This chapter describes how to install and configure Oracle Access Manager 11.1.1 for use in the Oracle Identity Management enterprise deployment.
This chapter includes the following topics:
Section 11.1, "Introduction to Installing Oracle Access Manager"
Section 11.3, "Configuring Oracle Access Manager on IDMHOST1"
Section 11.5, "Configuring Oracle Access Manager to work with the Oracle Web Tier"
Section 11.7, "Configuring Oracle Access Manager to use an External LDAP store"
Section 11.10, "Backing Up the Application Tier Configuration"
Oracle Access Manager allows your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as based on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.
Oracle Access Manager consists of various components including Access Server, Identity Server, WebPass, Policy Manager, WebGates, AccessGates, and Access SDK. The Access Server and Identity Server are the server components necessary to serve user requests for access to enterprise resources. Policy Manager and WebPass are the administrative consoles to the Access Server and Identity Server respectively. WebGates are web server agents that act as the actual enforcement points for Oracle Access Manager while AccessGates are the application server agents. Finally, the Access SDK is a toolkit provided for users to create their own WebGate or AccessGate should the out-of-the-box solutions be insufficient. Follow the instructions in this chapter and Chapter 20, "Configuring Single Sign-on for Administration Consoles" to install and configure the Oracle Access Manager components necessary for your enterprise deployment.
This section contains the following topics:
The enterprise deployment described in this guide shows Oracle Access Manager using Oracle Internet Directory as the only LDAP repository. Oracle Access Manager uses a single LDAP for policy and configuration data. It is possible to configure another LDAP as the identity store where users, organizations and groups reside. For example, an Oracle Access Manager instance may use Oracle Internet Directory as its policy and configuration store and point to an instance of Microsoft Active Directory for users and groups.
In addition, the identity stores can potentially be front-ended by Oracle Virtual Directory to virtualize the data sources.
To learn more about the different types of directory configuration for Oracle Access Manager, consult the 11g Oracle Access Manager documentation at Oracle Technology Network. Customers considering these variations should adjust their directory tier and Oracle Access Manager deployment accordingly.
Before you configure Oracle Access Manager, ensure that the following tasks have been performed on IDMHOST1 and IDMHOST2:
Install Oracle WebLogic Server as described in Section 4.5.3.
Install Oracle Identity and Access Management Suite as described in Section 4.6.3.
Install Oracle Internet Directory as described in Section 7.1 and Section 7.2.
Install Oracle Virtual Directory as described in Chapter 8.
This section contains the following topics:
Section 11.3.2, "Starting Oracle Access Manager Server on IDMHOST1"
Section 11.3.4, "Propagating the Domain Changes to the Managed Server Domain Directory"
Start the configuration wizard by executing the command:
MW_HOME/oracle_common/common/bin/config.sh
Then proceed as follows:
On the Welcome screen, select Extend an Existing WebLogic Domain. Click Next.
On the Select a WebLogic Domain screen, using the navigator, select the domain home of the admin server, for example: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain.
Click Next
On the Select Extension Source screen, select Oracle Access Manager with Database Policy Store.
Click Next
The Configure RAC Multi Datasources screen shows the Multi Datasources if you have Oracle Directory Integration Platform or ODSM configured in your domain. Do not make any changes.
Click Next.
On the Configure JDBC Data Sources screen select the datasource OAM Infrastructure.
Select Configure selected data sources as RAC multi data sources in the next panel.
Click Next.
On the Configure RAC Multi Data Sources Screen:
Service Name: Service name of the database that contains the OAM repository (idmedg.mycompany.com)
User Name: EDG_OAM
Password: Password for user EDG_OAM
In the top right box, click Add to add the second Oracle RAC node.
Host Name: INFRADBHOST1
Instance Name: idmdb1
Port: 1521
Click Add again to add the second database host:
Host Name: INFRADBHOST2
Instance Name: idmdb2
Port: 1521
Click Next.
On the Test Component Schema screen, the Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.
On the Select Optional Configuration screen, select Managed Servers, Clusters and Machines.
Click Next
When you first enter the Configure Managed Servers screen, the configuration wizard will have created a default managed server for you. AT this point, you must do two things:
Change the values of the default managed server.
Add a second managed server and supply values for it.
