Tuning Oracle Platform Security Backing Up the Application Tier Configuration

Extending the Domain with Oracle Identity Manager 14-23

5. Click Default Policy for Username Generation.

6. In the Value field, update the entry from oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy to oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD.

7. Click Save.

14.15 Update Oracle Identity Manager JMS Queues

Update Oracle Identity Manager JMS queues as follows:

1. Log in to the WebLogic console as the administrative user.

2. Select Services - Messaging - JMS Modules from the Domain Structure menu.

3. Click OIMJMSModule.

4. Click Lock & Edit.

5. For each of the queues, click the queue, then click the Delivery Failure tab and change the Redelivery Limit value from -1 to 1, then click Save.

6. Make sure you have performed Steps 4 and 5 for all the queues under OIMJMSModule.

7. Click Activate Changes.

8. Restart Oracle Identity Manager servers as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.
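As an added check (not part of the Oracle guide), the following script audits a saved copy of a WebLogic JMS module descriptor and lists every queue whose Redelivery Limit is not 1, which is the verification Step 6 asks for. It assumes the descriptor uses the standard weblogic-jms namespace; the queue names and the descriptor itself are a constructed sample, not an export of OIMJMSModule.

```python
import xml.etree.ElementTree as ET

NS = {"jms": "http://xmlns.oracle.com/weblogic/weblogic-jms"}
EXPECTED_LIMIT = 1  # the value the procedure above sets on every queue

# Constructed sample resembling config/jms/<module>-jms.xml; names are illustrative only
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-jms xmlns="http://xmlns.oracle.com/weblogic/weblogic-jms">
  <uniform-distributed-queue name="oimAttestationQueue">
    <delivery-failure-params>
      <redelivery-limit>1</redelivery-limit>
    </delivery-failure-params>
  </uniform-distributed-queue>
  <uniform-distributed-queue name="oimAuditQueue">
    <delivery-failure-params>
      <redelivery-limit>-1</redelivery-limit>
    </delivery-failure-params>
  </uniform-distributed-queue>
  <queue name="oimProcessQueue"/>
</weblogic-jms>
"""

def redelivery_limits(descriptor_xml: str) -> dict:
    """Return {queue name: redelivery limit}. None means no limit element is
    present, in which case WebLogic applies its default of -1 (unlimited)."""
    root = ET.fromstring(descriptor_xml)
    limits = {}
    for tag in ("queue", "uniform-distributed-queue"):
        for q in root.findall(f"jms:{tag}", NS):
            node = q.find("jms:delivery-failure-params/jms:redelivery-limit", NS)
            limits[q.get("name")] = int(node.text) if node is not None else None
    return limits

def queues_needing_update(descriptor_xml: str) -> list:
    """Queues whose limit is not EXPECTED_LIMIT, sorted for stable reporting."""
    return sorted(name for name, limit in redelivery_limits(descriptor_xml).items()
                  if limit != EXPECTED_LIMIT)

if __name__ == "__main__":
    for name in queues_needing_update(SAMPLE_DESCRIPTOR):
        print(f"{name}: Redelivery Limit is not {EXPECTED_LIMIT}")
```

Run it against a copy of the descriptor; apply any changes through the console or WLST as above rather than by editing the file while the servers are running.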

14.16 Tuning Oracle Platform Security

For information about tuning OPSS, see the Oracle Fusion Middleware Security Performance Tuning chapter in the Oracle Fusion Middleware Performance and Tuning Guide.

14.17 Provisioning Users to the Enterprise Identity Store in a Multidirectory Scenario

This section provides details for configuring Oracle Identity Manager to provision users in the enterprise identity store. It contains the following topics:

■ Section 14.17.1, Creating and Importing New Rules.
■ Section 14.17.2, Updating IT Resource for Oracle Identity Manager Integration.
■ Section 14.17.3, Updating the Incremental Reconciliation Changelog Number.

By default, users are provisioned in the Enterprise Identity Store. You can also configure users to be created in the shadow directory by configuring the Oracle Identity Manager rules appropriately.

14.17.1 Creating and Importing New Rules

1. Create LDAPContainerRules.xml with the new rules that you want to import into LDAP. This file contains the rules for user creation and role creation and the corresponding containers in LDAP where they should be created. For the current split profile environment, the rules are:

   <?xml version="1.0" encoding="UTF-8"?>
   <container-rules>
     <user>
       <rule>
         <expression>Country=IN</expression>
         <container>cn=Users,dc=idm,dc=sun,dc=com</container>
       </rule>
       <rule>
         <expression>Default</expression>
         <container>cn=Users,dc=mycompany,dc=com</container>
         <description>UserContainer</description>
       </rule>
     </user>
     <role>
       <rule>
         <expression>Default</expression>
         <container>cn=Groups,dc=mycompany,dc=com</container>
         <description>RoleContainer</description>
       </rule>
     </role>
   </container-rules>

2. Import this configuration to MDS. Modify the weblogic.properties file under OIM_ORACLE_HOME/bin as follows:

   wls_servername=<OIM server name>          (for example, WLS_OIM1)
   application_name=OIMMetadata
   metadata_from_loc=/u01/tmp
   metadata_files=/db/LDAPContainerRules.xml

3. Set the OIM_ORACLE_HOME environment variable to the appropriate directory.

4. Run the following command to import the configuration file into MDS. The file weblogicImportMetadata.sh is located under OIM_ORACLE_HOME/bin:

   sh ./weblogicImportMetadata.sh
   Please enter your username [weblogic] : weblogic
   Please enter your password [weblogic] : <WebLogic user password>
   Please enter your server URL [t3://localhost:7001] : t3://ADMINVHN.mycompany.com:7001

5. To activate the new rules, restart the Oracle Identity Manager servers wls_oim1 and wls_oim2 as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.
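To show how the container rules above are meant to be read, here is an added example (not Oracle's code) that parses the LDAPContainerRules.xml format and resolves the target container for a user or role from its attributes. It assumes an expression is either Default or a single attribute=value test and that the first matching rule in file order wins; Oracle Identity Manager's own evaluator may accept richer expressions.

```python
import xml.etree.ElementTree as ET

# The rules from the procedure above, embedded inline so the example runs offline
CONTAINER_RULES = """<?xml version="1.0" encoding="UTF-8"?>
<container-rules>
  <user>
    <rule>
      <expression>Country=IN</expression>
      <container>cn=Users,dc=idm,dc=sun,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>cn=Users,dc=mycompany,dc=com</container>
      <description>UserContainer</description>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=Groups,dc=mycompany,dc=com</container>
      <description>RoleContainer</description>
    </rule>
  </role>
</container-rules>
"""

def load_rules(xml_text: str) -> dict:
    """Return {"user": [(expression, container), ...], "role": [...]} in file order."""
    root = ET.fromstring(xml_text)
    return {kind: [(r.findtext("expression"), r.findtext("container"))
                   for r in root.iterfind(f"{kind}/rule")]
            for kind in ("user", "role")}

def _matches(expression: str, attrs: dict) -> bool:
    # Assumption: an expression is "Default" or one attribute=value comparison
    if expression == "Default":
        return True
    name, _, value = expression.partition("=")
    return attrs.get(name.strip()) == value.strip()

def resolve_container(rules: dict, kind: str, attrs: dict) -> str:
    """First matching rule wins, so specific rules must precede the Default rule."""
    for expression, container in rules[kind]:
        if _matches(expression, attrs):
            return container
    raise ValueError(f"no {kind} rule matched; the file needs a Default rule")
```

Placing the Default rule before Country=IN would send every user to cn=Users,dc=mycompany,dc=com, so check rule order before importing a modified file.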

14.17.2 Updating IT Resource for Oracle Identity Manager Integration

Using the Oracle Identity Manager advanced console, update the directory server IT resource with Oracle Virtual Directory information. The steps are as follows:

Note: This is only used to load the data, so it is only necessary to specify one Oracle Identity Manager server.

1. Log in to the OIM Console at: https://sso.mycompany.com:443/oim

2. Click Advanced to go to the advanced console.

3. On the advanced console page, in the Configuration section, click the link for Manage IT Resource. The Manage IT Resource window appears.

4. In the Manage IT Resource window, under IT Resource Type, choose Directory Server, then click Search.

5. In the resulting list of resources in the IT Resource Name section, choose the Directory Server link for that instance's information. The View IT Resource window appears.

6. Click Edit in the View IT Resource window and enter your LDAP server information:

■ Admin Login: Bind DN to connect to the Oracle Virtual Directory server
■ Admin Password: Bind password to connect to the Oracle Virtual Directory server
■ Search Base: LDAP container (DefaultnamingContext) for all users and groups
■ Server URL: Oracle Virtual Directory host and port, for example ldap://idmhost1.mycompany.com:389
■ Server SSL URL: ldaps://idmhost1.mycompany.com:636
■ User Reservation Container: Container used for reserving user IDs, for example: l=reserve,dc=mycompany,dc=com

7. Click Update and close the window.

14.17.3 Updating the Incremental Reconciliation Changelog Number

If the environment was initially set up as a non-split profile and then converted to a split profile, some incremental jobs were run before the conversion. As a result, the last changelog number field is not in a format that the split profile environment can decipher, and all subsequent incremental jobs fail with the error message:

Failed:oracle.iam.scheduler.exception.RequiredParameterNotSetException: The value is not supported.

To resolve the error, you must update the last changelog number to 0, as follows:

1. Log in to the OIM Console at: https://sso.mycompany.com:443/oim

2. Click Advanced on the top right pane.

3. Click Search Scheduled Jobs.

4. On the navigation bar in the left pane, perform a search on LDAP.

5. Click LDAP User Create and Update Reconciliation Job.

6. Click Search Scheduled Jobs.

7. On the navigation bar in the left pane, perform a search on LDAP.

8. Click LDAP User Create and Update Reconciliation Job.

9. Update the entry to 0.

10. Click Apply.

11. Click Run Now.

Repeat Steps 1-11 for all the incremental reconciliation jobs:

■ LDAP Role Create and Update Reconciliation
■ LDAP Role Membership Reconciliation
■ LDAP Role Hierarchy Reconciliation
■ LDAP User Delete Reconciliation
■ LDAP Role Delete Reconciliation

14.18 Backing Up the Application Tier Configuration

It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide. For information on database backups, refer to the Oracle Database Backup and Recovery User's Guide.

To back up the installation to this point, follow these steps:

1. Back up the web tier as described in Section 5.5, Backing up the Web Tier Configuration.

2. Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager.

3. Back up the Administration Server domain directory as described in Section 6.15, Backing Up the WebLogic Domain.

4. Back up the Oracle Internet Directory as described in Section 7.7, Backing up the Oracle Internet Directory Configuration.

5. Back up the Oracle Virtual Directory as described in Section 9.10, Backing Up the Oracle Virtual Directory Configuration.

For information about backing up the application tier configuration, see Section 20.4, Performing Backups and Recoveries.

15 Extending the Domain with Oracle Identity Federation

Oracle Identity Federation is a self-contained, standalone federation server that enables single sign-on and authentication in a multiple-domain identity network and supports the broadest set of federation standards. This enables users to federate in heterogeneous environments and business associations, whether or not they have implemented other Oracle Identity Management products in their solution set. It can be deployed as a multi-protocol hub acting as both an Identity Provider (IdP) and a Service Provider (SP). Acting as an SP, Oracle Identity Federation enables you to manage your resources while offloading the actual authentication of users to an IdP, without having to synchronize users across security domains out of band. Once a user is authenticated at the IdP, the SP can allow or deny that user access to the SP's applications depending upon the local access policies.

This chapter contains the following topics:

■ Section 15.1, Prerequisites