Wednesday, 25 July 2012

Additional notes on OAM 11g


Prerequisite: the OAM 11g basic install steps (see the post further down this page) should have been completed.


Oracle Access Manager (OAM) is the access management product that Oracle acquired with Oblix in 2005.
# The OAM 11g user interface (UI) is based on the Application Development Framework (ADF).


# Three types of Web agents are supported in OAM 11g:
a) AccessGate/WebGate from 11g
b) AccessGate/WebGate from 10g (for backward compatibility) and
c) mod_osso for Oracle 10g Single Sign-On integration


You can set up either Oracle HTTP Server WebGate or mod_osso as an agent for Oracle Access Manager (OAM).


Setting up an Agent involves the following steps:


1. Installing and Configuring the Agent (WebGate or mod_osso)
2. Registering the Agent as a Partner Application
3. Restarting the WebLogic Managed Servers



The Oracle HTTP Server WebGate intercepts HTTP requests from users for Web resources and checks with the OAM server (Access Server) whether the user is authenticated and authorized before letting the request through.

Oracle HTTP Server 11g WebGate for Oracle Access Manager is not intended for use in Oracle Identity and Access Management
environments where you want to set up integration among Oracle Identity and Access Management components.



1. The following is the procedure for installing Oracle HTTP Server 11g WebGate for Oracle Access Manager.

A. Installing Oracle HTTP Server 11g (11.1.1.3.0, 11.1.1.4.0, or 11.1.1.5.0)-- Installation steps


Since we are on 11.1.1.5 for every component, we now install Oracle HTTP Server 11.1.1.5. You may ask whether the OHS that was installed along with OID can be reused. It cannot: the WebGate installer needs an OHS installed by the Web Tier installer (that is, an Oracle Home of Web Tier type).

This is a restriction imposed by the WebGate installer.
We should first install Oracle HTTP Server 11.1.1.2 and then patch it to 11.1.1.5, which in turn means using the Oracle Web Tier installer 11.1.1.2 and then applying the 11.1.1.5 patch set. More information on the Oracle Web Tier installer is below.

FMW 11g Web Tier Utilities encompasses products such as
* Oracle HTTP Server
* Oracle Web Cache


Oracle Process Manager and Notification Server (OPMN) is also installed by default. Together, these products are responsible for managing incoming HTTP requests, caching web messages, and sending XML and HTML back to the client.


Oracle HTTP Server 11g is based on Apache 2.2.
Once it is installed with Oracle Fusion Middleware it is supported and maintained as Oracle HTTP Server. For this reason it differs from the Apache version it originates from, and the two should not be compared in all situations.

Similar to OID, Oracle Web Tier can be installed without a domain and administered from the command line. But to use Fusion Middleware Control (OEM) to administer Oracle Web Tier, the WebLogic domain with which you are going to associate the Web Tier components must have been configured using both the Enterprise Manager and Java Required Files (JRF) domain templates. It is not possible to create this domain during the installation of Oracle Web Tier,
and so the domain must already exist prior to installation and configuration. Alternatively, you can install Oracle Web Tier without configuring the components, then create a WebLogic Server domain, then run the configuration tool to associate your Oracle Web Tier components with that domain.

Below is the procedure to install OHS using the Web Tier installer, associating OHS with an existing WebLogic domain.



--> Ensure that the WebLogic Admin Server is up and running.

--> Execute setup.exe inside Disk1 of the Web Tier 11.1.1.2 installation package (V18762-01.zip).

--> Choose the "Install and Configure" option and follow the screens.

--> The installation happens first, followed by the configuration.

--> Once installed, patch the installation in the same way with the 11.1.1.5 Web Tier patch set (V26010-01.zip).


Once the above process completes, inside MW_HOME a folder Oracle_WT1 gets created.
Run the opmnctl status command


C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin>opmnctl status
Processes in Instance: instance1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
webcache1                        | WebCache-admin     |    3804 | Alive
webcache1                        | WebCache           |    3372 | Alive
ohs1                             | OHS                |    1884 | Alive

This information shows the components configured for this installation. The status
"Alive" means the component is up and running.

This OPMN runs as a Windows service. It is a separate service from the one that
manages OID and OVD (the asinst_1 instance), even though both are OPMN.

C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin>opmnctl status -l
Processes in Instance: instance1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
webcache1                        | WebCache-admin     |    3804 | Alive    | 1675299287 |    17372 |  23:57:34 | http_admin:7786
webcache1                        | WebCache           |    3372 | Alive    | 1675299286 |    34268 |  23:57:34 | http_stat:7787,http_invalidation:7788,https_listen:7789,http_listen:7785
ohs1                             | OHS                |    1884 | Alive    | 1675299285 |    20212 |  23:58:15 | https:9999,https:4443,http:7777


Use the port numbers in this display to point your browser to the appropriate pages.

Use the format:
http://system_name:port_number

Below are all the urls that should be tested.

Oracle HTTP Server http://localhost:7777
Oracle HTTP Server SSL https://localhost:4443
Oracle Web Cache http://localhost:7785
Oracle Web Cache SSL https://localhost:7789

Oracle Web Cache Administration http://localhost:7786
Oracle Web Cache Statistics http://localhost:7787

The username for the above two URLs is ias_admin and the password is the one you specified during the installation. The Web Cache administration and statistics ports (and the OHS admin port 9999 noted below) are management interfaces; do not expose them beyond the host or the admin network.


Note:Oracle HTTP Server comes configured with two listen ports: a non-SSL port (http) and an SSL port (https). The default, non-SSL port is 7777. If port 7777 is occupied, the next available port number, within a range of 7777-7877, is assigned. The default SSL port is 4443. Similarly, if port 4443 is occupied, the next available port number, within a range of 4443-4543, is assigned.
An additional SSL port (9999) is configured to run out-of-the-box in the admin.conf file.  It is called Proxy MBean or Admin port and is used internally by Oracle HTTP Server to communicate with Fusion Middleware Control.

Note: the Web Cache 'invalidation port' 7788 expects the request to carry an XML message listing the cache contents to invalidate. That is why any request from a browser fails. You can find more information in the product documentation.



Now here is the scenario.


During the OID/OVD installation you get an OHS along with OID and OVD. That means that if you start opmnctl.bat at C:\Oracle\Middleware\asinst_1\bin
you get OID, OVD and OHS up and running.


This implies there are two OHS installations in the Middleware home: one installed along with OID (managed by the OPMN service located at C:\Oracle\Middleware\asinst_1\bin) and the other installed along with Web Tier (managed by the OPMN service located at C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin).

The reason we installed a separate OHS as part of Web Tier, even though we already have an OHS from the OID installation, is that for the WebGate installation this post is about, the OHS must live in a Middleware home
containing an Oracle Home for Oracle Web Tier, and the directory structure matters.

As discussed earlier in the OID posts, you cannot skip the installation of OHS during the OID installation, but you can always skip its configuration. OHS might be packaged with the OID installer for the sake of OIF, but that is an assumption.

So, finally, we have two OPMN processes and two OHS instances.
Note that both OHS instances were installed with the same ports.
The two OPMN services were installed with the same ports as well.
They therefore cannot be started at the same time. To run both simultaneously, change the OPMN ports and the OHS ports of one of the instances.


For detailed procedure of how to change the opmn ports, refer to one of my posts regarding the same.



Now you have to change the ports for one of the OHS.
I choose to change the ports for the OHS that was installed along with OID installation.


For detailed procedure of how to change the OHS ports, refer to one of my posts regarding the same.



After making the necessary changes to one of the OPMN services and OHS, both OHS and OPMN services can be started simultaneously.
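As an added check (example code written for this page, not part of the original post or of Oracle's tooling), the following Python script parses the "opmnctl status -l" tables of both instances and lists every listener port that both claim, which is exactly why asinst_1 and instance1 could not run together out of the box. The two status tables are constructed from the values shown on this page; against a live system you would capture the output of each instance's opmnctl. It only sees component listener ports, so OPMN's own ONS ports in opmn.xml still have to be compared by hand.

```python
"""Detect listen-port collisions between two OPMN instances (added example)."""
import re
from collections import defaultdict

# Constructed sample output: the OHS that came with OID/OVD (asinst_1) ...
ASINST_1_STATUS = """\
Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    2160 | Alive    | 1222706905 |    20208 |  20:19:16 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    3400 | Alive    | 1222706897 |   164132 |  20:26:09 | https:8899,ldap:6501,ldaps:7501,http:8080
oid1                             | oidldapd           |    1776 | Alive    | 1222706907 |    58708 |  20:26:41 | N/A
oid1                             | oidmon             |    3916 | Alive    | 1222706894 |    30024 |  20:26:42 | LDAPS:3131,LDAP:3060
"""

# ... and the OHS installed from the Web Tier installer (instance1).
INSTANCE1_STATUS = """\
Processes in Instance: instance1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
webcache1                        | WebCache-admin     |    3804 | Alive    | 1675299287 |    17372 |  23:57:34 | http_admin:7786
webcache1                        | WebCache           |    3372 | Alive    | 1675299286 |    34268 |  23:57:34 | http_stat:7787,http_invalidation:7788,https_listen:7789,http_listen:7785
ohs1                             | OHS                |    1884 | Alive    | 1675299285 |    20212 |  23:58:15 | https:9999,https:4443,http:7777
"""

# A ports cell looks like "https:9999,https:4443,http:7777" or "N/A".
PORT_RE = re.compile(r"([A-Za-z_]+):(\d+)")


def parse_status(text):
    """Return {(component, process_type): {port: protocol}} for one instance.

    Rows whose ports column is N/A (oidldapd workers, EMAGENT) yield no ports.
    """
    result = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith("ias-component") or line.startswith("---"):
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 8:
            continue
        component, ptype, ports_col = cols[0], cols[1], cols[7]
        ports = {int(port): proto.lower() for proto, port in PORT_RE.findall(ports_col)}
        result[(component, ptype)] = ports
    return result


def find_port_conflicts(*status_texts):
    """Map each TCP port claimed by more than one instance to its claimants."""
    claims = defaultdict(list)
    for text in status_texts:
        instance = re.search(r"Processes in Instance:\s*(\S+)", text).group(1)
        for (component, _ptype), ports in parse_status(text).items():
            for port, proto in ports.items():
                claims[port].append((instance, component, proto))
    return {port: who for port, who in claims.items() if len(who) > 1}


def conflict_report(*status_texts):
    """Human-readable lines, one per conflicting port, sorted by port."""
    lines = []
    for port, who in sorted(find_port_conflicts(*status_texts).items()):
        claimants = ", ".join(f"{inst}/{comp} ({proto})" for inst, comp, proto in who)
        lines.append(f"port {port} claimed by: {claimants}")
    return lines


if __name__ == "__main__":
    for line in conflict_report(ASINST_1_STATUS, INSTANCE1_STATUS) or ["no port conflicts"]:
        print(line)
```

Run against the two tables above it reports 4443, 7777 and 9999, all claimed by ohs1 in both instances; once one OHS has been moved to new ports the report is empty.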







B. Microsoft Visual C++ libraries installation


Ensure you follow these prerequisites if you are on Windows 2003/2008: if you are using Windows 2003 or Windows 2008 64-bit operating systems, you must install the Microsoft Visual C++ 2005 libraries on the machine hosting the Oracle HTTP Server 11g WebGate for Oracle Access Manager.


These libraries are included in the Microsoft Visual C++ 2005 SP1 Redistributable Package (x64), which can be downloaded from the following website:


http://www.microsoft.com/DownLoads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en


In addition, install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update, which can be downloaded from the following website:


http://www.microsoft.com/en-in/download/details.aspx?id=26347



C. Run the Oracle HTTP Server WebGate installer to install Oracle HTTP Server 11g WebGate for Oracle Access Manager: D:\Softwares\Oracle Access Manager WebGates (11.1.1.5.0)\Disk1\install\win64\setup.exe

Provide the java path, middleware path, and proceed as directed by the installer.

Note: this Java path is not your machine's default JDK. It is the JDK created under the <WebTier_Home> directory when Oracle HTTP Server is installed (here that would be under C:\Oracle\Middleware\Oracle_WT1). Enter the absolute path of the jre folder inside that JDK when launching the installer.


D. Post install steps::

-->Go to

C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate
[ <Webgate_Home>\webgate\ohs\tools\deployWebGate]

On the command line, run the following command to copy the required bits of agent from the Webgate_Home directory to the Webgate Instance location:

deployWebgateInstance.bat -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1

[deployWebgateInstance.bat -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>]

Note:<Webgate_Oracle_Home> is the directory where you have installed Oracle HTTP Server Webgate and created as the Oracle Home for Webgate.

The <Webgate_Instance_Directory> is the location of Webgate Instance Home, which is same as the Instance Home of Oracle HTTP Server.

Sample run:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate

C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate>deployWebgateInstance.bat -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1

Copying files
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\config\oblog_config_wg.xml
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cacert.pem
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cakey.pem
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate>

Note: cacert.pem and cakey.pem come from the sample "simpleCA" bundled with every WebGate installation, and cakey.pem is that sample CA's private key. They are there for lab testing of the certificate-based modes only; never treat this CA as a trust anchor in production, and keep the webgate directory under the OHS instance readable only by the account that runs OHS.

--> Add the following directories to the PATH variable:

<Webgate_Installation_Directory>\webgate\ohs\lib -- "C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\lib"
  and
<Oracle_Home_for_Oracle_HTTP_Server>\bin -- "C:\Oracle\Middleware\Oracle_WT1\bin"

-->Go to <Webgate_Home>\webgate\ohs\tools\EditHttpConf in command line

(C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>)

and execute the following command

to copy apache_webgate.template from the Webgate_Home directory to the WebGate instance location (renamed to webgate.conf) and to update httpd.conf with one extra line that includes webgate.conf:

EditHttpConf.exe -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]

The -oh <WebGate_Oracle_Home> and -o <output_file> parameters are optional.

Webgate_Instance_Directory == C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1
Webgate_Oracle_Home ==  C:\Oracle\Middleware\Oracle_OAMWebGate1

The <output_file> is the name of the temporary output file used by the tool, e.g. Edithttpconf.log

so the command is 

EditHttpConf.exe -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1 -o Edithttpconf.log

sample run::


C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>EditHttpConf.exe -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1 -o Edithttpconf.log
The web server configuration file was successfully updated
C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/httpd.conf has been backed up as C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/httpd.conf.ORIG

C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>

note: This is the additional line added to httpd.conf
include  "C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/webgate.conf" 

E.  Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager
--> Go to C:\Program Files\Oracle\Inventory\logs
and check the installDATE-TIME_STAMP.out log file to verify the installation.




Before you can get started with the new Oracle HTTP Server 11g Webgate agent for
Oracle Access Manager, you have to complete a few steps.

They are:
 @ Register the new WebGate agent
 @ Copy the generated files and artifacts to the WebGate instance location
 @ Restart the Oracle HTTP Server instance


2. Registering the Agent as a Partner Application


A.Register the New Webgate Agent



You can register the new Webgate agent with Oracle Access Manager by using the Oracle Access Manager Administration Console.

Alternatively, you can use the RREG (remote registration) command-line tool to register a new WebGate agent. The tool can be run in two modes: in-band mode and out-of-band mode.

I am using In-Band mode.


Setting Up the RREG Tool



Go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\client, copy RREG.tar.gz to a folder of your own and extract it there; a folder 'rreg' is created.
Inside that rreg folder, go to the input directory and copy the OAM11GRequest_short.xml file.


Now go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\input and paste the file there. (This rreg directory under Oracle_IDM1 is what the rest of this post calls <RREG_Home>.)


Set the following environment variables in the oamreg.bat script
(available under C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin):
OAM_REG_HOME = C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg
JAVA_HOME="C:\Program Files\Java\jdk1.6.0_25"





Updating the OAM11gRequest_short.xml File




Go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\input (the copy of the request file that oamreg.bat will read).


Modify the following required parameters in the OAM11GRequest.xml file or in the OAM11GRequest_short.xml file:


I am using OAM11GRequest_short.xml


<serverAddress>
Specify the host and the port of the Administration Server. The in-band registration request, together with the WebLogic admin credentials you are prompted for, is sent to this address, so when the Admin Server is on another machine use its SSL listen address rather than plain http.
<serverAddress>http://localhost:7001</serverAddress>


<agentName>
Specify any custom name for the agent.
<agentName>RREG_OAM11G</agentName>


<agentBaseUrl>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<agentBaseUrl>http://localhost:7777</agentBaseUrl>




<preferredHost>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<preferredHost>http://localhost:7777</preferredHost>


<security>
Specify the security mode, such as open, based on the WebGate installed.
<security>open</security>


Available modes are 'open', 'cert' and 'simple'. Open mode is used here because it is the quickest way to get a lab working, but it means the WebGate-to-OAM-server (OAP) traffic is neither encrypted nor authenticated. Use simple or cert mode for anything beyond a lab.


<primaryServerList>
Specify the host and the port of the Managed Server for the Oracle Access Manager proxy, under a <Server> container element. (The proxy port is the OAP port the WebGate connects to; it is listed for the server instance in the OAM console and is not necessarily the managed server's HTTP listen port.)
<Server>
<primaryServerList>http://localhost:14100</primaryServerList>
</Server>


After modifying the file, save the file and close.
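Before running oamreg it helps to sanity-check the request file. The Python script below is an added example written for this page (it is not the RREG tool's own validation): it checks that the required elements are present and the URLs well formed, and it flags open mode and a plain-http serverAddress pointing at a remote Admin Server. The sample request is constructed from the values above; the <OAM11GRegRequest> root element and the exact schema of the short file are assumptions, so adjust the element paths if your file differs.

```python
"""Sanity-check an OAM11GRequest_short.xml before running oamreg (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed request mirroring the lab values used on this page.
# The root element name is an assumption; the child element names follow the post.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<OAM11GRegRequest>
  <serverAddress>http://localhost:7001</serverAddress>
  <agentName>RREG_OAM11G</agentName>
  <agentBaseUrl>http://localhost:7777</agentBaseUrl>
  <security>open</security>
</OAM11GRegRequest>
"""

REQUIRED = ("serverAddress", "agentName", "agentBaseUrl", "security")
VALID_MODES = ("open", "simple", "cert")
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def text_of(root, tag):
    """Stripped text of a direct child element, or '' when absent."""
    node = root.find(tag)
    return node.text.strip() if node is not None and node.text else ""


def check_request(xml_text, production=False):
    """Return (errors, warnings); any error means oamreg should not be run yet.

    With production=True, open mode is an error rather than a warning.
    """
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    values = {tag: text_of(root, tag) for tag in REQUIRED}

    for tag, value in values.items():
        if not value:
            errors.append(f"<{tag}> is missing or empty")
    if errors:
        return errors, warnings

    for tag in ("serverAddress", "agentBaseUrl"):
        url = urlparse(values[tag])
        if url.scheme not in ("http", "https") or not url.netloc:
            errors.append(f"<{tag}> must be an absolute http(s) URL, got {values[tag]!r}")
        elif url.path not in ("", "/"):
            warnings.append(f"<{tag}> should be scheme://host:port only, got path {url.path!r}")

    # In-band registration sends the WebLogic admin credentials to this address.
    admin = urlparse(values["serverAddress"])
    if admin.scheme == "http" and admin.hostname not in LOCAL_HOSTS:
        warnings.append("<serverAddress> uses plain http to a remote Admin Server; "
                        "admin credentials would cross the network unencrypted")

    mode = values["security"].lower()
    if mode not in VALID_MODES:
        errors.append(f"<security> must be one of {VALID_MODES}, got {values['security']!r}")
    elif mode == "open":
        msg = ("<security>open</security>: WebGate-to-OAM (OAP) traffic "
               "is neither encrypted nor authenticated")
        (errors if production else warnings).append(msg)

    if not values["agentName"].replace("_", "").replace("-", "").isalnum():
        warnings.append("<agentName> contains characters other than letters, digits, '_' or '-'")

    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_request(SAMPLE_REQUEST)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN:", w)
```

For the lab file above the only finding is the open-mode warning; pass production=True to turn it into a blocking error.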


Running the command




Ensure Admin server and managed server for oam are up and running.
<RREG_Home>\bin\oamreg.bat inband input\OAM11GRequest_short.xml


==>
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin\oamreg.bat inband input\OAM11GRequest_short.xml


Note: out-of-band mode is used when you are an end user (for example the web server administrator) without access to the OAM Admin Server; the request file is handed to the OAM administrator, who runs the tool and returns the output artifacts. For details on how to complete registration in out-of-band mode, refer to the product docs.


sample run:


C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin>oamreg.bat inband input\OAM11GRequest_short.xml
OAM_REG_HOME=C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg
CLASSPATH=C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\rreg.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\RequestResponse.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\commons-codec-1.3.jar;C:\Oracle\Middleware\Oracle
_IDM1\oam\server\rreg\lib\commons-httpclient-3.1.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\commons-logging-1.1.1.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ojmisc.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\se
rver\rreg\lib\jps-internal.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-common.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\identitystore.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\identityutils.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ldapjc
lnt11.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\dms.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\fmw_audit.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ojdl.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\oraclepki.jar;C:\Oracle\Middleware\Oracle_IDM1\
oam\server\rreg\lib\osdt_cert.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_core.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_jce.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_saml.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_xmlsec.j
ar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\xmlparserv2.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-unsupported-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\nap-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\utilities.jar;
------------------------------------------------
Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are:
Mode: inband
Filename: C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\input\OAM11GRequest_short.xml
Enter admin username:weblogic
Username: weblogic
Enter admin password:
Do you want to enter a Webgate password?(y/n):
y
Enter webgate password:
Enter webgate password again:
Password accepted. Proceeding to register..
Aug 1, 2012 5:20:51 PM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword
INFO: Passwords matched and accepted.
Do you want to import an URIs file?(y/n):
n


----------------------------------------
Request summary:
OAM11G Agent Name:RREG_OAM11G
Base URL:http://localhost:7777
URL String:RREG_HostId11G
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://localhost:7001
----------------------------------------


Inband registration process completed successfully! Output artifacts are created in the output folder.
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin>


B. Copy Generated Files and Artifacts to the Webgate Instance Location
Regardless of the method or mode you use to register the new WebGate agent, the following files and artifacts are generated in the <RREG_Home>\output\<Agent_ID> directory:
* cwallet.sso
* ObAccessClient.xml

Our method is in-band and the mode is open.


In open mode, copy the following files from the <RREG_Home>\output\<Agent_ID> directory to the <Webgate_Instance_Home>\webgate\config directory, i.e.

from

C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\output\RREG_OAM11G

to

C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1\webgate\config


* ObAccessClient.xml
* cwallet.sso

(Simple and cert mode produce additional certificate and key files in the same output directory that must be copied too; see the product docs.)

These two files are the agent's identity: ObAccessClient.xml holds the registration details (agent name, OAM server host and port, mode) and cwallet.sso is an Oracle wallet holding the WebGate credential entered during registration. Treat them as secrets: restrict the webgate\config directory to the account that runs OHS, and do not leave extra copies lying around in the rreg\output folder on a shared machine.




3. Restarting the WebLogic Managed Servers


A.Restart the Oracle Http Server using opmn
B.Stop oam_server1
C.Stop wls admin server
D.start wls admin server
E.start oam_server1




Verification of OAM functionality and web agent's registration


A. Open a web browser and hit the non-SSL http URL of OHS, i.e.
http://localhost:7777


B. You will be redirected to the OAM 11g SSO login screen.


C. Enter the weblogic user name and password and proceed.


D. You will now be redirected back to the OHS page.


This means you reached the OHS page through OAM successfully!!
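The redirect in step B is the thing to check when verification fails. The Python script below is an added example (not from the original post): classify() tells apart the redirect to the OAM login flow (the 11g WebGate sends the browser to obrareq.cgi on the OAM server) from a plain 200, which means the request never went through the WebGate (module not loaded, resource not covered by a policy, or the wrong OHS instance answering), and fetch() makes one request without following redirects so the Location header can be inspected. The sample responses are constructed; the URL at the bottom is the one used in this post.

```python
"""Classify what a WebGate-protected OHS URL does for a session-less request (added example)."""
import http.client
from urllib.parse import urlparse

# Constructed responses (no network): what a browser would see in each case.
SAMPLE_PROTECTED = (302, {"Location": "http://localhost:14100/oam/server/obrareq.cgi?encquery=..."})
SAMPLE_UNPROTECTED = (200, {"Content-Type": "text/html"})
SAMPLE_OTHER_REDIRECT = (302, {"Location": "http://localhost:7777/welcome/"})

REDIRECT_CODES = (301, 302, 303, 307)


def classify(status, headers):
    """Return 'oam-login', 'not-intercepted', 'other-redirect' or 'error'.

    'oam-login'       the WebGate bounced the request to the OAM server's login flow
    'not-intercepted' OHS served the page itself: WebGate not loaded or no policy
    'other-redirect'  a redirect, but not to OAM (e.g. a DirectoryIndex redirect)
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES:
        target = headers.get("location", "")
        if "/obrareq.cgi" in urlparse(target).path:
            return "oam-login"
        return "other-redirect"
    if status == 200:
        return "not-intercepted"
    return "error"


def fetch(url, timeout=5):
    """One GET without following redirects; returns (status, headers dict)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "oam-check"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def check_url(url):
    """Return (verdict, location) for a live URL; 'unreachable' if OHS is down."""
    try:
        status, headers = fetch(url)
    except OSError as exc:          # connection refused, timeout, wrong port
        return "unreachable", str(exc)
    lowered = {k.lower(): v for k, v in headers.items()}
    return classify(status, headers), lowered.get("location", "")


if __name__ == "__main__":
    print(check_url("http://localhost:7777/"))
```

A 'not-intercepted' verdict right after registration usually means OHS was not restarted after EditHttpConf, or the artifacts were copied to the wrong instance directory.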










Thursday, 5 July 2012

OAM 11g Basic Install Steps

If detailed screen shots are needed. You can reach me at 

oimimage@gmail.com


:::::OAM:::::
1) You have installed OAM along with the OIM installation.
2) Now you need to extend the domain, either by using the WebLogic Quick Start or %ORACLE_IDM1%/common/bin/config.cmd
3)you must choose Oracle Access Manager with Database Policy
Store - 11.1.1.3.0 [Oracle_IDM2] as the domain configuration template on the Select
Domain Source screen in the Oracle Fusion Middleware Configuration Wizard.
4)Now start the admin server and on the admin console you will see additional managed server oam_server1
5)Start the managed server oam_server1
6)Default oam url is http://localhost:7001/oamconsole
(http://<adminserver-host>:<adminserver-port>/oamconsole)

Fundamental check for basic OAM installation and configuration
a)On the admin server, the oamconsole WebApplication is deployed under the name of oam_admin Enterprise application.
b)On the oam_server1, we have the oam_server Enterprise application.

Patches for Oracle Identity Manager 11g

Most common Oracle IAM 11g products (OID, OVD, OIM, OAM, OIF, OES) are bundled into two software installation media
and software can be downloaded from OTN or from eDelivery.


a) Oracle Identity Management (IDM): this software media includes OID, OVD, OIF, DIP and ODSM. The latest version of this software (as of May 2012) is 11.1.1.6. All 11g versions of this software are:

i) 11.1.1.6 - Full software (also available as a patch set for 11.1.1.5 and prior releases).
ii) 11.1.1.5 - Patch set only
iii) 11.1.1.4 - Patch set only
iv) 11.1.1.3 - Patch set only
v) 11.1.1.2 - Full software

b) Oracle Identity & Access Management (IDAM): this software includes OAM, OIM, OAAM, OES and OIN. The latest version of this software (as of May 2012) is 11.1.1.5. All 11g versions of this software are:
i) 11.1.1.5 - Full software (also available as a patch set for 11.1.1.3); this release is also called PS1
ii) 11.1.1.3 - Full software

Note: IDAM 11.1.1.3 is the first version in the 11g series and there is NO 11.1.1.4 version of IDAM.

More details below

VERSION             PATCH NUMBER
11.1.1.3.1 / BP01    10104765
11.1.1.3.2 / BP02    10257660
11.1.1.3.3 / BP03    11061319
11.1.1.3.4 / BP04    11818697
11.1.1.3.5 / BP05    12409462
11.1.1.3.6 / BP06    12722062
11.1.1.3.7 / BP07    13063982
11.1.1.3.8 / BP08    13589894



VERSION              PATCH NUMBER
11.1.1.5.1 / BP01     12748351
11.1.1.5.2 / BP02     13399365
11.1.1.5.3 / BP03     13704894




c) Oracle Identity Analytics (OIA): this software includes OIA. The latest version of this software (as of May 2012) is 11.1.1.5. All 11g versions of this software are:
i) 11.1.1.5 - Full Software (also available as patchset for 11.1.1.3)
ii) 11.1.1.3 - Full Software



Monday, 2 July 2012

OID and OVD 11g Basic Install Steps

If detailed screen shots are needed. You can reach me at 

oimimage@gmail.com 


 
Since we installed OIM 11.1.1.5, we are now installing OID stack also on 11.1.1.5

Basic Install Steps


1)Run Rcu 11.1.1.5
2)Install ofm_idm_win_11.1.1.2.0_64_disk1_1of1
3)Install p12395123_111150_MSWIN-x86-64 (11.1.1.5 patch set)
4)Start WLS Admin server
5)Go to C:\Oracle\Middleware\Oracle_IDM2\bin and run config.bat and provide details as requested.
We have now configured OID, OVD, ODIP, ODSM and OHS.




::::::OID:::::::

1)Go to WLS admin console and you will see an additional managed server 'wls_ods1'
2)Set a new variable ORACLE_INSTANCE as 'C:\Oracle\Middleware\asinst_1'
(The location of writable files in your Oracle Identity Management installation.)

Now execute the below steps.

C:\Oracle\Middleware\asinst_1\bin>opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    2160 | Alive    | 1222706905 |    20208 |  20:19:16 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    3400 | Alive    | 1222706897 |   164132 |  20:26:09 | https:8899,ldap:6501,ldaps:7501,http:8080
oid1                             | oidldapd           |    1776 | Alive    | 1222706907 |    58708 |  20:26:41 | N/A
oid1                             | oidldapd           |    1468 | Alive    | 1222706906 |    22964 |  20:26:42 | N/A
oid1                             | oidmon             |    3916 | Alive    | 1222706894 |    30024 |  20:26:42 | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |    3884 | Alive    | 1222706898 |    13348 |  20:25:46 | N/A


Status tells us that OID, OVD,OHS are up and running.


Now execute the following

C:\Oracle\Middleware\Oracle_IDM2>ldapbind -h localhost -p 3060 -D cn=orcladmin -w Passw0rd
bind successful

(Passing the password with -w puts it into the command history and makes it visible in the process list while the command runs; outside a throwaway lab use -q, which prompts for it, as in the example further down.)


Many of the activities that you can perform at the command line can also be performed in Oracle Enterprise Manager Fusion Middleware Control or Oracle
Directory Services Manager. A few functions are only available from the command line.

Oracle Internet Directory supports the standard LDAP command-line utilities

ldapadd, ldapaddmt, ldapbind, ldapcompare, ldapdelete, ldapmoddn,
ldapmodify, ldapmodifymt, and ldapsearch.
For example:
ldapbind -D "cn=orcladmin" -q -h "myserver.example.com" -p 3060
ldapsearch -b "cn=subschemas


For further information. refer admin guide.


::::::OVD:::::::

Execute the following command to register Oracle Virtual Directory with the
WebLogic Administration Server. Registering with the WebLogic Administration
Server allows you to manage Oracle Virtual Directory using Fusion Middleware
Control.

Execute the following command to register OVD (most probably you will get an exception, as OVD will already have been registered with Fusion Middleware Control during configuration itself):

C:\Oracle\Middleware\asinst_1>opmnctl registerinstance -adminHost localhost -adminPort 7001 -adminUsername weblogic

Command requires login to weblogic admin server (localhost):
  Username: weblogic
  Password:

Registering instance
Command succeeded.

Starting the Oracle Virtual Directory instance, by executing the following
command:
$ORACLE_INSTANCE/bin/opmnctl startall

(This was already done in our case during configuration itself, as we got Alive status above while verifying.)

Verifying that Oracle Virtual Directory has started by executing the following
command:
$ORACLE_INSTANCE/bin/opmnctl status -l

Now execute the following


C:\Oracle\Middleware\Oracle_IDM2>ldapbind -p 6501
bind successful

:::Common pointers for OID and OVD and OHS::::


For OID or OVD to start serving, there is no need to have WebLogic running.
You can just power on the system, start the database, start the OPMN-related service, and that is it.


Please see below for further clarity.

I just started the database and the Oracle Process Manager (asinst_1) service.

Now proceed as below

C:\Oracle\Middleware\asinst_1\bin>opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    1824 | Alive    | 1222707158 |    20216 |   0:10:46 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    2040 | Alive    | 1222707157 |   194720 |   0:10:46 | http:8080,ldap:6501,ldaps:7501,https:8899
oid1                             | oidldapd           |     N/A | Down     |        N/A |      N/A |       N/A | N/A
oid1                             | oidldapd           |     N/A | Down     |        N/A |      N/A |       N/A | N/A
oid1                             | oidmon             |     N/A | Down     |        N/A |      N/A |       N/A | N/A
EMAGENT                          | EMAGENT            |    1996 | Alive    | 1222707155 |    11500 |   0:10:46 | N/A


C:\Oracle\Middleware\asinst_1\bin>opmnctl startall
opmnctl startall: starting opmn and all managed processes...

The Oracle Process Manager (asinst_1) service starts all components by itself.
We actually need not issue the startall command here; it is shown only as a demo.
In a real environment, set the OPMN service to manual start (you can change this in Windows services, services.msc).
The reason is that the database must be up and running for the OPMN service (OID in particular) to start properly.
If both the database and the OPMN service are set to automatic, OPMN can come up before the database and OID fails to start. So set the database to automatic, make sure it is up, then start OPMN; or set both to manual.

C:\Oracle\Middleware\asinst_1\bin>opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    1824 | Alive    | 1222707158 |    20216 |   0:13:50 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    2040 | Alive    | 1222707157 |   194720 |   0:13:50 | http:8080,ldap:6501,ldaps:7501,https:8899
oid1                             | oidldapd           |    1308 | Alive    | 1222707162 |    51196 |   0:00:14 | N/A
oid1                             | oidldapd           |    3184 | Alive    | 1222707161 |    23020 |   0:00:15 | N/A
oid1                             | oidmon             |    3164 | Alive    | 1222707160 |    30108 |   0:00:15 | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |    1996 | Alive    | 1222707155 |    11636 |   0:13:50 | N/A



So all the processes are alive.



Now you can use a normal LDAP browser and connect to either OID or OVD.

Connect with an LDAP browser tool to the OID non-SSL port 3060 -- working fine
Connect with an LDAP browser tool to the OVD non-SSL port 6501 -- working fine
Connect with an LDAP browser tool to the OID SSL port 3131 -- won't work -- reason below

OID's SSL port 3131 is configured in SSL 'No-Authentication' mode, which uses anonymous cipher suites: the session is encrypted, but no server certificate is presented, so the server's identity is never verified.
LDAP browser tools do not support anonymous ciphers (they have no way to authenticate the server with them), and hence the SSL handshake fails.

Connect with an LDAP browser tool to the OVD SSL port 7501 -- working fine
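To make the anonymous-cipher point checkable from the client side, here is an added Python example (not from the original post): it lists which suites a client TLS context would offer without server authentication and whether the context verifies the server at all. It assumes OVD's LDAPS listener presents a certificate issued by the CA passed as cafile; a default Python context offers no anonymous suites, which is the same refusal an LDAP browser runs into against OID's No-Authentication port.

```python
import ssl
from typing import List, Optional


def anonymous_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of the cipher suites ctx would offer that do no server authentication.

    OpenSSL marks such suites with 'Au=None' in their description (ADH-*, AECDH-*).
    They encrypt traffic, but any party can pose as the server, which is what
    OID's 'No-Authentication' SSL mode relies on.
    """
    return [c["name"] for c in ctx.get_ciphers() if "Au=None" in c["description"]]


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True when ctx both requires a trusted certificate and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ldaps_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context for OVD's LDAPS port 7501 (assumed here to present a
    certificate issued by a CA in cafile). Anonymous suites are never offered."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """A context with certificate validation switched off; used only as the
    negative case for authenticates_server()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def report(ctx: ssl.SSLContext) -> dict:
    """Summary a practitioner can log before opening a directory connection."""
    return {
        "anonymous_suites": anonymous_ciphers(ctx),
        "authenticates_server": authenticates_server(ctx),
        "min_version": str(ctx.minimum_version),
    }


if __name__ == "__main__":
    print("hardened:", report(ldaps_client_context()))
    print("unverified:", report(unverified_client_context()))
```

To get an authenticated TLS connection to OID itself, its SSL port would have to be configured in a server-authentication mode with a certificate, after which the same hardened context applies.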


Only if we want to use Enterprise Manager and Oracle Directory Services Manager to administer OID or OVD do we need to
start the WebLogic server.

So deploying OID and OVD in WLS is only a nice-to-have feature. You can just as well install them without WLS.

Now start admin server for enterprise manager and wls_ods1 managed server for oracle directory services manager.

-->Starting admin server and managed server for wls_ods1

Log on to EM using http://localhost:7001/em/

On the left-hand side you will have Farm_[Domain name], under which OID, OVD, OIM and DIP are listed under 'Identity and Access Management'.
Similarly you have ODSM under 'Application Deployments', OHS under 'Web Tier' and many other FMW components.

Using this EM console we can do most admin operations of OID and OVD. Only to gain this advantage have we deployed OID and OVD in the WLS domain.

Log on to ODSM using http://localhost:7005/odsm

This is only a web tool to browse OID and OVD from a browser. But this tool has many limitations
(refer to the admin guides of OVD and OID for these limitations).


Connect to OID with ODSM via the LDAP non-SSL port (3060) -- working fine
Connect to OID with ODSM via the LDAP SSL port (3131) -- working fine

OVD can't be connected to with ODSM via its LDAP ports (SSL and non-SSL).

Connect to OVD with ODSM via the admin SSL port (8899) -- working fine
Connect to OVD with ODSM via the admin non-SSL port (8080) -- won't work

In addition to the above, we have a DSML service for OVD.

DSML stands for Directory Service Markup Language.
DSML v2.0 is a Web Services protocol that closely mirrors LDAP.
DSMLv2 is designed to allow arbitrary Web Services clients to access Directory Services using the client's native protocols (SOAP over HTTP).
DSMLv2 allows content stored in a Directory Service to be easily accessed by standard off-the-shelf
Web Service applications and development tools, removing the need for application developers to use and understand one of the LDAP SDK libraries.

OVD includes an HTML-based gateway that provides DSML and XSLT-rendered directory reporting.

Below are the URLs supporting the same.

http://localhost:8080/  --> This is the Oracle Virtual Directory browser.
If prompted for a username and password, provide cn=orcladmin and its password.
http://localhost:8080/Browser.htm
http://localhost:8080/secure/Admin.htm
https://localhost:8899/
If prompted for a username and password, provide cn=orcladmin and its password.
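The DSMLv2 exchange described above, as an added Python example that is not part of the original post: it builds a batchRequest carrying one subtree search and parses a batchResponse back into (dn, attributes) tuples. The sample response is constructed here; the only assumption is the standard DSMLv2 core namespace. The filter value goes into its own <value> element, so LDAP filter metacharacters or angle brackets in user input are carried as literal text rather than altering the filter structure, which is the defensive reason to build these requests with an XML library instead of string concatenation.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("dsml", DSML_NS)


def _q(tag: str) -> str:
    """Qualify a tag with the DSMLv2 core namespace."""
    return "{%s}%s" % (DSML_NS, tag)


def build_search_request(base_dn: str, attr: str, value: str,
                         attributes: List[str], request_id: str = "1") -> bytes:
    """Serialise a DSMLv2 batchRequest holding one subtree search with an
    equalityMatch filter. The assertion value lives in its own <value> element:
    '<' and '&' are XML-escaped by ElementTree, and '(' '*' ')' are plain text
    there, not filter syntax, so the value cannot change the filter structure."""
    batch = ET.Element(_q("batchRequest"))
    search = ET.SubElement(batch, _q("searchRequest"), dn=base_dn,
                           scope="wholeSubtree", derefAliases="neverDerefAliases",
                           requestID=request_id)
    filt = ET.SubElement(search, _q("filter"))
    match = ET.SubElement(filt, _q("equalityMatch"), name=attr)
    ET.SubElement(match, _q("value")).text = value
    wanted = ET.SubElement(search, _q("attributes"))
    for name in attributes:
        ET.SubElement(wanted, _q("attribute"), name=name)
    return ET.tostring(batch, encoding="utf-8")


def parse_search_response(xml_bytes: bytes) -> Tuple[int, List[Tuple[str, Dict[str, List[str]]]]]:
    """Return (LDAP result code, [(dn, {attr: [values]}), ...]) from a batchResponse.
    A missing searchResultDone yields code -1 so callers notice a truncated reply."""
    ns = {"d": DSML_NS}
    root = ET.fromstring(xml_bytes)
    entries = []
    for entry in root.iterfind(".//d:searchResultEntry", ns):
        attrs: Dict[str, List[str]] = {}
        for attr in entry.iterfind("d:attr", ns):
            attrs[attr.get("name")] = [v.text or "" for v in attr.iterfind("d:value", ns)]
        entries.append((entry.get("dn"), attrs))
    done = root.find(".//d:searchResultDone/d:resultCode", ns)
    code = int(done.get("code")) if done is not None else -1
    return code, entries


# Constructed sample reply, shaped like a DSMLv2 searchResponse for one user.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
  <searchResponse requestID="1">
    <searchResultEntry dn="cn=jdoe,cn=Users,dc=example,dc=com">
      <attr name="cn"><value>jdoe</value></attr>
      <attr name="mail"><value>jdoe@example.com</value></attr>
      <attr name="objectclass"><value>person</value><value>inetOrgPerson</value></attr>
    </searchResultEntry>
    <searchResultDone><resultCode code="0" descr="success"/></searchResultDone>
  </searchResponse>
</batchResponse>
"""

if __name__ == "__main__":
    print(build_search_request("dc=example,dc=com", "uid", "jdoe", ["cn", "mail"]).decode())
    print(parse_search_response(SAMPLE_RESPONSE))
```

The request bytes are what would be POSTed as the SOAP body to the OVD DSML gateway; with the gateway reached over the 8899 HTTPS port, the bind credentials the gateway prompts for stay off the wire in the clear.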


:::::OHS::::
Below are the OHS URLs
http://localhost:7777/
https://localhost:4443/
Note that OHS got installed along with OID and OVD here.
Actually OID and OVD do not need an OHS.

Most probably OHS is included in the OID installation pack because OIF might need it. This is just an assumption. You cannot skip this OHS installation step, but you can definitely skip the configuration.

Thursday, 21 June 2012

Installation of OIM 11g on OEL (yet to complete)

OIM 11g installation on OEL 6.1
*******************************
Step1)Install Java
Ensure you have root access.
Download 'jdk-6u33-linux-x64-rpm.bin' from Oracle.
Create a folder under root's home directory, say 'java', and place this file there.
Now make the jdk-6u33-linux-x64-rpm.bin file executable as below.
chmod +x jdk-6u33-linux-x64-rpm.bin
Now execute the following command
./jdk-6u33-linux-x64-rpm.bin
and follow the on-screen instructions and you are done!!

Java gets installed at the following location by default
/usr/java/jdk1.6.0_33

Now you can delete the folder 'java' which you created to hold the jdk-6u33-linux-x64-rpm.bin file.
It is just the installer you used to put Java at /usr/java/jdk1.6.0_33.

Now it is time to set JAVA_HOME and add JAVA_HOME/bin to the PATH variable.

Go to root's home directory [opening any terminal and just typing 'cd' takes you to root's home directory].
There is a file '.bash_profile' there, a shell script which runs at each login.

Edit that script and paste the lines below

JAVA_HOME=/usr/java/jdk1.6.0_33
export JAVA_HOME

PATH=$PATH:$HOME/bin:$JAVA_HOME/bin:.
export PATH

Save and close it. (Note that the trailing '.' puts the current directory on root's PATH, so an executable in whatever directory you happen to be in can shadow a system command; leave it out unless you need it.)

You would expect to be done now.

You may run the 'java' and 'javac' commands and ensure that Java is working.

Now just type java -version and you may be surprised: you might see a different version of Java from the one installed in the step above.
The reason is that OEL comes with OpenJDK by default, and you have just installed one more version alongside it.

We need to point the operating system to the Java version that you installed.

Go to /usr/sbin

Now execute the following command.

/usr/sbin/alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_33/bin/java 16033

Here are the arguments:
--install tells that we'll add a new alternative
/usr/bin/java is the default path for Java
java is the name of the software
/usr/java/jdk1.6.0_33/bin/java is the path of the latest Java we installed
16033 is the priority; I recommend you give the exact version number, so that when you install a newer version and enter its version as the priority, it'll be selected as the default one (as long as the mode is auto).

You may verify the same by executing the following command
/usr/sbin/alternatives --display java
At the end you will see: Current `best' version is /usr/java/jdk1.6.0_33/bin/java.

Now you may execute the java -version command and see the output below

java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)


So now java is set to the version that you installed.

There is another way as well to see all the available Java versions that can be made active.
Just execute the command and follow the instructions provided on screen

/usr/sbin/alternatives --config java

You will see something like the below.

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
   1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
*+ 2           /usr/java/jdk1.6.0_33/bin/java

Enter to keep the current selection[+], or type selection number:


You may enter your selection here and you are done!!

Happy learning...

For more clarity you might want to refer to below link

http://www.gokhanatil.com/2011/07/how-to-installupdate-java-jdk-on-oracle.html

Step2: Install Database.
will post later

Wednesday, 20 June 2012

Start and Stop Schedule Task in OIM 11g

Sometimes the schedulers stop working in OIM (Oracle Identity Manager), which would require a restart of the servers. But restarting the servers impacts other things in OIM as well. In that case you can reinitialize, or stop and start, the schedulers without restarting the OIM servers.

Please follow the steps below to reinitialize or stop/start the schedulers in Oracle Identity Manager 11g:



  • Hit the URL http://OIM_HOST:OIM_PORT/SchedulerService-web/status

             Example:

            http://localhost:8003/SchedulerService-web/status

  • It will ask you for admin credentials and show two buttons, "Stop" and "Reinit", if the scheduler is in "STARTED" status; otherwise it shows a single "Start" button.


  • Provide the credentials of XELSYSADM and Start/Stop/Reinitialize the schedulers.

Difference between OIM 10g and OIM 11g

  • OIM 11g uses Stored Procedures for Reconciliation, which results in better performance
  • Use of BI Publisher for Reporting
  • Can't use any report without BI Publisher
  • Batch Mode Reconciliation 
  • Request Template for restricting the access on Resources
  • All the JARs and Configuration can be stored into Database, no more Copy Paste of JARs for Clustering
  • Integration with LDAP Synch

How to fetch Lookup values into a map in OIM 11g

    import java.util.HashMap;
    import java.util.Map;

    import oracle.iam.platform.Platform;
    import Thor.API.tcResultSet;
    import Thor.API.Exceptions.tcInvalidLookupException;
    import Thor.API.Operations.tcLookupOperationsIntf;

    /* Fetches every code/decode pair of an OIM lookup definition into a Map.
       Constants.LKV_ENCODED / LKV_DECODED are assumed to hold the tcResultSet
       column names "Lookup Definition.Lookup Code Information.Code Key" and
       "Lookup Definition.Lookup Code Information.Decode". */
    public static Map<String, String> getLookupValue(String lookupName)
    {
        tcLookupOperationsIntf lookupOpsIntf = null;
        Map<String, String> lookupValues = new HashMap<String, String>();
        tcResultSet lookupResSet = null;
        String lookupCode;
        String lookupValue;

        try
        {
            // Platform.getService works inside the OIM server (event handlers,
            // scheduled tasks); a remote client would obtain the interface via OIMClient.
            lookupOpsIntf = Platform.getService(tcLookupOperationsIntf.class);
            lookupResSet = lookupOpsIntf.getLookupValues(lookupName);
            if ((lookupResSet != null) && (lookupResSet.getRowCount() > 0))
            {
                for (int i = 0; i < lookupResSet.getRowCount(); i++)
                {
                    lookupResSet.goToRow(i);
                    lookupCode = lookupResSet.getStringValue(Constants.LKV_ENCODED);
                    lookupValue = lookupResSet.getStringValue(Constants.LKV_DECODED);
                    lookupValues.put(lookupCode, lookupValue);
                }
            }
        }
        catch (tcInvalidLookupException invalidLookupEx)
        {
            // the lookup definition does not exist: log it; an empty map is returned
        }
        catch (Exception e)
        {
            // tcAPIException / tcColumnNotFoundException from the result set: log it
        }
        finally
        {
            if (lookupOpsIntf != null)
            {
                lookupOpsIntf.close();
            }
        }

        return lookupValues;
    }

   

How to verify if a given lookup is present in OIM or not

    /* Same imports as above. OIM raises tcInvalidLookupException from
       getLookupValues() for an unknown lookup name, which is what this check relies on. */
    public static boolean lookupExists(String lookupName)
    {
        boolean lookupExists = false;
        tcLookupOperationsIntf lookupOpsIntf = null;
        try
        {
            lookupOpsIntf = Platform.getService(tcLookupOperationsIntf.class);
            // the returned result set is not needed; only the exception matters
            lookupOpsIntf.getLookupValues(lookupName);
            lookupExists = true;
        }
        catch (tcInvalidLookupException invalidLookupEx)
        {
            // unknown lookup definition: log it and report false
            lookupExists = false;
        }
        catch (Exception e)
        {
            // API failure (e.g. tcAPIException): log it; false is returned
        }
        finally
        {
            if (lookupOpsIntf != null)
            {
                lookupOpsIntf.close();
            }
        }

        return lookupExists;
    }

Friday, 15 June 2012

OIM 11g basic installation steps

If detailed screen shots are needed. You can reach me at 
oimimage@gmail.com 

1)Install Java jdk-6u25-windows-x64.
Set JAVA_HOME to C:\Program Files\Java\jdk1.6.0_25
Modify Path and add %JAVA_HOME%\bin

2)Install Database 11.2.0.1
Ensure that the character set is selected as AL32UTF8.
Execute the following commands to increase the number of cursors and processes (processes is a static parameter, hence scope=spfile; it takes effect after a database restart).

alter system set aq_tm_processes=1 scope=both;
alter system set db_cache_size=150994944 scope=both;
alter system set java_pool_size=125829120 scope=both;
alter system set shared_pool_size=183500800 scope=both;
alter system set open_cursors=1000 scope=both;
alter system set processes=500 scope=spfile;


3)Run RCU
The RCU utility's path should not contain any spaces.
Copy msvcr71.dll from <installer directory>\rcuHome\jdk\bin to C:\Windows\SysWOW64 and C:\Windows\System32



4)Install wls1035_generic.jar using the following command.
java -D64 -Xmx1024m -jar wls1035_generic.jar
give the path of java/jdk C:\Program Files\Java\jdk1.6.0_25
create a sample domain
C:\Oracle\Middleware\user_projects\domains\oimdomain\bin
To start admin server: startWebLogic.cmd
To stop admin server: stopWebLogic.cmd



5)Install  and configure SOA
give the path of java/jdk C:\Program Files\Java\jdk1.6.0_25
configure SOA using weblogic quickstart

You have to tune the environment parameters as below for SOA to run properly.


set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -da:org.apache.xmlbeans...

set XENGINE_DIR="%SOA_ORACLE_HOME%\soa\thirdparty\edifecs\XEngine"
set PATH=%PATH%;%SOA_ORACLE_HOME%\soa\thirdparty\edifecs\XEngine\bin

set JAVA_OPTIONS=%JAVA_OPTIONS%
set DEFAULT_MEM_ARGS=-Xms1024m -Xmx2048m
set PORT_MEM_ARGS=-Xms1024m -Xmx2048m

if "%JAVA_VENDOR%" == "Oracle" goto OracleJVM
set DEFAULT_MEM_ARGS=%DEFAULT_MEM_ARGS% -XX:PermSize=512m -XX:MaxPermSize=1024m
set PORT_MEM_ARGS=%PORT_MEM_ARGS% -XX:PermSize=512m -XX:MaxPermSize=1024m

The file name is setSOADomainEnv.cmd and it is located under [Domainname]\bin

To start a managed server, execute the following from
C:\Oracle\Middleware\user_projects\domains\oimdomain\bin
startManagedWebLogic.cmd [Managed Server Name]

In our case the admin port is 7001 and the SOA port is 8001.

To confirm that the SOA server is up and running, at least from an IDM perspective,
the following applications should be reachable.

1)SOA composites deployed -- http://localhost:8001/soa-infra
2)BPM worklist -- http://localhost:8001/integration/worklistapp
3)Oracle Enterprise Manager -- http://localhost:8001/em
4)Oracle SOA Composer -- http://localhost:8001/soa/composer

Set the following environment variables and ensure that Java and ant are added in 'PATH' variable.

MW_HOME=C:\Oracle\Middleware
JAVA_HOME= C:\Program Files\Java\jdk1.6.0_25
JAVA_VENDOR=Oracle
WL_HOME=%MW_HOME%\wlserver_10.3
WLS_HOME=%WL_HOME%\server
OIM_ORACLE_HOME=%MW_HOME%\Oracle_IDM1
SOA_ORACLE_HOME=%MW_HOME%\Oracle_SOA1
DOMAIN_HOME=%MW_HOME%\user_projects\domains\oimdomain
ANT_HOME=%MW_HOME%\modules\org.apache.ant_1.7.1
OIM_HOME=%OIM_ORACLE_HOME%\server
DC_HOME=%OIM_ORACLE_HOME%\designconsole
RM_HOME=%OIM_ORACLE_HOME%\remote_manager (if RM is configured)
PATH=C:\app\Administrator\product\11.2.0\dbhome_1\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Java\jdk1.6.0_25\bin;.;%ANT_HOME%\bin




6)Install and configure OIM
Shut down the managed server for SOA and the WebLogic admin server.
(As we will extend the domain, the servers must not be running for the domain extension to happen properly.)
give the path of java/jdk C:\Program Files\Java\jdk1.6.0_25
configure IDM using weblogic quickstart
(This is the first config)
Now start admin server.
Go to C:\Oracle\Middleware\Oracle_IDM1\bin and execute config.bat
complete the steps as required.
and You are done!!

7)Post Install Steps

a)This is for design console to work
 
cd %WL_HOME%\server\lib
run the below command.
java -jar ..\..\..\modules\com.bea.core.jarbuilder_1.6.0.1.jar
This will create a file by name wlfullclient.jar at %WL_HOME%\server\lib
copy that file to  C:\Oracle\Middleware\Oracle_IDM1\designconsole\ext

b)Set XL.CompilerPath to C:\Program Files\Java\jdk1.6.0_25\bin using the advanced admin console.
This is needed for connectors to get compiled.

C)set XEL_HOME=C:\Oracle\Middleware\Oracle_IDM1\server
at C:\Oracle\Middleware\Oracle_IDM1\server\bin\setEnv.bat


d)Deploy the Diagnostic Dashboard.
Logon to the WLS Admin Console with the weblogic account.
http://localhost:7001/console/
Lock the configuration, if in production mode.
Click Deployments.
Click Install.
Select the $OIM_ORACLE_HOME/server/webapp/optional folder.
Choose the XIMDD.ear file and click Next.
Click Next again, then select the OIM Managed Server as the target and click Next.
Accept the defaults and click Next, then Finish.
Click to Activate the Changes.
Click Deployments again, find XIMDD and select it.
Click to start the app servicing all requests.
http://localhost:14000/XIMDD/index.jsp is the URL for the Diagnostic Dashboard.

e)Enable Exception reporting
In the Advanced Administration Console, search for the System Properties.
Click Enable Exception Reports.
Change the value to TRUE, save it and click OK.

f)
Install JDeveloper in the Middleware Home if Development work will be done.
Add the SOA Extension to JDeveloper
Configure the connection to the Admin Server in JDeveloper
File -> New -> General -> Connections -> Application Server Connection

g)Deploy the legacy OIM Web Services as may be needed.
Logon to the WLS Admin Console with the weblogic account.
http://localhost:7001/console/
Lock the configuration, if in production mode.
Click Deployments.
Click Install.
Select the $OIM_ORACLE_HOME/server/apps folder.
Choose spml-dsml.ear and click Next.
Click Next again, then select the OIM Managed Server as the target and click Next.
Accept the defaults and click Next, then Finish and then Save.
Click to Activate the Changes.
Click to list the Deployments again.
Select spml-dsml and then, from the Start list, select Servicing all requests.

h)Create a log.properties file in the designconsole/config directory. (you can use server/config/log.properties as an example)

i)Sanity Checks.

http://localhost:7001/console --> Admin Console
http://localhost:7001/em  --> Enterprise Manager
http://localhost:14000/oim  --> Oracle Identity Manager
http://localhost:14000/SchedulerService-web
http://localhost:14000/spml-xsd/SPMLService?WSDL
http://localhost:14000/spmlws/OIMProvisioning?WSDL
http://localhost:14000/XIMDD  -->Diagnostic Dashboard
http://localhost:8001/soa-infra/ --> List of composites deployed on SOA
http://localhost:8001/integration/worklistapp --> BPM Worklist
http://localhost:8001/soa/composer --> BPM Composer