That is, you must change the existing entry and add one new entry.
Do not change the configuration of any managed servers which have already been configured as part of previous application deployments.
For the default OAM server (oam_server) entry, change the following values:
Name: WLS_OAM1
Listen Address: IDMHOST1
To add the second OAM Server, click Add and supply the following values:
Name: WLS_OAM2
Listen Address: IDMHOST2
Listen Port: 14100
Leave all the other fields at the default settings.
Click Next.
On the Configure Clusters screen, create a cluster by clicking Add. Supply the following information:
Name: cluster_oam
Cluster Messaging Mode: unicast
Leave all other fields at the default settings and click Next.
On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.
The cluster_oam will have the managed servers WLS_OAM1 and WLS_OAM2.
Note:
Do not change the configuration of any clusters which have already been configured as part of previous application deployments.Click Next.
On the Configure Machines screen, create a machine for each host in the topology. Click on the tab UNIX if your hosts use Linux or a UNIX-based operating system. Otherwise, click on machines. Supply:
Name: The name of the host. Best practice is to use the DNS name. For example: idmhost1.mycompany.com and idmhost2.mycompany.com for the first and second nodes respectively.
Node Manager Listen Address: The DNS name of the machine. For example: idmhost1.mycompany.com and idmhost2.mycompany.com for the first and second nodes respectively.
Node Manager Port: A port for node manager to use.
If you have already configured Oracle Directory Integration Platform or ODSM, machines will already exist for those hosts.
Click Next.
On the Assign Servers to Machines screen, indicate which managed servers will run on each of the machines you created.
Click a machine in the right pane.
Click the managed servers you want to run on that machine in the left pane.
Click the arrow to assign the managed servers to the machines. Repeat until all managed servers are assigned to machines. For example:
IDMHOST1: WLS_OAM1
IDMHOST2: WLS_OAM2
Click Next to continue.
On the Configuration Summary screen, click Extend to extend the domain.
Note:
If you receive a warning that says:CFGFWK: Server listen ports in your domain configuration conflict with ports in use by active processes on this host
Click OK.
This warning appears if managed servers have been defined as part of previous installs and can safely be ignored.
Restart the Administration server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Start Oracle Access Manager on IDMHOST1 by following the start procedures in Section 19.1, "Starting and Stopping Oracle Identity Management Components" for:
Admin Server (Restart if already running).
Node Manager (if it is not already started)
WebLogic Managed Server WLS_OAM1
By default, the IDMDomain Agent provides single sign-on capability for administration consoles. In enterprise deployments, WebGate handles single sign-on, so you need to remove the IDMDomain agent. Remove the IDMDomain Agent as follows:
Log in to the WebLogic console using the URL: http://admin.mycompany.com/console
Then:
Select Security Realms from the Domain Structure Menu
Click myrealm.
Click the Providers tab.
Click on Lock and Edit from the Change Center.
Select IDMDomainAgent from the list of authentication providers.
Click Delete.
Click Yes to confirm the deletion.
Click Activate Changes from the Change Center.
Restart the Adminisration server and ALL running managed servers, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
To propagate the start scripts and classpath configuration from the Administration Server's domain directory to the managed server domain directory, proceed as follows:
Run the pack command on IDMHOST to create a template pack. Type the following commands:
IDMHOST1> cd MW_HOME/oracle_common/common/bin IDMHOST1> ./pack.sh -managed=true -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain -template=idmdomaintemplate.jar -template_name=IDMDomain_Template
Run the unpack command on IDMHOST1 to unpack the propagated template to the domain directory of the managed server. Type the following command:
IDMHOST1> ./unpack.sh -domain=ORACLE_BASE/admin/IDMDomain/mserver/IDMDomain/ -template=idmdomaintemplate.jar -overwrite_domain=true -app_dir=ORACLE_BASE/admin/IDMDomain/mserver/applications
Restart managed server WLS_OAM1.
This section contains the following topics:
Section 11.4.1, "Deploying Oracle Access Manager on IDMHOST2"
Section 11.4.2, "Updating Node Manager Properties File on IDMHOST2"
Section 11.4.3, "Starting Oracle Access Manager Server on IDMHOST2"
Once the configuration has succeeded on IDMHOST1, you can propagate the configuration to IDMHOST2. You do this by packing the domain on IDMHOST1, using the pack script, and unpacking it on IDMHOST2 using the unpack script. Both scripts reside in MW_HOME/oracle_common/common/bin.
