Integrating Components 18-9
18.1.5 Integrating Oracle Access Manager 11g with Oracle Identity Manager 11g
This section describes how to integrate Oracle Access Manager 11g with Oracle Identity Manager 11g.
18.1.5.1 Remove Security Providers
If you have previously performed the tasks in Section 19, Configuring Single Sign-on for Administration Consoles, you must delete the security providers you created in that section. To do this:
1. Log in to the WebLogic Administration Console at: http://admin.mycompany.com/console
2. Click Security Realms from the Domain structure menu.
3. Click Lock and Edit in the Change Center.
4. Click myrealm.
5. Select the Providers tab. Select the following providers:
■ OVDAuthenticator
■ OIDAuthenticator
■ OAMIDAssertor
6. Click Delete.
7. Click Yes to confirm deletion.
8. Restart the administration server and all managed servers, as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.
18.1.5.2 Integrating Oracle Access Manager with Oracle Identity Manager by Using idmConfigTool
To integrate Oracle Access Manager 11g with Oracle Identity Manager, perform the following steps on IDMHOST1:
1. Set the environment variables MW_HOME, JAVA_HOME, IDM_HOME, and ORACLE_HOME, for example:
export IDM_HOME=IDM_ORACLE_HOME
export ORACLE_HOME=IAM_ORACLE_HOME
2.
2. Create a properties file for the integration called oimitg.props, with the following contents:
LOGINURI: /${app.context}/adfAuthentication
LOGOUTURI: /oamsso/logout.html
AUTOLOGINURI: None
ACCESS_SERVER_HOST: OAMHOST1.mycompany.com
ACCESS_SERVER_PORT: 5575
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .mycompany.com
COOKIE_EXPIRY_INTERVAL: 120
OAM_TRANSFER_MODE: simple
WEBGATE_TYPE: ohsWebgate10g
SSO_ENABLED_FLAG: true
IDSTORE_PORT: 389
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_DIRECTORYTYPE: OID or OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=mycompany,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
MDS_DB_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(ADDRESS=(protocol=tcp)(host=OIDDBHOST1-vip.mycompany.com)(port=1521))(ADDRESS=(protocol=tcp)(host=OIDDBHOST2-vip.mycompany.com)(port=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=oidedg.mycompany.com)))
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: adminvhn.mycompany.com
WLSPORT: 7001
WLSADMIN: weblogic
DOMAIN_NAME: IDMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
See Also: Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
18-10 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
3. Change location to IAM_ORACLE_HOME/server:
cd IAM_ORACLE_HOME/server
4. Integrate Oracle Access Manager with Oracle Identity Manager using the command idmConfigTool, which is located at:
IAM_ORACLE_HOME/idmtools/bin
Notes:
■ Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory host or load balancer name.
■ Set IDSTORE_DIRECTORYTYPE to OVD if you are using Oracle Virtual Directory server to connect to either a non-OID directory or Oracle Internet Directory. Set it to OID if your Identity Store is in Oracle Internet Directory and you are accessing it directly rather than through Oracle Virtual Directory.
■ If your access manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to simple. Otherwise, set OAM_TRANSFER_MODE to open.
■ Set IDSTORE_PORT to your Oracle Internet Directory port if you are using Oracle Internet Directory as your Identity Store. If not, set it to your Oracle Virtual Directory port.
■ If you are using a single instance database, then set MDS_DB_URL to: jdbc:oracle:thin:@DBHOST:1521:SID
The syntax of the command is idmConfigTool.sh -configOIM input_file=configfile on Linux and UNIX-based systems, and idmConfigTool.bat -configOIM input_file=configfile on Windows. For example:
IAM_ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configOIM input_file=oimitg.props
When the script runs you are prompted for:
■ Access Gate Password
■ SSO Keystore Password
■ Global Passphrase
■ Idstore Admin Password
■ MDS Database schema password
■ Admin Server User Password
Sample output:
Enter sso access gate password:
Enter mds db schema password:
Enter idstore admin password:
Enter admin server user password:
Seeding OAM Passwds in OIM
Enter ssoKeystore.jks Password:
Enter SSO Global Passphrase:
Completed loading user inputs for - CSF Config
Updating CSF with Access Gate Password...
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Updating CSF ssoKeystore.jks Password...
Updating CSF for SSO Global Passphrase Password...
Activating OAM Notifications
Completed loading user inputs for - MDS DB Config
Initialized MDS resources
Apr 11, 2011 4:57:45 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:46 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
Upload to DB completed
Releasing all resources
Notifications activated.
Seeding OAM Config in OIM
Completed loading user inputs for - OAM Access Config
Validated input values
Initialized MDS resources
Apr 11, 2011 4:57:46 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
Download from DB completed
Releasing all resources
Updated /u01/app/oracle/product/fmw/iam/server/oamMetadata/db/oim-config.xml
Initialized MDS resources
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer operation started.
Apr 11, 2011 4:57:47 AM oracle.mds
NOTIFICATION: transfer is completed. Total number of documents successfully processed: 1, total number of documents failed: 0.
Upload to DB completed
Releasing all resources
OAM configuration seeded. Please restart oim server.
Configuring Authenticators in OIM WLS
Completed loading user inputs for - Dogwood Admin WLS
Completed loading user inputs for - LDAP connection info
Connecting to t3://adminvhn.mycompany.com:7001
Connection to domain runtime mbean server established
Starting edit session
Edit session started
Connected to security realm.
Validating provider configuration
Validated desired authentication providers
Validated authentication provider state successfuly.
Created OAMIDAsserter successfuly
Created OIDAuthenticator successfuly
Created OIMSignatureAuthenticator successfuly
Setting attributes for OID Authenticator
All attributes set.
Configured in OID Authenticator now
lDAP details configured in OID authenticator
Control flags for authenticators set sucessfully
Reordering of authenticators done sucessfully
Saving the transaction
Transaction saved
Activating the changes
Changes Activated.
Edit session ended.
Connection closed sucessfully
Note: When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that each time the tool is run the same file is appended to, always run the idmConfigTool from the directory:
IAM_ORACLE_HOME/idmtools/bin
5. Check the log file for errors and correct them if necessary.
6. Restart WLS_OIM1, WLS_OIM2, and the WebLogic Administration Server, as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.
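A pre-flight check for the oimitg.props file used in steps 2 and 4 above, added here as an example; it is not part of the Oracle guide or of the idmConfigTool. It assumes the key names shown in the guide; the validation rules, the helper names (prop, validate_props, write_sample_props) and the example.com sample values are this example's own.

```shell
#!/bin/sh
# Pre-flight check for an idmConfigTool -configOIM properties file. Added
# example, not from the Oracle guide: key names follow the guide's oimitg.props,
# the checks and the sample values are this example's own.
# prop FILE KEY -> value of the "KEY: value" line in FILE (empty if absent)
prop() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }
# validate_props FILE -> 0 if every check passes, 1 otherwise; each failure is
# reported on stderr so the operator fixes the file before running the tool
validate_props() {
  f=$1; rc=0
  for k in ACCESS_SERVER_HOST ACCESS_GATE_ID COOKIE_DOMAIN OAM_TRANSFER_MODE \
           IDSTORE_HOST IDSTORE_DIRECTORYTYPE IDSTORE_ADMIN_USER MDS_DB_URL \
           MDS_DB_SCHEMA_USERNAME WLSHOST DOMAIN_NAME OIM_MANAGED_SERVER_NAME; do
    [ -n "$(prop "$f" "$k")" ] || { echo "missing key: $k" >&2; rc=1; }
  done
  case "$(prop "$f" IDSTORE_DIRECTORYTYPE)" in
    OID|OVD) ;; *) echo "IDSTORE_DIRECTORYTYPE must be OID or OVD" >&2; rc=1 ;;
  esac
  case "$(prop "$f" OAM_TRANSFER_MODE)" in
    simple|open) ;; *) echo "OAM_TRANSFER_MODE must be simple or open" >&2; rc=1 ;;
  esac
  # RAC descriptor and single-instance host:port:SID forms share this prefix
  case "$(prop "$f" MDS_DB_URL)" in
    'jdbc:oracle:thin:@'*) ;; *) echo "MDS_DB_URL is not an Oracle thin URL" >&2; rc=1 ;;
  esac
  # the OAM session cookie must be scoped to the parent domain shared by OAM and OIM
  case "$(prop "$f" COOKIE_DOMAIN)" in
    .*) ;; *) echo "COOKIE_DOMAIN must start with a dot" >&2; rc=1 ;;
  esac
  # the tool prompts for every password; none belongs in a file on disk
  if grep -qi 'PASS' "$f"; then echo "remove passwords from the file" >&2; rc=1; fi
  return $rc
}
# write_sample_props FILE -> constructed sample in the guide's format
write_sample_props() {
  cat > "$1" <<'EOF'
ACCESS_SERVER_HOST: oamhost1.example.com
ACCESS_GATE_ID: Webgate_IDM
COOKIE_DOMAIN: .example.com
OAM_TRANSFER_MODE: simple
IDSTORE_HOST: idstore.example.com
IDSTORE_DIRECTORYTYPE: OVD
IDSTORE_ADMIN_USER: cn=oamLDAP,cn=Users,dc=example,dc=com
MDS_DB_URL: jdbc:oracle:thin:@dbhost.example.com:1521:oidedg
MDS_DB_SCHEMA_USERNAME: edg_mds
WLSHOST: adminvhn.example.com
DOMAIN_NAME: IDMDomain
OIM_MANAGED_SERVER_NAME: WLS_OIM1
EOF
}
```

Run validate_props against your own oimitg.props from IAM_ORACLE_HOME/idmtools/bin before invoking idmConfigTool; a file that still carries the guide's "OID or OVD" placeholder is rejected.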
18.1.6 Updating Oracle Virtual Directory Authenticator
When configOIM has finished, it will have created an Oracle Virtual Directory authenticator if you are using Oracle Virtual Directory. This authenticator must be updated, as follows.
1. Log in to the WebLogic console at http://admin.mycompany.com/console
2. Click Security Realms from the domain structure.
3. Click My Realm.
4. Click the Providers tab.
5. Click the OVDAuthenticator provider.
6. Click Lock and Edit.
7. Click the Provider Specific tab.
8. Change the following values:
■ All Users Filter: (&(uid=*)(objectclass=person))
■ User From Name Filter: (&(uid=%u)(objectclass=person))
9. Click Save.
10. Click Activate Changes.
11. Restart the Administration Server, WLS_OAM1, WLS_OAM2, WLS_OIM1, and WLS_OIM2, and any other managed servers that are running.
Notes:
■ If you have already enabled single sign-on for your WebLogic Administration Consoles as described in Section 19.1, Configuring Single Sign-On for Administration Consoles with Oracle Access Manager 11g, you might see the following errors when this script is run:
ERROR: Desired authenticators already present. [Ljava.lang.String;@7fdb492]
ERROR: Error occurred while configuration. Authentication providers to be configured already present.
ERROR: Rolling back the operation..
These errors can be ignored.
■ You might see errors in the log file that look like this:
ALL: Error seeding SSOGlobalPP credential
This is a bug and the workaround is described in the next section.