Extending Directory Schema for Oracle Access Manager

Preparing Identity and Policy Stores 10-5

   Data in the store after migration has been tested to be available
   Update of in-memory jps configuration is done
   Policy store reassociation done.
   Starting credential store reassociation
   The store and ServiceConfigurator setup done.
   Schema is seeded into the store
   Data is migrated to the store
   Data in the store after migration has been tested to be available
   Update of in-memory jps configuration is done
   Credential store reassociation done
   Starting Keystore reassociation
   The store and ServiceConfigurator setup done.
   Schema is seeded into the store
   Data is migrated to the store
   Data in the store after migration has been tested to be available
   Update of in-memory jps configuration is done
   Keystore reassociation done
   Jps Configuration has been changed. Please restart the application server.

4. Restart the WebLogic Administration Server, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components," after the command completes successfully.

10.4 Preparing the Identity Store

This section describes how to prepare the Identity Store. It contains the following topics:

■ Section 10.4.1, "Extending Directory Schema for Oracle Access Manager"
■ Section 10.4.2, "Creating Users and Groups for Oracle Access Manager"
■ Section 10.4.3, "Creating Users and Groups for Oracle Adaptive Access Manager"
■ Section 10.4.4, "Creating Users and Groups for Oracle Identity Manager"
■ Section 10.4.5, "Creating Users and Groups for Oracle WebLogic Server"
■ Section 10.4.6, "Disable Anonymous Binds to Oracle Virtual Directory LDAP Ports"
■ Section 10.4.7, "Set Up Oracle Virtual Directory–Oracle Identity Manager Access Control Lists"
■ Section 10.4.8, "Creating Access Control Lists in Non-Oracle Internet Directory Directories"
■ Section 10.4.9, "Updating Oracle Virtual Directory Adapters"

10.4.1 Extending Directory Schema for Oracle Access Manager

Pre-configuring the Identity Store extends the schema in Oracle Internet Directory. To do this, perform the following tasks on IDMHOST1:

Note: You do not need to preconfigure the Identity Store unless you are using Oracle Access Manager or Oracle Identity Manager.

1. Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

   Set IDM_HOME to IDM_ORACLE_HOME.

   Set ORACLE_HOME to IAM_ORACLE_HOME.

10-6 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management

2. Create a properties file, called extend.props, with the following contents:

   IDSTORE_HOST: idstore.mycompany.com
   IDSTORE_PORT: 389
   IDSTORE_BINDDN: cn=orcladmin
   IDSTORE_USERNAMEATTRIBUTE: cn
   IDSTORE_LOGINATTRIBUTE: uid
   IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
   IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
   IDSTORE_SEARCHBASE: dc=mycompany,dc=com
   IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com

   Where:

   ■ IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your Identity Store directory. If you are using a non-OID directory, then specify the Oracle Virtual Directory host, which should be IDSTORE.mycompany.com. If your Identity Store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.
   ■ IDSTORE_BINDDN is an administrative user in the Identity Store directory.
   ■ IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
   ■ IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
   ■ IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
   ■ IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely, but one example is the Oracle Identity Manager reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters.
   ■ IDSTORE_USERNAMEATTRIBUTE is the LDAP attribute which contains the username. This is usually CN.
   ■ IDSTORE_LOGINATTRIBUTE is the LDAP attribute which contains the user's login name.

3. Configure the Identity Store by using the command idmConfigTool, which is located at:

   IAM_ORACLE_HOME/idmtools/bin

   Note: When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory IAM_ORACLE_HOME/idmtools/bin.

   The syntax of the command on Linux is:

   idmConfigTool.sh -preConfigIDStore input_file=configfile

   The syntax on Windows is:

   idmConfigTool.bat -preConfigIDStore input_file=configfile

   For example:

   idmConfigTool.sh -preConfigIDStore input_file=extend.props

   When the command runs, you are prompted to enter the password of the account you are connecting to the Identity Store with.

   Sample command output, when running the command against Oracle Virtual Directory:

   Enter ID Store Bind DN password:
   May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
   May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
   May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
   May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
   May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
   May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
   May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
   May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
   May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
   INFO: - LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
   The tool has completed its operation. Details have been logged to automation.log

4. Check the log file for any errors or warnings and correct them. The file with the name automation.log is created in the directory from where you run the tool.

   Note: In addition to creating users, idmConfigTool creates the groups OrclPolicyAndCredentialWritePrivilegeGroup and OrclPolicyAndCredentialReadPrivilegeGroup.
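As an added example (not from this guide and not part of Oracle's idmConfigTool), the following POSIX shell script wraps steps 2 and 4 of the procedure above: it checks that extend.props carries a value for every key the procedure lists before the tool is run, and afterwards counts WARNING and SEVERE records in automation.log, whose sample output above follows the two-line java.util.logging format. The extend.props, bad.props and automation.log files it uses are constructed inline so the script runs offline.

```bash
#!/bin/sh
# Added pre-flight/post-run checks around idmConfigTool -preConfigIDStore (not Oracle's tooling).
REQUIRED_KEYS="IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN IDSTORE_USERNAMEATTRIBUTE \
IDSTORE_LOGINATTRIBUTE IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE \
IDSTORE_SEARCHBASE IDSTORE_SYSTEMIDBASE"

# check_props FILE: report every required "KEY: value" line that is missing or
# has an empty value; returns 0 only when all nine keys carry a value.
check_props() {
    rc=0
    for key in $REQUIRED_KEYS; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*:[[:space:]]*[^[:space:]]" "$1"; then
            echo "extend.props: missing or empty $key"
            rc=1
        fi
    done
    return $rc
}

# count_log_problems FILE: number of java.util.logging records at WARNING or
# SEVERE level in automation.log (records start with the level, as in the sample output).
count_log_problems() {
    grep -Ec '^(SEVERE|WARNING):' "$1" || true   # grep -c exits 1 on a zero count
}

WORK=$(mktemp -d)
cat > "$WORK/extend.props" <<'EOF'
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
EOF
printf 'IDSTORE_HOST: idstore.mycompany.com\nIDSTORE_PORT:\n' > "$WORK/bad.props"
# Constructed automation.log: one INFO record plus one WARNING and one SEVERE record.
cat > "$WORK/automation.log" <<'EOF'
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: - LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
WARNING: - (constructed) sample warning record
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
SEVERE: - (constructed) sample error record
EOF
check_props "$WORK/extend.props" && echo "extend.props: all required keys present"
echo "automation.log problems: $(count_log_problems "$WORK/automation.log")"
```

Run it from IAM_ORACLE_HOME/idmtools/bin against the real extend.props before invoking the tool, and against the real automation.log afterwards; a non-zero problem count means step 4 still has work to do.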

10.4.2 Creating Users and Groups for Oracle Access Manager