Type:
pack.sh -domain=ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/ -template=/tmp/IDMDomain.jar -template_name="OAM Domain" -managed=true
This creates a file called IDMDomain.jar in the /tmp directory. Copy this file to IDMHOST2.
Unpack the file on IDMHOST2 by using the unpack utility:
./unpack.sh -domain=ORACLE_BASE/admin/IDMDomain/mserver/IDMDomain -template=MW_HOME/templates/IDMDomain.jar -overwrite_domain=true -app_dir=ORACLE_BASE/admin/IDMDomain/mserver/applications
Start the Node Manager on IDMHOST2 to create the nodemanager.properties file by using the startNodemanager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.
Before you can start the managed servers by using the console, node manger requires that the property StartScriptEnabled is set to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory.
prompt> MW_HOME/oracle_common/common/bin
prompt> ./setNMProps.sh
Stop and Start the node manager as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components"so that the properties take effect.
Start Oracle Access Manager on IDMHOST2 by following the start procedures in Section 19.1, "Starting and Stopping Oracle Identity Management Components" for:
Node Manager
WebLogic Managed Server WLS_OAM
This section describes how to configure Oracle Access Manager to work with the Oracle Web Tier.
This section contains the following topics:
Section 11.5.2, "Making Oracle Access Manager Server Aware of Load balancer"
Section 11.5.3, "Configuring Oracle HTTP Servers to Display Login Page"
Section 11.5.4, "Configuring Oracle HTTP Servers to Access Oracle Access Manager Console"
Before proceeding, ensure that the following tasks have been performed:
Install Oracle Web Tier on WEBHOST1 and WEBHOST2.
Install and configure Oracle Access Manager on IDMHOST1 and IDMHOST2.
Configure the loadbalancer with a virtual hostname (sso.myconpany.com) pointing to the webservers on WEBHOST1 and WEBHOST2.
Configure the loadbalancer with a virtual hostname (admin.mycompany.com) pointing to webservers WEBHOST1 and WEBHOST2.
By default, Oracle Access Manager sends requests to the login page located on the local server. In an Enterprise deployment this needs to be changed so that login page requests are sent to the load balancer. Proceed as follows:
Log in to the OAM Console at: http://IDMHOST1.mycompany.com/oamconsole as the weblogic user.
Click the System Configuration tab.
Double click Server Instances.
Click SSO Engine tab.
Enter the following information:
OAM Server Host: sso.mycompany.com
OAM Server Port: 443
OAM Server Protocol: https
Click Apply.
Restart managed servers WLS_OAM1 and WLS_OAM2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
On each of the web servers on WEBHOST1 and WEBHOST2 create a file called oam.conf in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf.
This file must contain the following information:
<Location /oam>
SetHandler weblogic-handler
WebLogicCluster idmhost1.mycompany.com:14100,idmhost2.mycompany.com:14100
</Location>
On each of the web servers on WEBHOST1 and WEBHOST2, a file called admin.conf was created in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. (See Section 6.9, "Configuring Oracle HTTP Server for the Administration Server".) Edit this file and add the following lines within the virtual host definition:
<Location /oamconsole> SetHandler weblogic-handler WebLogicHost ADMINVHN WebLogicPort 7001 </Location>
After editing the file should look like:
NameVirtualHost *:80 <VirtualHost *:80> ServerName admin.mycompany.com:80 ServerAdmin [email protected] RewriteEngine On RewriteOptions inherit RewriteRule ^/console/jsp/common/logout.jsp /oamsso/logout.html [PT] RewriteRule ^/em/targetauth/emaslogout.jsp /oamsso/logout.html [PT] # Admin Server and EM <Location /console> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /consolehelp> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /em> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /oamconsole> SetHandler weblogic-handler WebLogicHost ADMINVHN WebLogicPort 7001 </Location> </VirtualHost>
Then edit ORACLE_INSTANCE/config/OHS/component/httpd.conf. Comment out the following lines by inserting a # at the beginning, so that they look like this:
#*******Default Login page alias*** #Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso" #<LocationMatch "/oamsso/*"> #Satisfy any #</LocationMatch> #**********************************
Restart the Oracle HTTP Server, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Attempt to access the OAM application using the URL: sso://mysso.mycompany.com:443/oam
The Oracle Access Manager screen will be displayed. A message saying Action Failed will appear on the screen. You can ignore the message because all we are testing is that the OAM server can be accessed via the Load Balancer.
