMAIL_ADMIN_PASSWD Email admin user’s password
EXCHANGE_DOMAIN_NAME example.com Domain name of the exchange server.
EXCHANGE_SERVER_URL http://testuri.com URL of the exchange server.
EXCHANGE_LISTENER_URL http://testuri.com URL of the exchange listener.
EXCHANGE_SERVER_VERSION 2.0 The version of the exchange server.
EXCHANGE_ADMIN_USER serviceuser Admin user of the exchange server.
EXCHANGE_ADMIN_PASSWD Password of the exchange server’s admin user.
GCM_API_KEY AIzaSyCh_JALj5Y GCM notification API key.
GCM_SENDER_ID 6.10046E+11 GCM notification sender ID.
IDSTORE_ADMIN_PORT 4444 The admin port for an Oracle Unified Directory (OUD) identity store.

idmConfigTool needs to connect on the OUD admin port for all operations changing OUD configuration structures:

  • creation of global ACIs

  • creation of indexes

IDSTORE_HOST idstore.example.com Host name of the LDAP identity store directory (corresponding to the IDSTORE_DIRECTORYTYPE).

If your identity store is in Oracle Internet Directory or Oracle Unified Directory and you connect to it directly, IDSTORE_HOST points to the Oracle Internet Directory or Oracle Unified Directory host. If the identity store is fronted by Oracle Virtual Directory, IDSTORE_HOST points to the Oracle Virtual Directory host (idstore.example.com in the example).

IDSTORE_PORT 1389 Port number of the LDAP identity store (corresponding to the IDSTORE_DIRECTORYTYPE).
IDSTORE_BINDDN cn=orcladmin Administrative user in the identity store directory.
IDSTORE_USERNAMEATTRIBUTE cn Username attribute used to set and search for users in the identity store.

Set to part of the user DN. For example, if the user DN is cn=orcladmin,cn=Users,dc=us,dc=example,dc=com, this property is set to cn.

IDSTORE_LOGINATTRIBUTE uid or email Login attribute of the identity store which contains the user’s login name. This is the attribute the user uses for login.
IDSTORE_USERSEARCHBASE cn=Users,dc=us,dc=example,dc=com Location in the directory where users are stored. This property tells the directory where to search for users.
IDSTORE_SEARCHBASE dc=us,dc=example,dc=com Search base for users and groups contained in the identity store.

Parent location that contains the USERSEARCHBASE and the GROUPSEARCHBASE.

For example:

IDSTORE_SEARCHBASE: cn=oracleAccounts, dc=example,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,cn=oracleAccounts,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,cn=oracleAccounts,dc=example,dc=com
IDSTORE_GROUPSEARCHBASE cn=Groups,dc=us,dc=example,dc=com The location in the directory where groups (or roles) are stored. This property tells the directory where to search for groups or roles.
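The nesting that the IDSTORE_SEARCHBASE example above requires, and the rule that IDSTORE_USERNAMEATTRIBUTE is the attribute of a user's leaf RDN, are easy to get wrong when the properties file is assembled by hand. The following is an added example (not part of idmConfigTool or Oracle's documentation) that checks a properties dictionary for those relationships before the tool is run. The sample values are constructed from the table's examples; the DN handling is deliberately simple (no escaped commas), which is sufficient for the DNs idmConfigTool expects.

```python
# Added example; not part of idmConfigTool or Oracle's documentation.
# Checks that IDSTORE_USERSEARCHBASE, IDSTORE_GROUPSEARCHBASE and
# IDSTORE_SYSTEMIDBASE sit below IDSTORE_SEARCHBASE, that
# IDSTORE_USERNAMEATTRIBUTE is the attribute of a user's leaf RDN, and
# that IDSTORE_ADMIN_USER is a full DN rather than a bare account name.

def parse_dn(dn):
    """Return a DN as a list of (attribute, value) pairs, leaf RDN first,
    lower-cased and with whitespace around separators removed."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(child, parent):
    """True if child is a proper descendant of parent in the directory tree."""
    c, p = parse_dn(child), parse_dn(parent)
    return len(c) > len(p) and c[-len(p):] == p


def check_idstore(props):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    base = props["IDSTORE_SEARCHBASE"]
    for key in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE"):
        if key in props and not is_under(props[key], base):
            problems.append(f"{key}={props[key]} is not below IDSTORE_SEARCHBASE={base}")
    # The username attribute must be the attribute of the leaf RDN of a user DN;
    # the bind DN is the user DN we have at hand.
    leaf_attr = parse_dn(props["IDSTORE_BINDDN"])[0][0]
    want = props.get("IDSTORE_USERNAMEATTRIBUTE", "").lower()
    if want != leaf_attr:
        problems.append(f"IDSTORE_USERNAMEATTRIBUTE={want!r} but user DNs use {leaf_attr!r}")
    # IDSTORE_ADMIN_USER must be a complete LDAP DN, not a bare username.
    admin = props.get("IDSTORE_ADMIN_USER", "")
    if "=" not in admin:
        problems.append(f"IDSTORE_ADMIN_USER={admin!r} is not an LDAP DN")
    return problems


# Constructed sample values, modelled on the table's examples (assumed, not real).
GOOD = {
    "IDSTORE_SEARCHBASE": "cn=oracleAccounts,dc=example,dc=com",
    "IDSTORE_USERSEARCHBASE": "cn=Users,cn=oracleAccounts,dc=example,dc=com",
    "IDSTORE_GROUPSEARCHBASE": "cn=Groups,cn=oracleAccounts,dc=example,dc=com",
    "IDSTORE_SYSTEMIDBASE": "cn=systemids,cn=oracleAccounts,dc=example,dc=com",
    "IDSTORE_BINDDN": "cn=orcladmin,cn=Users,cn=oracleAccounts,dc=example,dc=com",
    "IDSTORE_USERNAMEATTRIBUTE": "cn",
    "IDSTORE_ADMIN_USER": "cn=oamLDAP,cn=systemids,cn=oracleAccounts,dc=example,dc=com",
}
BAD = dict(
    GOOD,
    IDSTORE_GROUPSEARCHBASE="cn=Groups,dc=us,dc=example,dc=com",  # different suffix
    IDSTORE_USERNAMEATTRIBUTE="uid",                               # users are cn=...
    IDSTORE_ADMIN_USER="oamLDAP",                                  # bare username
)

if __name__ == "__main__":
    for name, props in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_idstore(props) or "OK")
```

Run it against a dictionary loaded from your own properties file; every reported problem corresponds to a rule stated in the table, so an empty list is a reasonable precondition before invoking idmConfigTool.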
IDSTORE_OAMSOFTWAREUSER oamLDAP The username used to establish the Access Manager identity store connection. This user is created by the idmconfigtool.
IDSTORE_OAMADMINUSER oamadmin The identity store administrator you want to create for Access Manager. Required only if the identity store is set as the system identity store. The administrator is created by the idmconfigtool.
IDSTORE_OAAMADMINUSER oaamadmin The identity store administrator for Oracle Adaptive Access Manager.
IDSTORE_PROFILENAME idsprofile Name of the identity store profile.
IDSTORE_SYSTEMIDBASE cn=system, dc=test Location of a container in the directory where system operations users are stored so that they are kept separate from enterprise users stored in the main user container. There are only a few system operations users. One example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.
IDSTORE_READONLYUSER User with read-only permissions to the identity store.
IDSTORE_READWRITEUSER User with read-write permissions to the identity store.
IDSTORE_SUPERUSER The Oracle Fusion Applications superuser in the identity store.
IDSTORE_XELSYSADMINUSER The administrator of the xelsysadm system account.
IDSTORE_OIMADMINUSER The identity store administrator for Oracle Identity Manager. User that Oracle Identity Manager uses to connect to the identity store
IDSTORE_OIMADMINGROUP The Oracle Identity Manager administrator group you want to create to hold your Oracle Identity Manager administrative users.
IDSTORE_SSL_ENABLED Whether SSL to the identity store is enabled.

Valid values: true | false

IDSTORE_KEYSTORE_FILE OUD_ORACLE_INSTANCE/OUD/config/admin-keystore Location of the keystore file containing identity store credentials.

Applies to and required for Oracle Unified Directory identity stores.

IDSTORE_KEYSTORE_PASSWORD 4VYGtJLG61V5OjDWKe94e601x7tgLFs Password (PIN) that protects the OUD admin keystore named in IDSTORE_KEYSTORE_FILE. This is the generated keystore PIN, not the plain-text password of the directory administrator.

Applies to and required for Oracle Unified Directory identity stores.

This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. Because the PIN unlocks the admin keystore, keep both the .pin file and any properties file that carries this value readable only by the installation owner.
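Since the value of IDSTORE_KEYSTORE_PASSWORD is copied from admin-keystore.pin, a small check that the copy matches the file and that the file is not readable by other users is worth running before the properties file is used. The code below is an added example, not from Oracle's documentation; the PIN file path and contents are constructed for the demonstration.

```python
# Added example; not from Oracle's documentation. Reads the OUD admin
# keystore PIN that IDSTORE_KEYSTORE_PASSWORD must carry and refuses a PIN
# file that group or other users can read, since the PIN unlocks the keystore.
import os
import stat
import tempfile


def read_keystore_pin(pin_path):
    """Return the PIN stored in admin-keystore.pin, enforcing owner-only access."""
    mode = stat.S_IMODE(os.stat(pin_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{pin_path} is mode {mode:04o}; expected 0600 (owner-only)")
    with open(pin_path, encoding="ascii") as f:
        pin = f.read().strip()
    if not pin:
        raise ValueError(f"{pin_path} is empty")
    return pin


def keystore_password_matches(props, pin_path):
    """True if IDSTORE_KEYSTORE_PASSWORD in the properties equals the PIN on disk."""
    return props.get("IDSTORE_KEYSTORE_PASSWORD") == read_keystore_pin(pin_path)


def demo():
    """Constructed scenario: a temporary PIN file holding the table's example value.
    Returns (match_ok, world_readable_rejected)."""
    pin = "4VYGtJLG61V5OjDWKe94e601x7tgLFs"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "admin-keystore.pin")
        with open(path, "w", encoding="ascii") as f:
            f.write(pin + "\n")
        os.chmod(path, 0o600)
        match_ok = keystore_password_matches({"IDSTORE_KEYSTORE_PASSWORD": pin}, path)
        os.chmod(path, 0o644)  # now readable by everyone: must be rejected
        try:
            read_keystore_pin(path)
            rejected = False
        except PermissionError:
            rejected = True
    return match_ok, rejected


if __name__ == "__main__":
    print(demo())
```

In a real installation call read_keystore_pin with OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin and compare against the loaded properties; a mode check that fails is a finding in its own right, independent of whether the values match.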

IDSTORE_NEW_SETUP Used for identity store validation.

Used in Oracle Fusion Applications environment.

IDSTORE_DIRECTORYTYPE OVD Directory type of the identity store for which the authenticator must be created.

Set to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory, Oracle Internet Directory or Oracle Unified Directory.

Set it to OID if your identity store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.

Set to OUD if your identity store is Oracle Unified Directory and you are accessing it directly rather than through Oracle Virtual Directory.

Valid values: OID, OVD, OUD, AD

IDSTORE_ADMIN_USER cn=systemids,dc=example,dc=com The administrator of the identity store directory. Provide the complete LDAP DN of the same user specified for IDSTORE_OAMSOFTWAREUSER. The username alone is not sufficient.
IDSTORE_WLSADMINUSER weblogic_idm The identity store administrator for Oracle WebLogic Server; usually weblogic_idm.
IDSTORE_WLSADMINUSER_PWD The password of the identity store administrator for Oracle WebLogic Server.
IDSTORE_WLSADMINGROUP WLS Administrators The identity store administrator group for Oracle WebLogic Server.
IDSTORE_WASADMINUSER The “wasadmin” user (IBM WebSphere).
JDBC_URL jdbc:oracle:thin:@example.com:5521:msmdb JDBC URL used to seed APNS/GCM data.
LDAPn_HOST The host name of the LDAP server.
LDAPn_PORT The LDAP server port number.
LDAPn_BINDDN The bind DN for the LDAP server.
LDAPn_SSL Indicates whether the connection to the LDAP server is over SSL.

Valid values are True or False

LDAPn_BASE The base DN of the LDAP server.
LDAPn_OVD_BASE The OVD base DN of the LDAP server.
LDAPn_TYPE The directory type for the LDAP server. n is 1, 2, and so on. For a single-node configuration specify LDAP1.
LOGINURI /${app.context}/adfAuthentication URI required by OPSS. Default value is /${app.context}/adfAuthentication
LOGOUTURI /oamsso/logout.html URI required by OPSS. Default value is /oamsso/logout.html
MDS_DB_URL jdbc:oracle:thin:@DBHOST:1521:SID URL of the MDS database.

The value represents a single-instance database: the string following the '@' symbol must hold the host, listener port and SID for your environment, and SID must be the actual SID, not a service name. For a single-instance database, set MDS_DB_URL to jdbc:oracle:thin:@DBHOST:1521:SID.

MDS_DB_SCHEMA_USERNAME edg_mds Username of the MDS schema user. MDS schema which Oracle Identity Manager is using.
MSM_SCHEMA_USER DEV87_OMSM Mobile Security Manager (MSM) database schema username.
MSM_SERVER_KEY_LENGTH 2048 Key length for the self-signed CA and generated keys for the MSM server. Defaults to 2048.
MSM_SERVER_NAME omsm_server1 Name of the MSM server. Provide this only if the MSM server is renamed to a different value during domain configuration.
MSAS_SERVER_HOST server1.example.com MSAS server host name.
MSAS_SERVER_PORT 11001 MSAS server’s SSL port.
OAM_SERVER_VERSION 10g Set to 10g if using Oracle Access Manager 10g, or 11g if using Access Manager 11g.

Required when the Access Manager server does not support an 11g WebGate in the Oracle Identity Manager-Access Manager integration; in that case set the value to 10g.

Valid values are 10g, 11g.

OAM_TRANSFER_MODE SIMPLE The transfer mode for the Access Manager agent being configured. The value must match the mode the Access Manager servers are configured to accept: if they accept requests in SIMPLE mode, set OAM_TRANSFER_MODE to SIMPLE.

Valid values are OPEN, SIMPLE or CERT.

OAM11G_OAM_SERVER_TRANSFER_MODE OPEN The security model in which the Access Manager 11g server functions.

Valid values: OPEN or SIMPLE.

OAM11G_SSO_ONLY_FLAG false Configures Access Manager 11g for authentication-only mode or for normal mode, which supports both authentication and authorization. The default value is true, meaning OAM performs no authorization.

If set to true, the Access Manager 11g server operates in authentication-only mode, where every authorization request returns true without any policy evaluation. The server avoids the overhead of authorization handling, but no authorization policy is enforced; use this only for applications that do not depend on authorization policies and need only the authentication feature of the Access Manager server.

If the value is false, the server runs in default mode, where each authentication is followed by one or more authorization requests to the OAM Server. WebGate allows the access to the requested resources or not, based on the responses from the OAM server.

OAM11G_IDSTORE_ROLE_SECURITY_ADMIN OAMAdministrators Name of the group that is used to allow access to the Oracle Access Management Administration Console to administer role security in identity store.
OAM11G_OIM_INTEGRATION_REQ false Specifies whether to integrate with Oracle Identity Manager or configure Access Manager in stand-alone mode. Set to true for integration.

Valid values: true (integration) | false

OAM11G_SERVER_LBR_HOST sso.example.com Host name of the load balancer in front of the Oracle HTTP Server (OHS) that fronts the Access Manager server. This and the following two parameters are used to construct your login URL.
OAM11G_SERVER_LBR_PORT 443 Port number of the load balancer to the OHS server front-ending the Access Manager server.
OAM11G_SERVER_LBR_PROTOCOL https Protocol of the load balancer to the OHS server front-ending the Access Manager server.

Valid values: HTTP, HTTPS

OAM11G_SERVER_LOGIN_ATTRIBUTE uid At a login attempt, the username is validated against this attribute in the identity store. Setting to uid ensures that when users log in their username is validated against the uid attribute in LDAP.
OAM11G_SERVER_GLOBAL_SESSION_TIMEOUT The global session timeout for sessions in the Access Manager server.
OAM11G_SERVER_GLOBAL_SESSION_EXPIRY_TIME Global session expiry time for a session in the Access Manager server.
OAM11G_SERVER_GLOBAL_MAX_SESSION_PER_USER Global maximum sessions per user in the Access Manager server.
OAM11G_IDSTORE_NAME The identity store name. If you already have an identity Store in place which you wish to reuse (rather than allowing the tool to create a new one for you), set this parameter to the name of the Identity Store.

The default value is “OAMIDStore”.

OAM11G_IMPERSONATION_FLAG Enable or disable impersonation in Access Manager server.

Applicable to Oracle Fusion Applications environment.

Valid values: true (enable) | false

The default is false. If you are using impersonation, you must manually set this value to true.

OAM11G_IDM_DOMAIN_OHS_HOST sso.example.com Host name of the load balancer which is in front of OHS in a high-availability configuration.
OAM11G_IDM_DOMAIN_OHS_PORT 443 Port number on which the load balancer specified as OAM11G_IDM_DOMAIN_OHS_HOST listens.
OAM11G_IDM_DOMAIN_OHS_PROTOCOL https Protocol to use when directing requests to the load balancer in front of the IDM domain OHS.

Valid values: HTTP | HTTPS

OAM11G_OIM_OHS_URL https://sso.example.com:443/test URL of the load balancer or OHS fronting the OIM server.
OAM11G_WG_DENY_ON_NOT_PROTECTED true Deny-on-not-protected flag for a 10g WebGate. When true, the WebGate denies requests for resources that no policy explicitly protects (fail closed); when false, such resources are served without authentication.

Valid values: true | false

OAM11G_OAM_SERVER_TRANSFER_MODE simple Second listing of the property described above (the security model of the Access Manager 11g server). Whichever mode you choose must be one the Access Manager servers are configured to accept and must be compatible with OAM_TRANSFER_MODE; OPEN sends agent-to-server traffic unencrypted.

Valid values: OPEN | SIMPLE | CERT

OAM11G_IDM_DOMAIN_LOGOUT_URLS /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp Comma-separated list of Access Manager logout URLs.
OAM11G_WLS_ADMIN_HOST myhost.example.com On WebLogic Server: Host name of the Access Manager domain admin server.

On IBM WebSphere: The Access Manager application server host.

OAM11G_WLS_ADMIN_PORT 7001 On WebLogic Server: Port on which the Access Manager domain admin server is running.

On IBM WebSphere: Deployment Manager bootstrap port for Access Manager cell.

OAM11G_WLS_ADMIN_USER wlsadmin, wasadmin On WebLogic Server: The username of the Access Manager domain administrator.

On IBM WebSphere: Primary administrative user name for Access Manager cell.

OAM_ADMIN_WAS_DEFAULT_PORT 1443 On IBM WebSphere, OAM node’s OracleAdminServer default port number
OAM_POLICY_MGR_SERVER_NAME oam_policy_mgr1 Name of the Access Manager policy manager server. Provide this only if the policy manager server is renamed to a different value during domain configuration.
OIM_DB_URL The URL needed to connect to the Oracle Identity Manager database.
OIM_DB_SCHEMA_USERNAME The schema user for the Oracle Identity Manager database.
OIM_FRONT_END_HOST host123.example.com The host name of the LBR server front-ending Oracle Identity Manager.
OIM_FRONT_END_PORT 7011 The port number of the LBR server front-ending Oracle Identity Manager.
OIM_MANAGED_SERVER_NAME WLS_OIM1 The name of the Oracle Identity Manager managed server. If clustered, any of the managed servers can be specified.
OIM_MANAGED_SERVER_HOST The host name of the Oracle Identity Manager managed server.
OIM_MANAGED_SERVER_PORT The port number of the Oracle Identity Manager managed server.
OIM_MSM_REST_SERVER_URL https://msm.example.com:1234/ The URL of the Oracle Mobile Security Manager server. Required only if the MSM URL needs to be seeded in Oracle Identity Manager and the system property OMSS Enabled is set. Setting OIM_MSM_REST_SERVER_URL enables the Mobile Security Manager task flows in the Oracle Identity Manager console; if it is not set, configOIM continues without configuring Mobile Security Manager. Setting OMSS Enabled requires the Oracle Identity Manager server to be up.
OIM_T3_HOST The host name for the Oracle Identity Manager T3 server.
OIM_T3_PORT The port number of the Oracle Identity Manager T3 server.
OIM_WAS_CELL_CONFIG_DIR The location of the fmwconfig directory within the Oracle Identity Manager cell on IBM WebSphere.
OMSS_KEYSTORE_PASSWORD Password used to generate OMSM keystores and keys
OMSM_IDSTORE_ROLE_SECURITY_ADMIN MSMAdmin Name of the admin group whose members have admin privileges for OMSM operations.

Default is “IDM Administrators”.

OMSM_IDSTORE_ROLE_SECURITY_HELPDESK MSMHelpDeskUsers Name of the msm helpdesk group, whose members get helpdesk privileges for OMSM operations.

Default is “MSMHelpdeskUsers”.

ovd.host OVD Server host name
ovd.port OVD Server port number
ovd.binddn OVD Server bind DN
ovd.ssl Indicates whether the connection is over SSL.

Valid values are True or False

ovd.oamenabled Indicates whether Oracle Access Manager is enabled.

Valid values are True or False

POLICYSTORE_SHARES_IDSTORE true Denotes whether the policy store and identity store share the directory. Always true in Release 11g.

Valid values: true, false

POLICYSTORE_HOST mynode.us.example.com The host name of your policy store directory.
POLICYSTORE_PORT 1234 The port number of your policy store directory.
POLICYSTORE_BINDDN cn=orcladmin Administrative user in the policy store directory.
POLICYSTORE_SEARCHBASE dc=example,dc=com The location in the directory where users and groups are stored.
POLICYSTORE_SYSTEMIDBASE cn=systemids, dc=example,dc=com The read-only and read-write users for policy store are created in this location.

Default value is cn=systemids, policy_store_search_base

POLICYSTORE_READONLYUSER PolStoreROUser A user with read privileges in the policy store.
POLICYSTORE_READWRITEUSER PolStoreRWUser A user with read and write privileges in the policy store.
POLICYSTORE_CONTAINER cn=jpsroot The name of the container used for OPSS policy information
POLICYSTORE_SSL_ENABLED Whether the policy store is SSL-enabled.
POLICYSTORE_KEYSTORE_FILE The location of the keystore file for an SSL-enabled policy store.
PROXY_SERVER_HOST www-proxy.example.com Proxy server’s host name.
PROXY_SERVER_PORT 80 Proxy server’s port.
PROXY_USER proxyuserA User for proxy.
PROXY_PASSWD Password for proxy user.
SCEP_DYNAMIC_CHALLENGE_USER OMSM uses a Simple Certificate Enrollment Protocol (SCEP) dynamic challenge for external SCEP authentication during the enrollment phase. This user account is used for authentication.
SCEP_DYNAMIC_CHALLENGE_PASSWD SCEP dynamic challenge user’s password
SPLIT_DOMAIN true Flag to force configOAM to create security providers in the domain against which it is run.

Valid values are true, false.

Setting to true is required to suppress the double authentication of Oracle Access Management administration console in a split domain scenario.

SSO_ENABLED_FLAG false Flag to determine if SSO should be enabled.

Valid values are true, false.

WEBGATE_TYPE javaWebgate The type of WebGate agent you want to create. Set to:

  • ohsWebgate10g if using Webgate version 10

  • ohsWebgate11g if using Webgate version 11

PRIMARY_OAM_SERVERS idmhost1.example.com:5575,idmhost2.example.com:5575 A comma-separated list of your Access Manager servers and their proxy ports.

To determine the proxy ports of your Access Manager servers:

  1. Log in to the Oracle Access Management administration console at http://admin.example.com:7001/oamconsole
  2. At the top of the Oracle Access Management Console, click Configuration.
  3. In the Configuration console, click Server Instances.
  4. In the page that appears, click Search, then double-click the target instance (for example, WLS_OAM1) to display its configuration. The proxy port is shown as Port.
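Several of the Access Manager entries above carry format rules (PRIMARY_OAM_SERVERS as host:port pairs, an HTTP or HTTPS load-balancer protocol, a well-formed OHS URL, a transfer mode from a fixed set, and an MDS URL in SID rather than service-name form) and two of them have security consequences (OPEN transfer mode and OAM11G_SSO_ONLY_FLAG=true). The following is an added example, not part of idmConfigTool or Oracle's documentation, that lints those values in a properties dictionary and reports the consequences as findings. The sample values are constructed from the table's examples; the MDS host and SID are assumed.

```python
# Added example; not part of idmConfigTool. Lints the Access Manager
# front-end and agent settings described in the table and reports both
# format errors and settings with security consequences.
import re
from urllib.parse import urlsplit

VALID_PROTOCOLS = {"http", "https"}
VALID_TRANSFER_MODES = {"OPEN", "SIMPLE", "CERT"}
# SID form the table requires: jdbc:oracle:thin:@DBHOST:1521:SID
SID_URL = re.compile(r"^jdbc:oracle:thin:@([^:/@]+):(\d{1,5}):([A-Za-z][\w$#]*)$")


def parse_oam_servers(value):
    """Split 'host:port,host:port' into [(host, port)], validating each port."""
    servers = []
    for item in value.split(","):
        host, sep, port = item.strip().rpartition(":")
        if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad PRIMARY_OAM_SERVERS entry {item!r}; expected host:port")
        servers.append((host, int(port)))
    return servers


def login_base_url(props):
    """The scheme://host:port that the OAM11G_SERVER_LBR_* parameters describe."""
    proto = props["OAM11G_SERVER_LBR_PROTOCOL"].lower()
    return f"{proto}://{props['OAM11G_SERVER_LBR_HOST']}:{props['OAM11G_SERVER_LBR_PORT']}"


def lint_oam(props):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    try:
        parse_oam_servers(props.get("PRIMARY_OAM_SERVERS", ""))
    except ValueError as e:
        findings.append(str(e))
    proto = props.get("OAM11G_SERVER_LBR_PROTOCOL", "").lower()
    if proto not in VALID_PROTOCOLS:
        findings.append(f"OAM11G_SERVER_LBR_PROTOCOL={proto!r} is not HTTP or HTTPS")
    elif proto == "http":
        findings.append("OAM11G_SERVER_LBR_PROTOCOL=http: the login URL carries credentials in clear text")
    u = urlsplit(props.get("OAM11G_OIM_OHS_URL", ""))
    if u.scheme not in VALID_PROTOCOLS or not u.hostname:
        findings.append(f"OAM11G_OIM_OHS_URL={props.get('OAM11G_OIM_OHS_URL')!r} is not an http(s) URL")
    for key in ("OAM_TRANSFER_MODE", "OAM11G_OAM_SERVER_TRANSFER_MODE"):
        mode = props.get(key, "").upper()
        if mode not in VALID_TRANSFER_MODES:
            findings.append(f"{key}={mode!r} is not OPEN, SIMPLE or CERT")
    if props.get("OAM_TRANSFER_MODE", "").upper() == "OPEN":
        findings.append("OAM_TRANSFER_MODE=OPEN: WebGate-to-server traffic is not encrypted")
    if not SID_URL.match(props.get("MDS_DB_URL", "")):
        findings.append("MDS_DB_URL must be jdbc:oracle:thin:@DBHOST:1521:SID (a SID, not a service name)")
    if props.get("OAM11G_SSO_ONLY_FLAG", "").lower() == "true":
        findings.append("OAM11G_SSO_ONLY_FLAG=true: authentication-only mode, authorization policies are not enforced")
    return findings


# Constructed sample values modelled on the table's examples (MDS host/SID assumed).
GOOD = {
    "PRIMARY_OAM_SERVERS": "idmhost1.example.com:5575,idmhost2.example.com:5575",
    "OAM11G_SERVER_LBR_HOST": "sso.example.com",
    "OAM11G_SERVER_LBR_PORT": "443",
    "OAM11G_SERVER_LBR_PROTOCOL": "https",
    "OAM11G_OIM_OHS_URL": "https://sso.example.com:443/test",
    "OAM_TRANSFER_MODE": "SIMPLE",
    "OAM11G_OAM_SERVER_TRANSFER_MODE": "SIMPLE",
    "MDS_DB_URL": "jdbc:oracle:thin:@dbhost.example.com:1521:idmdb",
    "OAM11G_SSO_ONLY_FLAG": "false",
}
BAD = dict(
    GOOD,
    PRIMARY_OAM_SERVERS="idmhost1.example.com:5575,idmhost2.example.com",  # missing port
    OAM11G_SERVER_LBR_PROTOCOL="http",
    OAM11G_OIM_OHS_URL="sso.example.com/test",                             # no scheme
    OAM_TRANSFER_MODE="OPEN",
    OAM11G_OAM_SERVER_TRANSFER_MODE="open",
    MDS_DB_URL="jdbc:oracle:thin:@//dbhost.example.com:1521/idmdb.example.com",  # service name
    OAM11G_SSO_ONLY_FLAG="true",
)

if __name__ == "__main__":
    print(login_base_url(GOOD))
    for name, props in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_oam(props) or "OK")
```

The findings about OPEN mode and OAM11G_SSO_ONLY_FLAG are not format errors; they are there so that a deliberate choice of a weaker setting is visible in the review of the properties file rather than discovered later.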
SMTP_HOST exchangeurl.us.example.com E-mail host.
SMTP_PORT 80 E-mail port.
TOPIC com.apple.mgmt.External.2544264e-aa8a-4654-bfff-9d897ed39a87 Topic used in Apple’s APNS certificate; used to send APNS notification.

The value should match the UID of the APNS key.

USE_PROXY true Indicates whether to use a proxy. Valid values are true, false.
WLSHOST node01.example.com WebLogic Server host name (host name of your administration server).
WLSPORT 7001 The WebLogic Server port number
WLSADMIN wlsadmin The administrator login, depending on the application server context.
WLSPASSWD The WebLogic Server administrator password.
