Extending the Domain with Oracle Identity Manager 14-23
5. Click Default Policy for Username Generation.
6. In the Value field, change the entry from
oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy to
oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicyForAD.
7. Click Save.
14.15 Update Oracle Identity Manager JMS Queues
Update the Oracle Identity Manager JMS queues as follows:
1. Log in to the WebLogic Administration Console as the administrative user.
2. Select Services > Messaging > JMS Modules from the Domain Structure menu.
3. Click OIMJMSModule.
4. Click Lock & Edit.
5. For each queue, click the queue, click the Delivery Failure tab, change the Redelivery Limit value from -1 (unlimited redelivery) to 1, then click Save.
6. Make sure you have performed Step 5 for every queue under OIMJMSModule.
7. Click Activate Changes.
8. Restart the Oracle Identity Manager servers as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.
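The console procedure above changes one queue at a time, so it is easy to miss one. The following script is an added example, not part of this guide or of the Oracle product: it parses the JMS module descriptor that the Administration Console writes under DOMAIN_HOME/config/jms/ and reports every queue whose effective redelivery limit is not 1. The sample descriptor embedded below is constructed for the example, and the file name used in the comment (OIMJMSModule-jms.xml) is an assumption; a queue with no delivery-failure-params at all is treated as -1, which is the WebLogic default.

```python
import xml.etree.ElementTree as ET

# Namespace of WebLogic JMS module descriptors (DOMAIN_HOME/config/jms/<module>-jms.xml).
NS = "http://xmlns.oracle.com/weblogic/weblogic-jms"

# Destination element types that carry <delivery-failure-params>.
QUEUE_TAGS = ("queue", "uniform-distributed-queue")

# Constructed sample descriptor (not a real OIMJMSModule export): one queue still at
# -1, one already set to 1, and one with no <delivery-failure-params> at all.
SAMPLE_DESCRIPTOR = f"""<?xml version="1.0" encoding="UTF-8"?>
<weblogic-jms xmlns="{NS}">
  <uniform-distributed-queue name="oimAttestationQueue">
    <sub-deployment-name>OIMJMSServer</sub-deployment-name>
    <delivery-failure-params>
      <redelivery-limit>-1</redelivery-limit>
    </delivery-failure-params>
    <jndi-name>queue/oimAttestationQueue</jndi-name>
  </uniform-distributed-queue>
  <uniform-distributed-queue name="oimAuditQueue">
    <sub-deployment-name>OIMJMSServer</sub-deployment-name>
    <delivery-failure-params>
      <redelivery-limit>1</redelivery-limit>
    </delivery-failure-params>
    <jndi-name>queue/oimAuditQueue</jndi-name>
  </uniform-distributed-queue>
  <uniform-distributed-queue name="oimKernelQueue">
    <sub-deployment-name>OIMJMSServer</sub-deployment-name>
    <jndi-name>queue/oimKernelQueue</jndi-name>
  </uniform-distributed-queue>
</weblogic-jms>
"""


def _ns(tag):
    """Qualify a tag with the weblogic-jms namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def redelivery_limits(xml_text):
    """Map each queue name to its effective redelivery limit.

    A queue with no <delivery-failure-params> or no <redelivery-limit> is at the
    WebLogic default, -1, which means a failed message is redelivered without limit.
    """
    root = ET.fromstring(xml_text)
    limits = {}
    for tag in QUEUE_TAGS:
        for queue in root.iter(_ns(tag)):
            node = queue.find(f"{_ns('delivery-failure-params')}/{_ns('redelivery-limit')}")
            text = node.text.strip() if node is not None and node.text else ""
            limits[queue.get("name")] = int(text) if text else -1
    return limits


def queues_not_at_limit(xml_text, expected=1):
    """Sorted names of queues whose effective limit differs from `expected`.

    An empty list means the Section 14.15 change has been applied to every queue.
    """
    return sorted(name for name, limit in redelivery_limits(xml_text).items()
                  if limit != expected)


def load_descriptor(path):
    """Read a descriptor from disk, e.g. DOMAIN_HOME/config/jms/OIMJMSModule-jms.xml
    (assumed file name; use whatever the Administration Console wrote for the module)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    text = load_descriptor(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DESCRIPTOR
    print("effective limits:", redelivery_limits(text))
    print("still not at 1:", queues_not_at_limit(text))
```

Run it against the exported descriptor after Activate Changes; anything it lists still needs the console edit, and the servers must be restarted afterwards as in Step 8.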
14.16 Tuning Oracle Platform Security
For information about tuning OPSS, see the Oracle Fusion Middleware Security Performance Tuning chapter in the Oracle Fusion Middleware Performance and Tuning Guide.
14.17 Provisioning Users to the Enterprise Identity Store in a Multidirectory Scenario
This section provides details for configuring Oracle Identity Manager to provision users in the enterprise identity store. It contains the following topics:
■ Section 14.17.1, Creating and Importing New Rules
■ Section 14.17.2, Updating IT Resource for Oracle Identity Manager Integration
■ Section 14.17.3, Updating the Incremental Reconciliation Changelog Number
By default, users are provisioned in the enterprise identity store. You can also configure users to be created in the shadow directory by configuring the Oracle Identity Manager rules appropriately.
14.17.1 Creating and Importing New Rules
1. Create LDAPContainerRules.xml with the new rules that you want to import into MDS. This file contains the rules for user creation and role creation and the corresponding containers in LDAP where the users and roles should be created. For the current split profile environment, the rules are:
14-24 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
<?xml version="1.0" encoding="UTF-8"?>
<container-rules>
  <user>
    <rule>
      <expression>Country=IN</expression>
      <container>cn=Users,dc=idm,dc=sun,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>cn=Users,dc=mycompany,dc=com</container>
      <description>UserContainer</description>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=Groups,dc=mycompany,dc=com</container>
      <description>RoleContainer</description>
    </rule>
  </role>
</container-rules>
2. Import this configuration to MDS. Modify the weblogic.properties file under OIM_ORACLE_HOME/bin as follows:
wls_servername=<OIM server name>
application_name=OIMMetadata
metadata_from_loc=/u01/tmp
metadata_files=/db/LDAPContainerRules.xml
For example, wls_servername=WLS_OIM1. The metadata_files path is relative to metadata_from_loc, so with these values LDAPContainerRules.xml must exist at /u01/tmp/db/LDAPContainerRules.xml before you run the import.
3. Set the OIM_ORACLE_HOME environment variable to the appropriate directory.
4. Run the following command to import the configuration file into MDS. The file weblogicImportMetadata.sh is located under OIM_ORACLE_HOME/bin:
sh ./weblogicImportMetadata.sh
Please enter your username [weblogic] :weblogic
Please enter your password [weblogic] :<WebLogic user password>
Please enter your server URL [t3://localhost:7001] :t3://ADMINVHN.mycompany.com:7001
5. To activate the new rules, restart the Oracle Identity Manager servers wls_oim1 and wls_oim2 as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.
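A wrong rule file is only discovered when user creation fails or, worse, lands users in the wrong container, so it is worth checking the file before importing it into MDS. The following script is an added example and is not code from this guide or from Oracle Identity Manager: it parses a copy of the LDAPContainerRules.xml shown above (embedded here as a constructed sample), validates the rule set, and resolves the target container for a given user or role. The evaluation semantics it uses are assumptions of the example: rules are tried in document order, the first match wins, Default matches everything, and an expression is a set of Attr=Value clauses joined by "&" compared case-insensitively.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the LDAPContainerRules.xml from Section 14.17.1.
CONTAINER_RULES = """<?xml version="1.0" encoding="UTF-8"?>
<container-rules>
  <user>
    <rule>
      <expression>Country=IN</expression>
      <container>cn=Users,dc=idm,dc=sun,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>cn=Users,dc=mycompany,dc=com</container>
      <description>UserContainer</description>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Default</expression>
      <container>cn=Groups,dc=mycompany,dc=com</container>
      <description>RoleContainer</description>
    </rule>
  </role>
</container-rules>
"""


def parse_rules(xml_text):
    """Return {"user": [(expression, container), ...], "role": [...]} in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "container-rules":
        raise ValueError(f"unexpected root element {root.tag!r}")
    rules = {"user": [], "role": []}
    for kind in rules:
        section = root.find(kind)
        for rule in ([] if section is None else section.findall("rule")):
            expression = (rule.findtext("expression") or "").strip()
            container = (rule.findtext("container") or "").strip()
            if not expression or not container:
                raise ValueError(f"{kind} rule is missing <expression> or <container>")
            rules[kind].append((expression, container))
    return rules


def expression_matches(expression, attributes):
    """Evaluate one rule expression against an entity's attribute map.

    "Default" matches everything. Otherwise the expression is read as
    "Attr=Value" clauses joined by "&", all of which must hold; values are
    compared case-insensitively. Assumption of this example: the "&" conjunction
    and the case folding are not stated in Section 14.17.1.
    """
    if expression.strip().lower() == "default":
        return True
    for clause in expression.split("&"):
        if "=" not in clause:
            raise ValueError(f"cannot parse clause {clause!r} in {expression!r}")
        name, value = (part.strip() for part in clause.split("=", 1))
        if str(attributes.get(name, "")).strip().lower() != value.lower():
            return False
    return True


def resolve_container(rules, kind, attributes):
    """Container for a new user or role: the first rule in document order that matches."""
    for expression, container in rules[kind]:
        if expression_matches(expression, attributes):
            return container
    raise LookupError(f"no {kind} rule matches {attributes!r} and there is no Default rule")


def validate_rules(rules):
    """Sanity checks to run before importing the file into MDS; returns a list of problems."""
    problems = []
    for kind, entries in rules.items():
        defaults = [i for i, (expr, _) in enumerate(entries) if expr.lower() == "default"]
        if not defaults:
            problems.append(f"{kind}: no Default rule, so unmatched entities cannot be created")
        elif defaults[0] != len(entries) - 1:
            problems.append(f"{kind}: rules after the Default rule are unreachable")
        for expr, container in entries:
            if expr.lower() != "default":
                try:
                    expression_matches(expr, {})
                except ValueError as exc:
                    problems.append(f"{kind}: {exc}")
            if "=" not in container:
                problems.append(f"{kind}: container {container!r} is not a DN")
    return problems


if __name__ == "__main__":
    rules = parse_rules(CONTAINER_RULES)
    print("problems:", validate_rules(rules))
    for attrs in ({"Country": "IN"}, {"Country": "US"}, {}):
        print(attrs, "->", resolve_container(rules, "user", attrs))
    print("role ->", resolve_container(rules, "role", {}))
```

With the rules above, a user whose Country is IN resolves to cn=Users,dc=idm,dc=sun,dc=com and every other user to cn=Users,dc=mycompany,dc=com; a rule placed after the Default rule is reported as unreachable.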
14.17.2 Updating IT Resource for Oracle Identity Manager Integration
Using the Oracle Identity Manager advanced console, update the directory server IT resource with Oracle Virtual Directory information. The steps are as follows:
Note: The wls_servername entry in weblogic.properties (Section 14.17.1) is only used to load the data, so it is only necessary to specify one Oracle Identity Manager server.
1. Log in to the OIM Console at: https://sso.mycompany.com:443/oim
2. Click Advanced to go to the advanced console.
3. On the advanced console page, in the Configuration section, click the Manage IT Resource link. The Manage IT Resource window appears.
4. In the Manage IT Resource window, under IT Resource Type, choose Directory Server, then click Search.
5. In the resulting list of resources in the IT Resource Name section, click the Directory Server link to view that instance's information. The View IT Resource window appears.
6. Click Edit in the View IT Resource window and enter your LDAP server information:
■ Admin Login: Bind DN used to connect to the Oracle Virtual Directory server
■ Admin Password: Bind password used to connect to the Oracle Virtual Directory server
■ Search Base: LDAP container (the default naming context) that holds all users and groups
■ Server URL: Oracle Virtual Directory host and port, for example ldap://idmhost1.mycompany.com:389
■ Server SSL URL: for example ldaps://idmhost1.mycompany.com:636
■ User Reservation Container: Container used for reserving user IDs, for example l=reserve,dc=mycompany,dc=com
A simple bind over the plain ldap:// URL sends the Admin Password across the network in cleartext, so use the ldaps:// URL wherever the integration supports it, and give the bind account only the rights it needs on the user, group and reservation containers rather than a directory-wide administrator identity.
7. Click Update and close the window.
14.17.3 Updating the Incremental Reconciliation Changelog Number
When an environment is initially set up as a non-split profile and later converted to a split profile, the incremental jobs that ran before the conversion leave the last changelog number field in a format that the split profile environment cannot decipher. As a result, all subsequent incremental jobs fail with the error message:
Failed:oracle.iam.scheduler.exception.RequiredParameterNotSetException: The value is not supported.
To resolve the error, you must update the last changelog number to 0, as follows:
1. Log in to the OIM Console at: https://sso.mycompany.com:443/oim
2. Click Advanced on the top right pane.
3. Click Search Scheduled Jobs.
4. On the navigation bar in the left pane, perform a search on LDAP.
5. Click LDAP User Create and Update Reconciliation Job.
6. Update the last changelog number entry to 0.
7. Click Apply.
8. Click Run Now.
Repeat Steps 1-8 for all the incremental reconciliation jobs:
■
LDAP Role Create and Update Reconciliation
■
LDAP Role Membership Reconciliation
■
LDAP Role Hierarchy Reconciliation
■
LDAP User Delete Reconciliation
■
LDAP Role Delete Reconciliation
14.18 Backing Up the Application Tier Configuration
Oracle best practice is to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.
For information on database backups, refer to the Oracle Database Backup and Recovery User's Guide.
To back up the installation to this point, follow these steps:
1. Back up the web tier as described in Section 5.5, Backing up the Web Tier Configuration.
2. Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager.
3. Back up the Administration Server domain directory as described in Section 6.15, Backing Up the WebLogic Domain.
4. Back up the Oracle Internet Directory as described in Section 7.7, Backing up the Oracle Internet Directory Configuration.
5. Back up the Oracle Virtual Directory as described in Section 9.10, Backing Up the Oracle Virtual Directory Configuration.
For information about backing up the application tier configuration, see Section 20.4, Performing Backups and Recoveries.
15 Extending the Domain with Oracle Identity Federation
Oracle Identity Federation is a self-contained, standalone federation server that enables single sign-on and authentication in a multiple-domain identity network and supports the broadest set of federation standards. This enables users to federate in heterogeneous environments and business associations, whether or not they have implemented other Oracle Identity Management products in their solution set.
It can be deployed as a multi-protocol hub acting as both an Identity Provider (IdP) and a Service Provider (SP).
Acting as an SP, Oracle Identity Federation enables you to manage your resources while offloading the actual authentication of users to an IdP, without having to synchronize users across security domains out of band. Once a user has been authenticated at the IdP, the SP can allow or deny that user access to the SP's applications according to its local access policies.
This chapter contains the following topics:
■
Section 15.1, Prerequisites