Attempt to Access the OAM console at: http://admin.mycompany.com/oamconsole
In High Availability configurations, you must change the Request Cache type from BASIC to COOKIE. You change it by using wlst, as follows.
Set up the environment for wlst by running the command
. DOMAIN_HOME/bin/setDomainEnv.sh
Start wlst by issuing the command:
IAM_ORACLE_HOME/common/bin/wlst.sh
Connect to your domain:
wls:/offline> connect()
Enter WebLogic Administration username and password.
Enter the URL for the WebLogic Administration Server in the format:
t3://IDMHOST1.mycompany.com:7001
Issue the command:
wls:/IDMDomain/serverConfig> configRequestCacheType(type="COOKIE")
Verify that the command has worked by issuing the command:
wls:/IDMDomain/serverConfig> displayRequestCacheType()
Exit WLS tool by issuing the command:
wls:/IDMDomain/serverConfig> exit()
Restart managed servers WLS_OAM1 and WLS_OAM2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
By default, Oracle Access Manager uses its own in built-in LDAP server. In the architecture we are building we use Oracle Virtual Directory (in front of Oracle Internet Directory) as our directory store. We modify Oracle Access Manager to use this directory store by using the Oracle Access Manager Console.
This section contains the following topics:
Prior to performing this step, ensure that there is a group in your LDAP store for Oracle Access Manager administrators, such as OAMAdministrator, and that a user such as oamadmin exists in that group.
To do this create the following files:
dn: cn=oamadmin,cn=Users,dc=mycompany,dc=com cn: oamadmin sn: oamadmin description: oamadmin uid: oamadmin objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetorgperson objectclass: orcluser objectclass: orcluserV2 userpassword: mypasswd
dn: cn=OAMAdministrator,cn=Groups,dc=mycompany,dc=com cn: OAMAdministrator displayname: OAMAdministrator description: OAMAdministrator uniquemember: cn=oamadmin,cn=Users,dc=mycompany,dc=com objectclass: top objectclass: groupofuniquenames objectclass: orclgroup
Load the user and group into ldap using the following commands:
ldapadd -h myoid.myompany.com -p 389 -D cn="orcladmin" -q -c -v -f oam_user.ldif ldapadd -h myoid.mycompany.com -p 389 -D cn="orcladmin" -q -c -v -f oam_group.ldif
Note:
These steps must be performed from the LDAP server.Before starting the configuration backup the current configuration, so that should anything untoward happen the original configuration can be restored.
To achieve this, make a copy of the files oam-config.xml and oam-policy.xml. These files are located in the directory: DOMAIN_HOME/config/fmwconfig.
Go to the Oracle Access Manager console at the URL: http://adminvhn.mycompany.com:7001/oamconsole
Log in using the WebLogic administration user.
Click Add User Identity Store.
Name: LDAP_DIR
Ldap Provider: OVD
LDAP URL: ldap://ovd.mycompany.com:389
Principal: cn=orcladmin
Credential: orcladmin password
User Search Base: cn=Users,dc=mycompany,dc=com
Group Search Base: cn=Groups,dc=mycompany,dc=com
User Name Attribute: uid
OAM Administrator's Role: OAMAdministrator
Click Apply.
Click Test Connection to Validate the connection to the LDAP server.
Now that you have defined the LDAP identity store, you must set it as the primary authentication store. You do this by using the Oracle Access Manager console, as follows:
Click the System Configuration Tab
Select Data Sources - User Identity Stores from the navigation pane.
Click LDAP_DIR
Select Open from the Actions menu.
Click Set as Primary
Test the connection by clicking Test Connection
Restart the managed servers Admin Server, WLS_OAM1 and WLS_OAM2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate the configuration by logging in to the Oracle Access Manager console as the user oamadmin. You can access the console at: http://admin.mycompany.com/oamconsole.
