Oracle Fusion Applications Installation: Configure Oracle Identity and Access Management components
Configuring the Oracle Identity Management components can be divided into the following tasks. Note that we will not configure Oracle Virtual Directory, Oracle Identity Federation, etc.
- Configure the Web Tier
- Create Weblogic Domain for Identity Management
- Extend the Domain to include Oracle Internet Directory
- Prepare Identity and Policy Stores
- Extend the Domain to include Oracle Directory Service Manager (ODSM)
- Extend the Domain to include Oracle Virtual Directory (Optional)
- Configure Oracle Access Manager 11g (OAM)
- Configure Oracle Identity Manager (OIM) and Oracle SOA Suite
- Post-configuration tasks
Configure Web Tier
Start the configuration from <Web_Home>/bin
[fusion@fmwhost ~]$ cd /app/fusion/fmw/web/bin/
[fusion@fmwhost bin]$ ./config.sh
Click Next
Select only Oracle HTTP Server and deselect other checkboxes. Click Next
Enter following details and click Next
Instance Home Location: /app/fusion/config/instances/web1
(Note that the paths, instance and component names, etc. differ from those used during the 11.1.5 installation steps)
Instance Name: web1
OHS Component Name: ohs1
Select “Specify Ports using Configuration file”. Open another shell window and copy the staticports.ini from staging directory.
[fusion@fmwhost bin]$ cp -p /mnt/hgfs/setup/installers/webtier/Disk1/stage/Response/staticports.ini ~/
Click View/Edit File
Edit/uncomment the following values.
OPMN Local Port = 6700
OHS Port = 7777
Click Save
Deselect the check box and click Next
Click Yes
Review the summary and click Configure
Once installation is successful, click Next
Review the summary and click Finish
Check whether the HTTP processes have already started.
[fusion@fmwhost bin]$ ps -ef | grep http
fusion 5410 5383 1 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL
fusion 5419 5410 0 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL
fusion 5420 5410 0 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL
fusion 5422 5410 0 13:13 ? 00:00:00 /app/fusion/fmw/web/ohs/bin/httpd.worker -DSSL
fusion 5518 4052 0 13:14 pts/1 00:00:00 grep http
[fusion@fmwhost bin]$ vi /app/fusion/config/instances/web1/config/OHS/web1/httpd.conf
Change the following to match the fusion user's group (dba or oinstall):
User fusion
Group dba
Launch http://<hostname>:7777 to make sure that HTTP home page is appearing.
Make a backup of httpd.conf
[fusion@fmwhost bin]$ cp -pr /app/fusion/config/instances/web1/config/OHS/web1/httpd.conf /app/fusion/config/instances/web1/config/OHS/web1/httpd.conf.bak.original
…
<IfModule mpm_worker_module>
ServerLimit 20
StartServers 2
MaxClients 1000
MinSpareThreads 200
MaxSpareThreads 800
ThreadsPerChild 50
MaxRequestsPerChild 10000
AcceptMutex fcntl
LockFile "${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/http_lock"
</IfModule>
Restart the Web server as follows.
[fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes…
[fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl startall
opmnctl startall: starting opmn and all managed processes…
Create Weblogic Domain for Identity Management
Start the configuration from <Middleware Home>/oracle_common/common/bin
[fusion@fmwhost bin]$ cd /app/fusion/fmw/oracle_common/common/bin/
[fusion@fmwhost bin]$ ./config.sh &
Select “Create a new Weblogic domain” and click Next
For single domain creation, select:
– Oracle Identity Manager 11.1.1.3.0 [iam]
– Oracle SOA Suite – 11.1.1.0 [soa]
– Oracle Enterprise Manager [oracle_common]
– Oracle Access Manager with Database Policy Store – 11.1.1.3.0 [iam]
– Oracle WSM Policy Manager – 11.1.1.0 [oracle_common]
– Oracle JRF [oracle_common] (This should be selected automatically.)
Click Next
Enter following values.
Domain Name: IDMDomain
Domain location: /app/fusion/config/domains
Application location: /app/fusion/config/domains/IDMDomain/applications
[Please note that above paths are different from what we used in previous installations]
Click Next
Enter name “weblogic” and desired password. Click Next
Select “Production Mode” and make sure correct JDK is selected. Click Next
Make sure to change each schema username to the FA_ prefix manually, since we modified the prefix earlier. Once that is changed, select all checkboxes to apply the same password. Enter the database server details and click Next
Once connection test is successful, click Next
Select “Administration Server” and “Managed servers, clusters and Machines”. Click Next
Enter following values.
Name: AdminServer
Listen address: <hostname>
Listen Port: <7001>
We are not using SSL here so click Next
In the “Configure Managed Servers” screen enter following values.
WLS_OAM1, <hostname>, 14100 (OAM Server)
WLS_SOA1, <hostname>, 8001 (SOA Server)
WLS_OIM1, <hostname>, 14000 (OIM Server)
Click Next
Click Next
Since we are using a Unix machine, we must delete this entry. Click Delete
This tab should look like this now.
Click on “Unix Machine” tab and enter following values. And click Next
Name: <hostname>
Node Manager listen address: <hostname>
Node manager listen port: 5556
Important Note: Make sure the machine name is the same as the hostname. In this case change it to fmwhost.paramlabs.com instead of just fmwhost. Check this using the “hostname” command on your OS; even though both names point to the same IP, the node manager treats them as different machines.
Select all managed servers on left side and click on right arrow to assign all servers to our single node.
It should look as above. Click Next
Review the summary and click “Create“
Once creation is complete, click Done
Prepare the Admin server for startup without prompting for a password
[fusion@fmwhost bin]$ mkdir -p /app/fusion/config/domains/IDMDomain/servers/AdminServer/security
[fusion@fmwhost bin]$ cd /app/fusion/config/domains/IDMDomain/servers/AdminServer/security
[fusion@fmwhost security]$ vi boot.properties
[fusion@fmwhost security]$ more boot.properties
username=weblogic
password=Oracle123 (whichever password you chose)
Note: The username and password entries in the file are not encrypted until you start the Administration Server. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries are encrypted.
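A small check that turns the note above into something you can run after the first Admin Server start. This is an added example, not from the original post: it reports a boot.properties whose values are still clear text (WebLogic rewrites them with an {AES}, or older {3DES}, prefix once the server has started) or whose mode lets group or others read it. The sample files and paths are constructed for the demo.

```bash
#!/bin/bash
# Added example, not from the original post: check a WebLogic boot.properties
# for the two risks described in the note above. WebLogic rewrites the values
# with an {AES} (or older {3DES}) prefix on the first Admin Server start, so a
# value without that prefix is still clear text. The sample files are constructed
# for the demo; the paths used here are assumptions.
set -u

# Return 0 only when both username and password values carry an encryption prefix.
boot_props_encrypted() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == "username" || k == "password") {
                have[k] = 1
                if (v !~ /^[{](AES|3DES)[}]/) plain++
            }
        }
        END {
            if (("username" in have) && ("password" in have) && plain == 0) exit 0
            exit 1
        }' "$1"
}

# Return 0 when group and others have no permission bits (mode 0600 or tighter).
boot_props_private() {
    local bits
    bits=$(ls -ld "$1" | cut -c5-10)   # group+other rwx columns of the mode string
    [ "$bits" = "------" ]
}

# Report every problem found; return 0 only when the file is safe to leave in place.
check_boot_properties() {
    local file="$1" rc=0
    [ -f "$file" ] || { echo "$file: not found"; return 2; }
    if ! boot_props_encrypted "$file"; then
        echo "$file: credentials still in clear text, start the Admin Server now"
        rc=1
    fi
    if ! boot_props_private "$file"; then
        echo "$file: readable by group or others, run: chmod 600 $file"
        rc=1
    fi
    return "$rc"
}

# Write a constructed sample (not real WebLogic output): $1 = path, $2 = plain|encrypted.
make_sample_boot_props() {
    if [ "$2" = plain ]; then
        printf 'username=weblogic\npassword=ChangeMe_demo\n' > "$1"
    else
        printf 'username={AES}c2FtcGxlLW5vdC1yZWFs\npassword={AES}c2FtcGxlLW5vdC1yZWFs\n' > "$1"
    fi
    chmod 600 "$1"
}

# Demo: a freshly edited file left world-readable, and one after the first start.
demo_dir=$(mktemp -d)
make_sample_boot_props "$demo_dir/boot.properties.fresh" plain
chmod 644 "$demo_dir/boot.properties.fresh"
make_sample_boot_props "$demo_dir/boot.properties.started" encrypted
for f in "$demo_dir"/boot.properties.*; do
    if check_boot_properties "$f"; then echo "$f: ok"; fi
done
rm -rf "$demo_dir"
```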
Configure and start Node Manager
[fusion@fmwhost security]$ cd /app/fusion/fmw/wlserver_10.3/server/bin/
[fusion@fmwhost bin]$ ./startNodeManager.sh
…
INFO: Secure socket listener started on port 5556
…
Once you see the above message, press CTRL+C to kill the process (if you started it with “&”, kill it using the kill -9 command)
^C+ set +x
Set the node manager properties
[fusion@fmwhost bin]$ cd /app/fusion/fmw/oracle_common/common/bin
[fusion@fmwhost bin]$ ./setNMProps.sh
Appending required nodemanager.properties
To confirm the changes,
[fusion@fmwhost bin]$ tail -f /app/fusion/fmw/wlserver_10.3/common/nodemanager/nodemanager.properties
…
#Required NM Property overrides (append to existing nodemanager.properties)
StartScriptEnabled=true
Start node manager in nohup mode so that it keeps running after you close the shell.
[fusion@fmwhost bin]$ cd /app/fusion/fmw/wlserver_10.3/server/bin/
[fusion@fmwhost bin]$ nohup ./startNodeManager.sh &
Start Weblogic Admin server
[fusion@fmwhost bin]$ cd /app/fusion/config/domains/IDMDomain/bin/
[fusion@fmwhost bin]$ nohup ./startWebLogic.sh &
Wait till you see this message.
…
<Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
==========
Note: If you ever get an error like
<Info> <Management> <BEA-141281> <unable to get file lock, will retry …>
then do the following:
Kill any running startWebLogic.sh processes and then remove the lock file as follows.
-bash-3.2$ rm /app/fusion/config/domains/IDMDomain/servers/AdminServer/tmp/AdminServer.lok
This error appears if the admin server or a managed server did not stop properly earlier.
==========
Make sure the Admin server has started properly by launching the URL http://<hostname>:7001/console
Login with “weblogic” user
Launch Enterprise Manager URL
Login with “weblogic” user
Setup HTTP Aliases
Create a file named admin.conf at <web instance directory>/config/OHS/ohs1/moduleconf and enter the following lines
[fusion@fmwhost bin]$ more /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf
RewriteEngine On
RewriteOptions inherit
RewriteRule ^/em/targetauth/emaslogout.jsp "/oamsso/logout.html?end_url=/em" [R]
RewriteRule ^/console/jsp/common/logout.jsp "/oamsso/logout.html?end_url=/console" [R]
###################################
## General Domain Configuration
###################################
# Admin Server and EM
<Location /console>
SetHandler weblogic-handler
WebLogicHost fmwhost.paramlabs.com
WeblogicPort 7001
</Location>
<Location /consolehelp>
SetHandler weblogic-handler
WebLogicHost fmwhost.paramlabs.com
WeblogicPort 7001
</Location>
<Location /em>
SetHandler weblogic-handler
WebLogicHost fmwhost.paramlabs.com
WeblogicPort 7001
</Location>
Restart Web server
[fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes…
[fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl startall
opmnctl startall: starting opmn and all managed processes…
Now you can launch the same URL through our main HTTP port 7777
http://<hostname>:7777/console should open fine now
Register HTTP server with Enterprise Manager
[fusion@fmwhost bin]$ ./opmnctl registerinstance -adminHost fmwhost -adminport 7001 -adminUsername weblogic
Command requires login to weblogic admin server (fmwhost):
Username: weblogic
Password:
…
Done
Registering instance
Command succeeded.
Removing IDM Domain Agent
In the Administration console, click on “Security Realms” -> myrealm -> Providers
Select IAMSuiteAgent and click on Delete.
Activate Changes
Enable Weblogic Plugin
Open http://<hostname>:7777/console and login with weblogic user
Click Lock & Edit. Click on IDMDomain -> Configuration -> Web Applications
Scroll down and check “Weblogic Plugin Enabled“
Click on Environment -> Servers -> AdminServer -> Protocols -> HTTP. Change the Frontend port to 7777.
Activate Changes
Restart WebLogic Admin Server
[fusion@fmwhost bin]$ cd /app/fusion/config/domains/IDMDomain/bin/
[fusion@fmwhost bin]$ ./stopWebLogic.sh
[fusion@fmwhost bin]$ nohup ./startWebLogic.sh &
Extend the Domain to include Oracle Internet Directory
Make sure that port 3060 is not being used by another process.
[fusion@fmwhost bin]$ netstat -an | grep "3060"
Start the configuration from <IDM_HOME>/bin
[fusion@fmwhost bin]$ cd /app/fusion/fmw/idm/bin
[fusion@fmwhost bin]$ ./config.sh &
Click Next
Select “Configure Without A Domain” and click Next
Instance Location: /app/fusion/config/instances/oid1
Instance Name: oid1
Click Next
Deselect checkbox and click Next
Click Yes
Select “Oracle Internet Directory” and click Next
Select “Specify Ports using Configuration file”
Open a shell and copy the staticports.ini file to home directory
[fusion@fmwhost bin]$ cp -p /app/fusion/provisioning/idm/Disk1/stage/Response/staticports.ini ~/
Click View/Edit File
Enter/uncomment Value for Non-SSL Port as 3060
And for SSL Port put value as 3061
Click Save
Enter database details and click Next
Set Realm as the domain level DC (for example if domain is example.com then set dc=example, dc=com)
Click Next
Review the summary and click Configure
Once configuration completes, click Next
Review the summary and click Finish
Validate OID
[fusion@fmwhost bin]$ export ORACLE_HOME=/app/fusion/fmw/idm
[fusion@fmwhost bin]$ export ORACLE_INSTANCE=/app/fusion/config/instances/oid1
[fusion@fmwhost bin]$ export PATH=$ORACLE_HOME/opmn/bin:$ORACLE_HOME/bin:$ORACLE_HOME/ldap/bin:$ORACLE_HOME/ldap/admin:$PATH
[fusion@fmwhost bin]$ ldapbind -h fmwhost -p 3060 -D “cn=orcladmin” -q
Please enter bind password:
bind successful
[fusion@fmwhost bin]$ ldapbind -h fmwhost -p 3061 -D “cn=orcladmin” -q -U 1
Please enter bind password:
bind successful
[fusion@fmwhost bin]$ opmnctl reload
opmnctl reload: reconfiguring opmn…
[fusion@fmwhost bin]$ opmnctl status agent
Processes in Instance: oid1
———————————+——————–+———+———
ias-component | process-type | pid | status
———————————+——————–+———+———
oid1 | oidldapd | 11217 | Alive
oid1 | oidldapd | 11221 | Alive
oid1 | oidmon | 11203 | Alive
EMAGENT | EMAGENT | 10839 | Alive
Registering Oracle Internet Directory with the WebLogic Server Domain
[fusion@fmwhost bin]$ export ORACLE_HOME=/app/fusion/fmw/idm
[fusion@fmwhost bin]$ export ORACLE_INSTANCE=/app/fusion/config/instances/oid1
[fusion@fmwhost bin]$ $ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost fmwhost -adminPort 7001 -adminUsername weblogic
Command requires login to weblogic admin server (fmwhost):
Username: weblogic
Password:
Registering instance
Command succeeded.
Update the Enterprise Manager Repository URL
[fusion@fmwhost bin]$ cd $ORACLE_INSTANCE/EMAGENT/EMAGENT/bin
[fusion@fmwhost bin]$ ./emctl switchOMS http://fmwhost:7001/em/upload
Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.
Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.
SwitchOMS succeeded.
We can now verify whether this instance is registered with the monitoring agent.
Login to http://<hostname>:7777/em using weblogic user
Click on Farm->Agent monitored targets.
Make sure that Agent URL is configured and it does not show “Needs Configuration”
Tune Oracle Internet Directory for Fusion Applications Installation
In the EM console, select oid1 from the farm tree. On the right pane click on oid1->Administration->Shared Properties
Select Skip referral for search (in OID term orclskiprefinsql = 1)
Deselect Match DN (orclMatchDnEnabled = 0)
Click Apply
Now click on oid1->Administration->Server Properties
Set following values.
Number of Oracle Internet Directory LDAP Server Processes (orclserverprocs): 4
Number of DB Connections per Server Process (orclmaxcc): 4
Maximum Number of LDAP connections per Server Process (orclmaxldapconns): 4096
Restart OID processes to make sure that the changes are now in effect.
[fusion@fmwhost bin]$ /app/fusion/config/instances/oid1/bin/opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes…
[fusion@fmwhost bin]$ /app/fusion/config/instances/oid1/bin/opmnctl startall
opmnctl startall: starting opmn and all managed processes…
[fusion@fmwhost bin]$ opmnctl status agent
Processes in Instance: oid1
———————————+——————–+———+———
ias-component | process-type | pid | status
———————————+——————–+———+———
oid1 | oidldapd | 17192 | Alive
oid1 | oidldapd | 17188 | Alive
oid1 | oidldapd | 17184 | Alive
oid1 | oidldapd | 17166 | Alive
oid1 | oidldapd | 17142 | Alive
oid1 | oidmon | 17104 | Alive
EMAGENT | EMAGENT | 17103 | Alive
Prepare Identity and Policy Stores
Prepare Policy store
Go to directory <IAM_HOME>/idmtools/bin
-bash-3.2$ cd /app/fusion/fmw/iam/idmtools/bin/
Source environment variables
-bash-3.2$ export ORACLE_HOME=/app/fusion/fmw/iam
-bash-3.2$ export JAVA_HOME=/app/fusion/jdk6
-bash-3.2$ export IDM_HOME=/app/fusion/fmw/idm
-bash-3.2$ export MW_HOME=/app/fusion/fmw
Create a file named policystore.props
[fusion@fmwhost bin]$ more policystore.props
POLICYSTORE_HOST: fmwhost.paramlabs.com
POLICYSTORE_PORT: 3060
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=paramlabs,dc=com
POLICYSTORE_CONTAINER: cn=idm_jpsroot
[fusion@fmwhost bin]$ ./idmConfigTool.sh -configPolicyStore input_file=policystore.props
Enter Policy Store Bind DN password :
…
Enter User Password for PolicyROUser:
Confirm User Password for PolicyROUser:
…
Enter User Password for PolicyRWUser:
Confirm User Password for PolicyRWUser:
Check for errors in the log file.
-bash-3.2$ grep -i error automation.log
Note: While running this command, you might see the following error message:
WARNING: Error in adding in-memory OID search filters.
You may safely ignore this error.
Run the following commands to reassociate the Security Store
[fusion@fmwhost bin]$ cd /app/fusion/fmw/oracle_common/common/bin/
[fusion@fmwhost bin]$ ./wlst.sh
wls:/offline> connect("weblogic","Oracle123","t3://fmwhost.paramlabs.com:7001")
Connecting to t3://fmwhost.paramlabs.com:7001 with userid weblogic …
Successfully connected to Admin Server ‘AdminServer’ that belongs to domain ‘IDMDomain’.
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
wls:/IDMDomain/serverConfig> reassociateSecurityStore(domain="IDMDomain", admin="cn=orcladmin", password="Oracle123", ldapurl="ldap://fmwhost.paramlabs.com:3060", servertype="OID", jpsroot="cn=idm_jpsroot")
wls:/IDMDomain/serverConfig> exit()
Restart Admin Server
Prepare Identity Store
[fusion@fmwhost bin]$ more idstore.props
# Common
IDSTORE_HOST: fmwhost.paramlabs.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=paramlabs,dc=com
IDSTORE_SEARCHBASE: dc=paramlabs,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=paramlabs,dc=com
POLICYSTORE_SHARES_IDSTORE: true
# OAM
IDSTORE_OAMADMINUSER:oamadmin
IDSTORE_OAMSOFTWAREUSER:oamLDAP
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
# OAM and OIM
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=paramlabs,dc=com
# OIM
IDSTORE_OIMADMINGROUP: OIMAdministrators
IDSTORE_OIMADMINUSER: oimLDAP
# Required due to bug
IDSTORE_OAAMADMINUSER : oaamadmin
# Fusion Applications
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_SUPERUSER: weblogic_fa
# Weblogic
IDSTORE_WLSADMINUSER : weblogic_idm
[fusion@fmwhost bin]$ ./idmConfigTool.sh -preConfigIDStore input_file=idstore.props
Enter ID Store Bind DN password :
Check the log for errors
[fusion@fmwhost bin]$ grep -i error automation.log
The above command automatically creates a file named idmDomainConfig.param. This is an important file: we will seed the values from it into the response file.
[fusion@fmwhost bin]$ more idmDomainConfig.param
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=paramlabs,dc=com
POLICYSTORE_PORT: 3060
IDSTORE_HOST: fmwhost.paramlabs.com
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_PORT: 3060
POLICYSTORE_CONTAINER: cn=idm_jpsroot
IDSTORE_USERSEARCHBASE: cn=Users,dc=paramlabs,dc=com
POLICYSTORE_HOST: fmwhost.paramlabs.com
POLICYSTORE_READWRITE_USERNAME: cn=PolicyRWUser,cn=users,dc=paramlabs,dc=com
Creating Users and Groups
Run following command.
[fusion@fmwhost bin]$ ./idmConfigTool.sh -prepareIDStore mode=all input_file=idstore.props
Enter ID Store Bind DN password :
…
Enter User Password for IDROUser:
Confirm User Password for IDROUser:
…
Enter User Password for IDRWUser:
Confirm User Password for IDRWUser:
…
Enter User Password for weblogic_fa:
Confirm User Password for weblogic_fa:
…
Enter User Password for weblogic_idm:
Confirm User Password for weblogic_idm:
…
Enter User Password for oblixanonymous:
Confirm User Password for oblixanonymous:
…
Enter User Password for oamadmin:
Confirm User Password for oamadmin:
…
Enter User Password for oamLDAP:
Confirm User Password for oamLDAP:
…
Enter User Password for oaamadmin:
Confirm User Password for oaamadmin:
…
Enter User Password for oimLDAP:
Confirm User Password for oimLDAP:
…
Enter User Password for xelsysadm:
Confirm User Password for xelsysadm:
The tool has completed its operation. Details have been logged to automation.log
[fusion@fmwhost bin]$ grep -i error automation.log
WARNING: Error in adding in-memory OID search filters
Note: We are not using Oracle Virtual Directory (OVD) since it is an optional component, so we skip the OVD part.
Extend the Domain to include Oracle Directory Service Manager (ODSM)
Make sure that port 7006 is not being used by any process.
[fusion@fmwhost bin]$ netstat -an | grep 7006
Start the configuration from <IDM_HOME>/bin
[fusion@fmwhost bin]$ cd /app/fusion/fmw/idm/bin/
[fusion@fmwhost bin]$ ./config.sh &
Click Next
Select “Extend Existing Domain” and enter following values
Hostname: <hostname>
Port: 7001
Username: weblogic
Password: same as existing weblogic password
Click Next
Click Yes
Enter following values.
Weblogic Server Directory: /app/fusion/fmw/wlserver_10.3
Instance location: /app/fusion/config/instances/ods1
Instance Name: ods1
Click Next
Deselect checkbox and click Next
Click Yes
Select only Oracle Directory Service Manager and click Next
Select “Specify Ports using Configuration file”. Open another shell window and copy the staticports.ini from staging directory.
[fusion@fmwhost bin]$ cp -p /app/fusion/provisioning/idm/Disk1/stage/Response/staticports.ini ~/
Click View/Edit File
Edit/uncomment ODS server Port No = 7006
Click Save
Review the summary and click Configure
Once configuration completes, click Next
Review the summary and click Finish
Check if wls_ods1 is already up in Enterprise Manager at http://<hostname>:7777/em
If it is not up, start it with the following commands.
[fusion@fmwhost IDMDomain]$ cp -pr /app/fusion/config/domains/IDMDomain/servers/AdminServer/security/boot.properties /app/fusion/config/domains/IDMDomain/servers/wls_ods1/security/
[fusion@fmwhost IDMDomain]$ cd /app/fusion/config/domains/IDMDomain/bin/
[fusion@fmwhost IDMDomain]$ nohup ./startManagedWebLogic.sh wls_ods1 &
Wait till you see RUNNING in the nohup.log file
Launch ODSM using the following URL
Create Aliases for ODSM in HTTP server
[fusion@fmwhost bin]$ vi /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf
Append the following lines:
# ODSM
<Location /odsm>
SetHandler weblogic-handler
WebLogicCluster fmwhost.paramlabs.com:7006
</Location>
Restart Web Server as follows
[fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes…
[fusion@fmwhost bin]$ /app/fusion/config/instances/web1/bin/opmnctl startall
opmnctl startall: starting opmn and all managed processes…
Now you can also launch ODSM using the following URL
Click on Connect to a directory ->
Create A New Connection
Enter values as above. Click Connect
You can now view the Oracle Internet Directory from ODSM
You can also browse the OID data as above
Configure Oracle Access Manager (OAM)
Append following entries in /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf
##############################################
## Entries Required by Oracle Access Manager
##############################################
# OAM console
<Location /oamconsole>
SetHandler weblogic-handler
WebLogicHost fmwhost.paramlabs.com
WebLogicPort 7001
</Location>
##############################################
## Entries Required by Oracle Access Manager
##############################################
# OAM
<Location /oam>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WebLogicCluster fmwhost.paramlabs.com:14100
</Location>
##############################################
## Entries Required by Fusion Applications
##############################################
# FAAuthScheme
<Location /fusion_apps>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WebLogicCluster fmwhost.paramlabs.com:14100
</Location>
Restart Web Server as follows.
[fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes…
[fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl startall
opmnctl startall: starting opmn and all managed processes…
Go to <IAM_HOME>/idmtools/bin
[fusion@fmwhost bin]$ export ORACLE_HOME=/app/fusion/fmw/iam
[fusion@fmwhost bin]$ export MW_HOME=/app/fusion/fmw
[fusion@fmwhost bin]$ export JAVA_HOME=/app/fusion/jdk6
[fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/idmtools/bin
Create a file named config_oam1.props
[fusion@fmwhost bin]$ more config_oam1.props
WLSHOST: fmwhost.paramlabs.com
WLSPORT: 7001
WLSADMIN: weblogic
WLSPASSWD: Oracle123
IDSTORE_HOST: fmwhost.paramlabs.com
IDSTORE_PORT: 3060
IDSTORE_DIRECTORYTYPE:OID
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=paramlabs,dc=com
IDSTORE_SEARCHBASE: dc=paramlabs,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=paramlabs,dc=com
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
PRIMARY_OAM_SERVERS: fmwhost.paramlabs.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM
OAM11G_IDM_DOMAIN_OHS_HOST:fmwhost.paramlabs.com
OAM11G_IDM_DOMAIN_OHS_PORT:7777
OAM11G_IDM_DOMAIN_OHS_PROTOCOL:http
OAM11G_WG_DENY_ON_NOT_PROTECTED: false
OAM_TRANSFER_MODE: open
OAM11G_OAM_SERVER_TRANSFER_MODE:open
OAM11G_IDM_DOMAIN_LOGOUT_URLS:/console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_WEBGATE_PASSWD: Oracle123
COOKIE_DOMAIN: .paramlabs.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM11G_SSO_ONLY_FLAG: true
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_IMPERSONATION_FLAG:true
OAM11G_SERVER_LBR_HOST:fmwhost.paramlabs.com
OAM11G_SERVER_LBR_PORT:7777
OAM11G_SERVER_LBR_PROTOCOL:http
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_OIM_OHS_URL:http://fmwhost.paramlabs.com:7777/
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
Keep a backup of idmDomainConfig.param for safety
[fusion@fmwhost bin]$ cp -pr idmDomainConfig.param idmDomainConfig.param.preOAM
Run the following command to Configure OAM
[fusion@fmwhost bin]$ ./idmConfigTool.sh -configOAM input_file=config_oam1.props
Enter ID Store Bind DN password :
Enter User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Confirm User Password for IDSTORE_PWD_OAMSOFTWAREUSER:
Enter User Password for IDSTORE_PWD_OAMADMINUSER:
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
…
The tool has completed its operation. Details have been logged to automation.log
[fusion@fmwhost bin]$ grep -i error automation.log
WARNING: Error in adding in-memory OID search filters
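The idmConfigTool property files above (policystore.props, idstore.props, config_oam1.props) use a "KEY: value" layout with inconsistent spacing, carry admin passwords in clear text, and must agree with the generated idmDomainConfig.param. The following added example, which is not part of the original post or of idmConfigTool, checks a property file for those points before the tool is run; the sample files are constructed and the list of keys it checks is taken from this walkthrough's config_oam1.props, not from Oracle's documentation.

```bash
#!/bin/bash
# Added example, not part of the original post or of idmConfigTool: sanity-check
# an idmConfigTool property file before running the tool. It reads the "KEY: value"
# format shown above, tolerating the mixed "KEY:value" / "KEY : value" spacing the
# post's files use, reports keys that are missing, flags secrets stored in clear
# text, and cross-checks the identity store host/port against the generated
# idmDomainConfig.param. The sample files below are constructed for the demo.
set -u

# Trim-aware lookup: print the value of key $2 in file $1 (empty if absent).
prop_get() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == want) { print v; exit }
        }' "$1"
}

# Print each key in $2.. that is absent or empty in file $1; return 1 if any.
props_missing() {
    local file="$1" k rc=0; shift
    for k in "$@"; do
        [ -n "$(prop_get "$file" "$k")" ] || { echo "missing: $k"; rc=1; }
    done
    return "$rc"
}

# Print keys whose name marks them as a secret and whose value is filled in.
# Return 1 if any were found, so the file can be scrubbed or locked down after use.
props_plaintext_secrets() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k ~ /PASSWD|PASSWORD|PWD/ && v != "") { print k; found = 1 }
        }
        END { if (found) exit 1; exit 0 }' "$1"
}

# Print keys from $3.. whose values differ between files $1 and $2; return 1 if any.
props_cross_check() {
    local a="$1" b="$2" k va vb rc=0; shift 2
    for k in "$@"; do
        va=$(prop_get "$a" "$k"); vb=$(prop_get "$b" "$k")
        [ "$va" = "$vb" ] || { echo "mismatch: $k ('$va' vs '$vb')"; rc=1; }
    done
    return "$rc"
}

# Demo on constructed files modelled on config_oam1.props and idmDomainConfig.param
# (the param file is given a deliberately wrong port to show the cross-check).
demo=$(mktemp -d)
cat > "$demo/config_oam1.props" <<'EOF'
WLSHOST: fmwhost.paramlabs.com
WLSPORT: 7001
WLSADMIN: weblogic
WLSPASSWD: Oracle123
IDSTORE_HOST: fmwhost.paramlabs.com
IDSTORE_PORT: 3060
IDSTORE_DIRECTORYTYPE:OID
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_OAMADMINUSER : oamadmin
OAM11G_OIM_WEBGATE_PASSWD: Oracle123
EOF
cat > "$demo/idmDomainConfig.param" <<'EOF'
IDSTORE_HOST: fmwhost.paramlabs.com
IDSTORE_PORT: 3061
EOF
# Keys this walkthrough's config_oam1.props sets; a few are left out of the sample on purpose.
props_missing "$demo/config_oam1.props" WLSHOST WLSPORT WLSADMIN IDSTORE_HOST \
    IDSTORE_PORT IDSTORE_BINDDN PRIMARY_OAM_SERVERS WEBGATE_TYPE ACCESS_GATE_ID || true
props_plaintext_secrets "$demo/config_oam1.props" || true
props_cross_check "$demo/config_oam1.props" "$demo/idmDomainConfig.param" IDSTORE_HOST IDSTORE_PORT || true
rm -rf "$demo"
```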
Restart Admin server and all managed servers
Validate OAM
Login to OAM Console using oamadmin user
http://fmwhost:7777/oamconsole/
In System Configuration tab, click Access Manager Settings -> SSO Agents-> OAM Agents. Search for all agents.
Edit Webgate_IDM agent
Set Max. number of Connections to 4 for each primary server (in our case there is only one host)
Do the same for the Webgate_IDM_11g agent
Set Max. number of Connections to 4 for each primary server (in our case there is only one host)
In the Policy Configuration tab, Host Identifiers->IAMSuiteAgent-> make sure our hostname and the default HTTP port are listed. If they are already there, nothing needs to change on this screen.
Adding the oamadmin Account to Access System Administrators
The oamadmin user is assigned to the Oracle Access Manager Administrators group, which is in turn assigned to the Access System Administrators group. Fusion Applications, however, requires the oamadmin user to be explicitly added to that role.
To do this, perform the following steps:
1. Log in to the oamconsole at http://<hostname>:7777/oamconsole
2. Click the System Configuration tab.
3. Expand Data Sources – User Identity Stores.
4. Click OIMIDStore.
5. Click Open.
6. Click the + symbol next to Access System Administrators.
7. Type oamadmin in the search box and click Search.
8. Click the returned oamadmin row, then click Add Selected.
9. Click Apply.
Create Oracle Access Manager Policies for WebGate 11g
In order to allow WebGate 11g to display the credential collector, you must add /oam to the list of public policies.
Proceed as follows:
1. Log in to the OAM console
2. Select the Policy Configuration tab.
3. Expand Application Domains – IAM Suite
4. Click Resources.
5. Click Open.
6. Click New resource.
7. Provide the following values:
Type: HTTP
Description: OAM Credential Collector
Host Identifier: IAMSuiteAgent
Resource URL: /oam
Protection Level: Unprotected
Authentication Policy: Public Policy
8. Click Apply.
Updating Oracle Access Manager System Parameters
1. Log in to the OAM console at http://<hostname>:7777/oamconsole as the WebLogic administration user.
2. Select the System Configuration tab.
3. Click Common Settings under the Common Configuration entry.
4. Click Open.
5. Set the following values:
Idle Timeout (minutes): 120
Session Lifetime: 120
Maximum Number of Sessions per user: 200
6. Click Apply
Restart OAM
Configure Oracle Identity Manager (OIM) and Oracle SOA Suite
Start the configuration from <IAM_HOME>/bin
[fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/bin/
[fusion@fmwhost bin]$ ./config.sh &
Click Next
Select only “OIM Server” and click Next
Enter database details. Make sure to use the correct prefix as selected earlier (in our case PROD). Click Next
Admin server URL: t3://<hostname>:7001
Username and password of weblogic user
Click Next
Enter required password and OIM HTTP URL as http://<hostname>:14000
Click Next
Check “Enable LDAP Sync” and click Next
Enter following values
Directory Server Type: OID
ID: oid1
URL: ldap://<hostname>:3060
User: cn=oimLDAP,cn=systemids,dc=<domain>,dc=<com>
Click Next
Enter following values
Role Container: cn=Groups,dc=<domain>,dc=<com>
User Container: cn=Users,dc=<domain>,dc=<com>
Reservation Container: cn=Reserve,dc=<domain>,dc=<com>
Click Next
Review summary and click Configure
Once configuration completes, click Next
Review and click Finish
Launch OIM URL
Important Note: If you get an HTTP 404 error for OIM, or if you see the following errors in the OIM log files (even if the OIM status shows as “RUNNING” in the admin console), then OIM has not come up properly. EM will show OIM as down.
<Error> <Deployer> <BEA-149265> <Failure occurred in the execution of deployment request with ID ‘1356332711618′ for task ‘1′. Error is: ‘weblogic.management.DeploymentException: [J2EE:160149]Error while processing library references. Unresolved application library references, defined in weblogic-application.xml: [Extension-Name: oracle.sdp.client, exact-match: false].’
weblogic.management.DeploymentException: [J2EE:160149]Error while processing library references. Unresolved application library references, defined in weblogic-application.xml: [Extension-Name: oracle.sdp.client, exact-match: false].
at weblogic.application.internal.flow.CheckLibraryReferenceFlow.prepare(CheckLibraryReferenceFlow.java:26)
at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:648)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:59)
Truncated. see log file for complete stacktrace
As per My Oracle Support (Metalink) note 1328471.1, the following needs to be done to fix this.
Admin console->Deployments->go to the oracle.sdp.client page
Select Lock & Edit on the left pane and on the right pane tick the checkboxes for WLS_OIM1 and WLS_SOA1
Restart OIM
Now launch OIM URL again.
Login with xelsysadm user
Enter answers for challenge questions.
If you have not applied the post-steps for patch 13399365 properly, you might get the following errors.
oracle.iam.platform.kernel.OrchestatrionException
“ADF_FACES-60097 : For more information, please see the server’s error log for an entry beginning with: ADF_FACES-60096: Server Exception during PPR, #8″
Internal Exception: java.sql.SQLSyntaxErrorException: ORA-00904: “CONTEXTVAL”: invalid identifier
Error Code: 904
Call: INSERT INTO ORCHPROCESS (ID, BULKPARENTID, CHANGETYPE, CONTEXTVAL, CREATEDON, ENTITYID, ENTITYTYPE, MODIFIEDON, OPERATION, ORCHESTRATION, ORCHTARGET, PARENTPROCESSID, RETRY, SEQUENCE, STAGE, STATUS) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
bind => [16 parameters bound]
This is because the following column may be missing from the PROD_OIM.ORCHPROCESS table. The post-steps for the above patch create this column.
CONTEXTVAL CLOB
Apply the post-steps for patch 13399365 to fix this issue as follows.
[fusion@fmwhost patch]$ cd /mnt/hgfs/setup/installers/idm/patch/13399365
[fusion@fmwhost 13399365]$ mv /app/fusion/fmw/iam/server/bin/weblogic.profile /app/fusion/fmw/iam/server/bin/weblogic.profile_bak
[fusion@fmwhost 13399365]$ cp -p sample_weblogic.profile.fa /app/fusion/fmw/iam/server/bin/weblogic.profile
[fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/server/bin/
[fusion@fmwhost bin]$ more weblogic.profile
# For passwords if you dont want to put password </optional> in this file just comment it out from here, you will be promted for it in rumtime.
#Neccessary env variables [Mandatory]
ant_home=/app/fusion/fmw/modules/org.apache.ant_1.7.1
java_home=/app/fusion/jdk6
mw_home=/app/fusion/fmw
oim_oracle_home=/app/fusion/fmw/iam
#DB configuration variables [Mandatory]
operationsDB.user=FA_OIM
# Database password is optional. if you want to give it on terminal itself leave it commented. Otherwise uncomment it.
OIM.DBPassword=Oracle123
operationsDB.driver=oracle.jdbc.OracleDriver
operationsDB.host=fdbhost.paramlabs.com
operationsDB.serviceName=fusiondb
operationsDB.port=1521
appserver.type=wls
isMTEnabled=false
# If you have milty-tenancy enabled in your environment
mdsDB.user=FA_MDS
#Password is optional, if you want to give it on terminal itself leave it commented. Otherwise uncomment it.
mdsDB.password=Oracle123
mdsDB.host=fdbhost.paramlabs.com
mdsDB.port=1521
mdsDB.serviceName=fusiondb
#For domain level configurations [Mandatory]
# put here your admin server related credentials
weblogic_user=weblogic
#Password is optional, if you want to give it on terminal itself leave it commented. Otherwise uncomment it.
weblogic_password=Oracle123
weblogic_host=fmwhost
weblogic_port=7001
weblogic.server.dir=/app/fusion/fmw/wlserver_10.3
#oim specific domain level parameters [Mandatory]
oimserver_host=fmwhost.paramlabs.com
oimserver_port=14000
oim_managed_server=WLS_OIM1
oim_domain_dir=/app/fusion/config/domains/IDMDomain
isSODEnabled=false
#SOA specific details [Mandatory]
soa_home=/app/fusion/fmw/SOA
soa_managed_server=WLS_SOA1
soaserver_host=fmwhost.paramlabs.com
soaserver_port=8001
#put here the name of the targets of taskdetails. in non cluster it will be soa server name and in cluster it will be something like cluster_soa
taskdetails_target_name=WLS_SOA1
isOHSEnabled=true
#Following params is needed only if you have enabled OHS in your env
ohs_home=/app/fusion/fmw/web
#If your env is FA, you can set this var false or ignore this if your env is non FA.
isFAEnabled=true
Now let's run the patch_weblogic.sh script. Note that the password entries in weblogic.profile are optional: if you leave them commented out, the script prompts for them at runtime instead of reading them from the file, as the file's own comments describe.
[fusion@fmwhost bin]$ export MW_HOME=/app/fusion/fmw
[fusion@fmwhost bin]$ export JAVA_HOME=/app/fusion/jdk6
[fusion@fmwhost bin]$ export ANT_HOME=/app/fusion/fmw/modules/org.apache.ant_1.7.1
[fusion@fmwhost bin]$ export OIM_ORACLE_HOME=/app/fusion/fmw/iam
[fusion@fmwhost bin]$ export PATH=$JAVA_HOME/bin:$PATH
[fusion@fmwhost bin]$ ./patch_weblogic.sh
It takes a long time, so be patient until it completes.
Launch OIM again to make sure you can log in and enter the security answers successfully.
Now launch SOA using the following URL:
http://<hostname>:8001/soa-infra
Log in with the weblogic username and password when prompted.
Prepare OIM to reconcile from ID store
[fusion@fmwhost bin]$ cd /app/fusion/fmw/iam/server/ldap_config_util/
[fusion@fmwhost ldap_config_util]$ cp -pr ldapconfig.props ldapconfig.props_orig
[fusion@fmwhost ldap_config_util]$ vi ldapconfig.props
[fusion@fmwhost ldap_config_util]$ cat ldapconfig.props
# OIMServer Type, Valid values can be WLS, JBOSS, WAS
# e.g.: OIMServerType=WLS
OIMServerType=WLS
# OIMAdmin User Login
# e.g.: OIMAdminUser=xelsysadm
OIMAdminUser=xelsysadm
# Skip Validation of OVD Schema
# e.g.: SkipOVDValidation=true|false, Default false
SkipOVDValidation=true
# OIM Provider URL
# e.g.: OIMProviderURL=t3://localhost:8003
OIMProviderURL=t3://fmwhost.paramlabs.com:14000
# OID URL
# e.g.: OIDURL=ldap://localhost:389
OIDURL=ldap://fmwhost.paramlabs.com:3060
# Admin user name to connect to OID
# e.g.: OIDAdminUsername=cn=orcladmin
OIDAdminUsername=cn=oimLDAP,cn=systemids,dc=paramlabs,dc=com
# Search base
# e.g.: OIDSearchBase=dc=company,dc=com
OIDSearchBase=dc=paramlabs,dc=com
# Name of the user container
# e.g.: UserContainerName=cn=Users
UserContainerName=cn=Users
# Name of the role container
# e.g.: RoleContainerName=cn=Roles
RoleContainerName=cn=Groups
# Name of the reservation container
# e.g.: ReservationContainerName=cn=Reserve
ReservationContainerName=cn=Reserve
[fusion@fmwhost ldap_config_util]$ export JAVA_HOME=/app/fusion/jdk6
[fusion@fmwhost ldap_config_util]$ export WL_HOME=/app/fusion/fmw/wlserver_10.3
Run the following command:
[fusion@fmwhost ldap_config_util]$ ./LDAPConfigPostSetup.sh /app/fusion/fmw/iam/server/ldap_config_util
[Enter OIM admin password:]
Authenticated with OIM Admin…..
Obtained Scheduler Service…..
Successfully Enabled Changelog based Reconciliation schedule jobs.
Successfully Updated Changelog based Reconciliation schedule jobs with last change number : <number>
Log in to Enterprise Manager to make sure every required component is up.
Configure HTTP for OIM and SOA
Append the following entries to /app/fusion/config/instances/web1/config/OHS/web1/moduleconf/admin.conf
################################################
## Entries Required by Oracle Identity Manager
################################################
# oim admin console(idmshell based)
<Location /admin>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# oim self and advanced admin webapp consoles(canonic webapp)
<Location /oim>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# xlWebApp – Legacy 9.x webapp (struts based)
<Location /xlWebApp>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# Nexaweb WebApp – used for workflow designer and DM
<Location /Nexaweb>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# used for FA Callback service.
<Location /callbackResponseService>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# spml xsd profile
<Location /spml-xsd>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# role-sod profile
<Location /role-sod>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
<Location /HTTPClnt>
SetHandler weblogic-handler
#WLProxySSL ON
#WLProxySSLPassThrough ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
################################################
## Entries Required by Oracle Identity Manager and SOA
################################################
# SOA Infrastructure
<Location /soa-infra>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:8001
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# UMS Email Support
<Location /ucs>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:8001
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# SOA Callback webservice for SOD – Provide the SOA Managed Server Ports
<Location /sodcheck>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:8001
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# Callback webservice for SOA. SOA calls this when a request is approved/rejected
# Provide the SOA Managed Server Port
<Location /workflowservice>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
A copy of my admin.conf file can be found here. This is just a sample admin.conf; you must change the host names and ports accordingly.
Restart the web server.
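As an added example (not part of the original post), here is a small Python check that parses the <Location> blocks of an admin.conf and reports any required path that is missing, not handled by mod_wl, routed to the wrong backend port, or carrying the curly quotes a copy-paste from a web page leaves behind, which is the kind of mistake that produces the 404 errors discussed in the comments. The sample config and the path-to-port table are constructed from the ports used in this post; /oamconsole on the AdminServer port 7001 is an assumption taken from a commenter's fix.

```python
import re

# Backend port each proxied path should reach, taken from the admin.conf in
# this post (OIM paths -> 14000, SOA paths -> 8001). /oamconsole -> 7001 is the
# AdminServer entry a commenter added to fix the 404 (assumption); adjust for
# your own hosts and ports.
EXPECTED_BACKENDS = {
    "/admin": 14000, "/oim": 14000, "/xlWebApp": 14000, "/Nexaweb": 14000,
    "/callbackResponseService": 14000, "/spml-xsd": 14000, "/role-sod": 14000,
    "/HTTPClnt": 14000, "/workflowservice": 14000,
    "/soa-infra": 8001, "/ucs": 8001, "/sodcheck": 8001,
    "/oamconsole": 7001,
}

# Constructed sample: /oim is right, /soa-infra is mis-routed to the OIM port
# and has curly quotes in WLLogFile, /oamconsole uses WebLogicHost/WebLogicPort
# instead of WebLogicCluster, and /admin is missing altogether.
SAMPLE_CONF = """
# oim self and advanced admin webapp consoles
<Location /oim>
SetHandler weblogic-handler
#WLProxySSL ON
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
</Location>
# SOA Infrastructure (wrong port on purpose)
<Location /soa-infra>
SetHandler weblogic-handler
WLCookieName oimjsessionid
WebLogicCluster fmwhost.paramlabs.com:14000
WLLogFile \u201c${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log\u201d
</Location>
# OAMCONSOLE
<Location /oamconsole>
SetHandler weblogic-handler
WebLogicHost fmwhost.paramlabs.com
WeblogicPort 7001
</Location>
"""
SAMPLE_EXPECTED = {"/admin": 14000, "/oim": 14000,
                   "/soa-infra": 8001, "/oamconsole": 7001}

LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.S)
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_locations(conf_text):
    """Return {path: {directive_lowercase: value}} for every <Location> block.
    Commented-out directives such as #WLProxySSL ON are ignored."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf_text):
        directives = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        blocks[path] = directives
    return blocks


def backend_port(directives):
    """Port from WebLogicCluster host:port[,host:port] or WebLogicPort; None if
    absent or if cluster members disagree. Apache directive names are case
    insensitive, so lookups use lowercased names."""
    cluster = directives.get("weblogiccluster")
    if cluster:
        ports = set()
        for member in cluster.split(","):
            _, sep, port = member.strip().rpartition(":")
            ports.add(int(port) if sep and port.isdigit() else None)
        return ports.pop() if len(ports) == 1 else None
    port = directives.get("weblogicport", "")
    return int(port) if port.isdigit() else None


def check_admin_conf(conf_text, expected=EXPECTED_BACKENDS):
    """Return a sorted list of problems; an empty list means every expected
    path is present, handled by mod_wl and routed to the expected port."""
    problems = []
    blocks = parse_locations(conf_text)
    for path, port in expected.items():
        if path not in blocks:
            problems.append(f"{path}: missing <Location> block (requests will 404)")
            continue
        d = blocks[path]
        if d.get("sethandler") != "weblogic-handler":
            problems.append(f"{path}: SetHandler is not weblogic-handler")
        got = backend_port(d)
        if got != port:
            problems.append(f"{path}: routed to port {got}, expected {port}")
        if any(ch in d.get("wllogfile", "") for ch in CURLY_QUOTES):
            problems.append(f"{path}: WLLogFile uses curly quotes (copy-paste artefact)")
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_admin_conf(SAMPLE_CONF, SAMPLE_EXPECTED) or ["OK"]:
        print(problem)
```

Run it against your real file with `check_admin_conf(open(path).read())` before restarting OPMN, so a missing alias is caught before users see a 404.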
[fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes…
[fusion@fmwhost ldap_config_util]$ /app/fusion/config/instances/web1/bin/opmnctl startall
opmnctl startall: starting opmn and all managed processes…
Change the host assertion in WebLogic.
Click Save and Activate Changes.
Verify OIM and SOA using the HTTP port:
http://<hostname>:7777/soa-infra
Enabling Oracle Identity Manager to Connect to SOA Using the Administrative Users Provisioned in LDAP
Log in to the EM console.
Select Farm_IDMDomain –> Identity and Access –> OIM –> oim(11.1.1.3.0).
Select MBean Browser from the menu, or right-click to select it.
Select Application Defined MBeans –> oracle.iam –> Server: wls_oim1 –> Application: oim –> XML Config –> Config –> XMLConfig.SOAConfig –> SOAConfig
Change the username attribute to weblogic_idm.
Select WebLogic Domain –> IDMDomain from the Navigator.
Select Security –> Credentials from the drop-down menu.
Expand the key oim.
Click SOAAdminPassword.
Click Edit.
Change the username to weblogic_idm and set the password to the account's password.
Click OK.
Run the reconciliation process to enable the Oracle WebLogic Server administrator, weblogic_idm, to be visible in the OIM Console. Follow these steps:
a. Log in to Oracle Identity Manager at:
<hostname>:7777/oim as the user xelsysadm
b. If prompted, set up challenge questions. This happens on your first login to Oracle Identity Manager.
c. Click Advanced.
d. Click the System Management tab.
e. Click the arrow for the Search Scheduled Jobs to list all the schedulers.
f. Select LDAP User Create and Update Full Reconciliation.
g. Click Run Now to run the job.
h. Go to the Administration page and perform a search to verify that the user is visible in the Oracle Identity Manager console.
Now click on Administration
Click Advanced Search –> Roles
Search for the Administrators role. Click the Administrators Role.
Click Open.
Click the Members tab. Click Assign.
Type weblogic_idm in the Search box and Click ->.
Select weblogic_idm from the list of available users.
Click > to move to Selected Users.
Click Save.
1. Log in to the WebLogic console at:
http://<hostname>:7777/console
2. Click Lock and Edit.
3. Expand the Environment Node in the Domain Structure window.
4. Click Servers to open the Summary of Servers Page.
5. Click on a server to show the server properties page.
6. Click the Server Start tab.
7. Add the following values to the Arguments field:
-Djps.subject.cache.key=5
-Djps.subject.cache.ttl=600000
8. Click Save.
9. Repeat for each of the managed servers.
10. Click Activate Changes.
Restart the Admin Server and all managed servers.
Next: Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
Installing Oracle Fusion Applications – steps
- Install Fusion Applications Provisioning Framework
- Install Oracle 11g Database (Applications Transactional Database)
- Run Oracle Fusion Applications Repository Creation Utility (Applications RCU)
- Create another database for Oracle Identity Management Infrastructure (optional)
- Run Repository Creation Utility (RCU) for Oracle Identity Management components
- Install Oracle Identity and Access Management Components
- Apply mandatory Patches
- Configure Oracle Identity and Access Management components
- Integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM)
- Install provisioning framework on Node 2
- Create new Response File
- Provision an Applications Environment (Editing in progress, this link currently points to 11.1.5 counterpart)
I am working on installing the OIM Suite; as this is a test VM installed on my local laptop, I am skipping the WebTier and WebGate.
My Environment Consists of the following:
Database Server:
Created the respective schemas using the RCU for IDM, SOA, OBIEE.
Application Server:
Installed Oracle Enterprise Linux 6.6
Installed and configured jdk1.6.0_45
Installed and configured Weblogic 10.3.6 and applied patch p18040640_1036_Generic.zip
Installed IDM 11.1.1.7.0 and applied patch p18686783_111170_Linux-x86-64.zip
Installed IAM 11.1.1.7.0
Installed SOA Suite 11.1.1.7.0
Created Domain for OIM,OAM,SOA
Extend the Domain to include Oracle Internet Directory: Issues while configuring the EM Agent
Here’s the snippet from the Out File from the /inventory/logs/install…..out:
Error creating ASComponent EMAGENT.
Cause:
An internal operation has failed: Failed to instantiate component properties.
Action:
See logs for more details.
at oracle.as.provisioning.util.ConfigException.createConfigException(ConfigException.java:123)
at oracle.as.provisioning.fmwadmin.ASInstanceProv._createComponent(ASInstanceProv.java:414)
at oracle.as.provisioning.fmwadmin.ASInstanceProv.createComponent(ASInstanceProv.java:358)
at oracle.as.provisioning.fmwadmin.ASInstanceProv.createInstanceAndComponents(ASInstanceProv.java:136)
at oracle.as.provisioning.engine.WorkFlowExecutor._createASInstancesAndComponents(WorkFlowExecutor.java:535)
at oracle.as.provisioning.engine.WorkFlowExecutor.executeWLSWorkFlow(WorkFlowExecutor.java:439)
at oracle.as.provisioning.engine.Config.executeConfigWorkflow_WLS(Config.java:866)
at oracle.as.provisioning.engine.Config.executeConfigWorkflow_WLS(Config.java:820)
at oracle.as.idm.install.config.BootstrapConfigManager.doExecute(BootstrapConfigManager.java:1636)
at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:375)
at oracle.as.install.engine.modules.configuration.action.TaskPerformer.run(TaskPerformer.java:88)
at oracle.as.install.engine.modules.configuration.action.TaskPerformer.startConfigAction(TaskPerformer.java:105)
at oracle.as.install.engine.modules.configuration.action.ActionRequest.perform(ActionRequest.java:15)
at oracle.as.install.engine.modules.configuration.action.RequestQueue.perform(RequestQueue.java:96)
at oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager.start(StandardConfigActionManager.java:186)
at oracle.as.install.engine.modules.configuration.boot.ConfigurationExtension.kickstart(ConfigurationExtension.java:81)
at oracle.as.install.engine.modules.configuration.ConfigurationModule.run(ConfigurationModule.java:86)
at java.lang.Thread.run(Thread.java:662)
Caused by: oracle.as.config.ProvisionException: Failed to instantiate component properties.
at oracle.as.config.impl.CommonUtil.wrapAsProvisionException(CommonUtil.java:30)
at oracle.as.config.impl.InstallerProvisionFactory.getOracleASComponentProperties(InstallerProvisionFactory.java:160)
at oracle.as.config.ConfigFactory.getOracleASComponentProperties(ConfigFactory.java:128)
at oracle.as.provisioning.fmwadmin.ASComponentProv.createComponent(ASComponentProv.java:106)
at oracle.as.provisioning.fmwadmin.ASComponentProv.createComponent(ASComponentProv.java:73)
at oracle.as.provisioning.fmwadmin.ASInstanceProv._createComponent(ASInstanceProv.java:401)
… 16 more
Caused by: org.kohsuke.args4j.CmdLineException: “null” is not a valid value for “-EMD_PORT”
at org.kohsuke.args4j.spi.OneArgumentOptionHandler.parseArguments(OneArgumentOptionHandler.java:32)
at org.kohsuke.args4j.CmdLineParser.parseArgument(CmdLineParser.java:423)
at oracle.as.config.provisioner.argument.parser.ArgumentParser.parseStrict(ArgumentParser.java:298)
I have been trying to configure this for the past 3-4 days and have been failing; hope someone can help!
Please let me know if any more details are needed.
Thanks in advance.
Regards,
Vineet
Hello guys,
I am unable to sign in to my oamconsole.
The server is running fine without any error in the logs.
When I enter the username and password it does not show any movement.
It does not even reply to a wrong password or username input.
Please help me out as I am unaware of any solution anywhere on the internet.
Hi Tushar,
The OIM is not starting on Fusion_IDMDomain
Name: oim(11.1.1.3.0) Status: Down Target: WLS_OIM1
Here is the error msg I am getting.
Please advise:
Invoking Start Up operation for application oim on target WLS_OIM1.
[Deployer:149193]Operation ‘start’ on application ‘oim [Version=11.1.1.3.0]’ has failed on ‘WLS_OIM1’
[Deployer:149034]An exception occurred for task [Deployer:149026]start application oim [Version=11.1.1.3.0] on WLS_OIM1.: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=OIMSchemaPassword read).
Operation Start Up on target oim Failed. Please see error logs for details.
Hi Tushar,
I am facing a very strange issue; don't know if it is normal or not.
The wizard hangs completely during step 7 of 11 in the "Extend the Domain to include Oracle Internet Directory" process. I had provided the right details in the required fields.
It hung for almost 30 minutes. I tried several times. Glad if you can provide any feedback.
Hi Tushar,
We are working on OIM 11g Release R2 (11.1.2.2.0). Whenever I try to create a form from the designer I get the below error.
java.lang.String cannot be cast to oracle.iam.ui.formservice.model.FormCreateResult
ADF_FACES-60097: For more information, please see the server's error log for an entry beginning with: ADF_FACES-60096: Server Exception during PPR, #3
Can you please let me know if we need to apply any patch for this error?
Thanks.
Hi Prakash,
We are facing the same issue too. Can you please let me know what you have done to rectify this?
Thanks,
Kireet.
Guys,
We're also facing the "java.lang.String cannot be cast to oracle.iam.ui.formservice.model.FormCreateResult" error.
Did you come up with a solution?
Thank you,
Angelos
The same issue here. Any suggestion how to solve it?
It is a bug, see Doc ID 1922978.1 on support.oracle.com
Hi Tushar,
Thanks for your blog. I have some queries; please reply if possible.
1) Instead of FA_ I gave the FAAPP_ prefix during schema creation in RCU.
Is this going to have an impact?
2) After I completed the OIM configuration as per Oracle Doc ID 1328471.1,
I completed the workaround.
In the browser, when I hit Enter on the OIM link, the link changes and there is no login page:
http://hostname:14000/oim
http://www.hostname.com:14000/oim
Please advise.
Hello,
Till the 11.1.6 release of Fusion Apps it was OK to keep any prefix. In fact they suggested keeping EDG_, but we had selected FA_. From the 11.1.7 release they have made it mandatory to keep FA_, but this is in the case of 11.1.7. It has not given any issues in 11.1.6 if we changed it.
Regarding OIM, I need to see which note you followed, but can you please tell me what the behavior is if you open OIM using the web load balancer port instead of the OIM server port?
Regards
Tushar
Hi Tushar,
How do I restart OAM in this article (the action above the title "Configure Oracle Identity Manager (OIM) and Oracle SOA Suite")?
thank you very much
BR,
Morpheus
The SOA domain won't boot up, with the message "invalid credentials" on the AdminServer...
Dear all,
We have a lot of comments pending this week. I will reply to all questions one by one over the weekend and next week.
Thanks
Tushar
Hi,
My host name is fusion with IP 192.168.59.101, and the same is placed in /etc/hosts.
There is no domain given in the host entry, like oracle.com.
During the Oracle Identity Management installation setup – Step 8 of 11,
I gave Realm as dc=fusion
Created Policystore.props as below:
LICYSTORE_HOST: fusion — also tried giving 192.168.59.101
POLICYSTORE_PORT: 3060
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc-fusion — also tried giving dc=localhost,dc=localdomain
POLICYSTORE_CONTAINER: cn=idm_jpsroot
Now I am not able to prepare policy store:
./idmConfigTool.sh -configPolicyStore input_file=policystore.props
Error:
Enter Policy Store Bind DN password :
Host/Port details missing in the Config file
Please help..
Thanks,
RamPrasad
Hi, thanks for the great note. I followed the steps mentioned in the note but I got this error: oracle.iam.ldapsync.exception.ProcessLDAPReconDataException: An error occurred as there is no result or null returned from LDAP. Check the log files.
I enabled trace and found the following error in WLS_OIM1-diagnostic.log
[2013-08-21T14:22:11.802+03:00] [WLS_OIM1] [ERROR] [IAM-0042008] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] [userId: oiminternal] [ecid: 0000K2W^fp8ECS05Nzg8ye1I5A1b000002,0] [APP: oim#11.1.1.3.0] An error occurred while searching the entity in LDAP, and the corresponding error is – {0}[[
javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
LDAP Error 32 : No Such Object [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object]
at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:439)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1101)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.search(LDAPDataProvider.java:1217)
at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.returnEntityType(LDAPRoleMembershipReconTask.java:502)
at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.createRoleMembershipReconciliationEvent(LDAPRoleMembershipReconTask.java:319)
at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.processResult(LDAPRoleMembershipReconTask.java:174)
at oracle.iam.ldapsync.scheduletasks.membership.LDAPRoleMembershipReconTask.execute(LDAPRoleMembershipReconTask.java:109)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:174)
at oracle.ods.virtualization.service.DefaultVirtualizationSession.search(DefaultVirtualizationSession.java:191)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:429)
… 15 more
and in WLS_OIM1.out:
Hi Tushar,
I would appreciate it if you could comment on the following issue. Thanks!
While configuring the domain for IDM 11.1.1.6.0, I am facing this issue during
the configuration progress, during the run of $ORACLE_HOME/bin/config.sh:
getting this "Bootstraps Domain configuration Failed" error.
I am trying to configure the OID domain after installing the IDM 11.1.1.6
software. But the config.sh wizard is failing at the domain
creation.
The steps that I've followed are:
created 11.2.0.3 database on database server and populated the metadata w/RCU
Installed sun jdk1.6 on the server
Installed Weblogic 10.3.6 on server
Installed IDM 11.1.1.6 Without creating & configuring OID domain on server
run config.sh under $ORACLE_HOME/bin, but installer was stuck in the
“create domain” step, and the below error message could be observed in
the installer’s log:
2013-07-04T08:40:42.815+05:30] [as] [ERROR] [] [oracle.as.install.engine.modules.presentation] [tid: 11] [ecid: 0000Jybe2o61zWWzLwePOA1HpETX000002,0] Io exception: Connection refused(DESCRIPTION=(TMP=)(VSNNUM=186647296)(ERR=12514)(ERROR_STACK=(ERROR=(CODE=12514)(EMFI=4))))[[
java.sql.SQLException: Io exception: Connection refused(DESCRIPTION=(TMP=)(VSNNUM=186647296)(ERR=12514)(ERROR_STACK=(ERROR=(CODE=12514)(EMFI=4))))
at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)
at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:231)
at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:345)
And
progress in calculate progress2
java.lang.NullPointerExceptionat oracle.as.install.engine.modules.util.fileutils.INIFileReaderUtilities.parseFile(INIFileReaderUtilities.java:185)
at oracle.as.install.engine.modules.util.fileutils.INIFileReaderUtilities.(INIFileReaderUtilities.java:86)
at oracle.as.install.engine.modules.util.fileutils.INIFileReaderUtilities.(INIFileReaderUtilities.java:99)
at oracle.as.idm.install.config.BootstrapConfigManager.doExecute(BootstrapConfigManager.java:850)
at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:371)
Please suggest what the issue could be.
Thanks
Priya
Hello Gurus,
I followed the same steps as mentioned in this blog. When I ran the following command
./idmConfigTool.sh -preConfigIDStore input_file=idstore.props
I got an error saying "Host/Port details missing in the Config file".
Can you please let me know what can be the issue?
Thanks
Raj
Dear Raj,
The error is very clear. You need to check the same in your idstore.props. If you cannot find then please post your idstore.props file and I can let you know where the details are missing.
Thanks
Tushar
Hi Raj
Please keep the code together without blank lines in file idstore.props
BR,
Morpheus
Dear all,
I have updated the post with missing oam alias entries in admin.conf files. A sample admin.conf file can be found here. Please note that you must change the hostnames and ports accordingly.
Regards
Tushar
Hi ,
This is a great post; I simply followed it. Not sure whether you have covered it or not, but I see some OAM-related directives are missing from admin.conf in this post. After adding the below I could access OAM without any issues; otherwise you get a 404 error after installing WebGate and trying to access any URL:
SetHandler weblogic-handler
WebLogicHost infaesad81.cloud.opsource.net
WeblogicPort 14100
You are so right!! I am so sorry for missing these entries in this post. They are already mentioned in the 11.1.5 post, but it seems I missed mentioning these entries in the 11.1.6 posts. There are multiple entries in admin.conf which seem to be missing in this post. I will add all of them right away.
Thanks a lot for bringing it to my notice! All those who faced the 404 error due to this, please correct the admin.conf file.
– Tushar
Thank you for the great site. I really enjoy it. I am stuck on “Configure OAM”. I created config_oam1.props and am running it. It craps out on
Confirm User Password for IDSTORE_PWD_OAMADMINUSER:
oracle.idm.automation.exception.ExecutionFailedException: Error in adding password policy for System ID container
at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.prepareLDAPUserDN(OAM11gIntegrationHandler.java:425)
at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.configOAM11gIdStore(OAM11gIntegrationHandler.java:238)
at oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler.execute(OAM11gIntegrationHandler.java:888)
at oracle.idm.automation.AutomationTool.configOAM(AutomationTool.java:708)
at oracle.idm.automation.AutomationTool.parseCmdLine(AutomationTool.java:227)
at oracle.idm.automation.AutomationTool.main(AutomationTool.java:141)
There were errors found. Details have been logged to automation.log
I went in to the OID and changed the pw. Still getting this error. Any ideas?
Thanks again!
Hi,
Can anyone help me to solve this problem?
I'm getting the following error message in automation.log when I run the following command to configure OAM:
./idmConfigTools.sh -configOAM input_file=config_oam1.props
SEVERE: Error while configuring User ID Store {1}
Server instances in oamconsole are showing OAMSERVER1 instead of WLS_OAM1, and the primary server list is also showing AMSERVER1 and the host port 3005.
It looks like oam-config.xml was not updated when I ran the automation tool.
WLS_OAM1, WLS_ODS1, WLS_OIM1 and WLS_SOA1 are up & running.
I can telnet to all the ports, but not the proxy port 5575.
Please advise.
rgds/Kumar
Me too. Any solution?
Please check your input for the IDSTORE parameters in config_oam1.props, especially hostname and domain.
Check also that the hosts file is correct. I had the same issue here; after correcting the hosts file the configuration worked.
I can't find http://fmwhost.paramlabs.com:7777/oamconsole/
or ://fmwhost.paramlabs.com:3060/oamconsole/
It gives me the error:
The requested URL /oamconsole/ was not found.
Why?
First of all, 3060 is not a web port; it is for OID. Secondly, in order for 7777/oamconsole to work you must have added the alias /oamconsole in the admin.conf file as mentioned in the post.
If you are finding it difficult to prepare IDM infrastructure for Fusion apps, you can get a readymade VM for this using the link at the top
You must append oamconsole host,port info in admin.conf file.
Rgds/Kumar
Hi Kumar,
Could you provide the details of oamconsole host,port info in admin.conf file.
Regards,
Ram
Problem has been solved after adding in admin.conf:
# OAMCONSOLE
SetHandler weblogic-handler
WebLogicHost xxapps
WeblogicPort 7001
Regards,
Ram
My bad guys, yes indeed some admin.conf entries were missing in this post. They were posted in the 11.1.5 post but I missed writing that paragraph in this post. I will correct this and also put up a sample admin.conf to verify against. Please accept my apologies.
Tushar
Hi
In the above screenshots I see versions of some components lower than 11.1.1.6 (when selecting products for creating the Oracle Identity Management domain), like Oracle Identity Manager 11.1.1.3.0 [iam] and Oracle SOA Suite 11.1.1.0 [soa].
Is that OK, or do we need to upgrade these components to 11.1.1.6?
Regards,
Sandesh