The Identity Management Domain comes preconfigured with a number of default policies to protect such things as administration consoles. In addition, it is recommended that you create policy groups to hold any policies you create.
The policy groups you create are largely dependent on your environment and the way you want to store your policy information. In this section of the guide, we will create two Policy Groups:
Oracle Access Manager-Protected Resources: This policy group is used to hold details of resources that are protected by the OAM user/password policy.
Oracle Adaptive Access Manager-Protected Resources: This policy group is used to hold details of resources that are protected using OAAM.
This section contains the following topics:
Section 11.8.1, "Creating Oracle Access Manager Policy Group"
Section 11.8.2, "Creating Oracle Adaptive Access Manager Policy Group"
To create the OAM Policy Group perform the following steps:
Log in to the OAM console at: http://admin.mycompany.com using the oamadmin account created previously.
From the Navigation Window expand: Application Domains > IDMDomainAgent.
Click Authentication Policies
Click Create on the tool bar (below the Browse tab).
Enter the following information:
Name: OAM Protected Resources
Authentication Scheme: LDAPScheme
Click Apply.
This group is only required if you are planning to include OAAM in your topology.
From the Navigation Window expand: Application Domains > IDMDomainAgent.
Click Authentication Policies.
Click Create on the tool bar (below the Browse tab).
Enter the following information:
Name: OAAM Protected Resources
Authentication Scheme: OAAMAdvanced
Click Apply.
Validate Oracle Access Manager by protecting a simple resource.
For testing purposes, it is good practice to create a simple HTML page, which you can use to test the functionality of OAM.
This section contains the following topics:
Create a test page called sso.html on WEBHOST1 and WEBHOST2. The easiest way to do this is to create a file called sso.html in the directory ORACLE_INSTANCE/config/OHS/component_name/htdocs with the following content:
<html> <body> <center> <p> <h2> SSO Protected Resource </h2> </p> </center> </body> </html>
Now that you have something to protect, you need to create a resource in OAM and assign it to one of the policy groups you created above.
Log in to the OAM console at: http://admin.mycompany.com/oamconsole using the oamadmin account created previously.
From the Navigation window expand: Application Domains > IDMDomainAgent.
Click Resources.
Click Create on the tool bar below the Browse tab).
Enter the following information:
Type: http
Host Identifier: IDMDomain
Resource URL: /sso.html
Click Apply.
Now that the resource exists, assign it to one of the policy groups you just created.
Log in to the OAM console at: http://admin.mycompany.com/oamconsole using the oamadmin account created previously.
From the Navigation window expand: Application Domains > IDMDomainAgent > Authentication Policies.
Click OAM Protected Resources.
Click Edit on the tool bar below the Browse tab.
In the Resources box, click +.
From the list, select the resource you created above.
Click Apply.
All that remains is to add the resource to the list of protected resources. To do this, log in to the OAM console at: http://admin.mycompany.com using the oamadmin account created previously.
From the Navigation window expand: Application Domains > IDMDomainAgent > Authorization Policies.
Click Protected Resource Policy.
Click Edit on the tool bar below the Browse tab.
In the Resources box, click +.
From the list, select the resource you just created.
Click Apply.
To validate that Oracle Access Manager is working correctly:
Install Oracle Webgate as described in Section 18.2, "Installing and Configuring WebGate".
Access your protected resource using the URL: https://sso.mycompany.com:443/sso.html.
The OAM Login page is displayed. Log in as an authorised OAM user, for example: oamadmin. Once you are logged in, the oam protected resource is displayed.
It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.
For information on database backups, refer to the Oracle Database Backup and Recovery Advanced User's Guide.
To back up the installation to this point, follow these steps:
Back up the web tier as described in Section 5.6, "Backing up the Web Tier Configuration."
Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager. You can also use operating system tools such as tar for cold backups.
Back up the Administration Server domain directory as described in Section 6.14, "Backing Up the WebLogic Domain."
Back up the Oracle Internet Directory as described in Section 7.5, "Backing up the OID Configuration."
Back up the Oracle Virtual Directory as described in Section 8.5, "Backing Up the Oracle Virtual Directory Configuration."
For information about backing up the application tier configuration, see Section 19.4, "Performing Backups and Recoveries."