Installation & Configuration of Oracle OID,OIM,OAM.

Lets start to learn and understand some components of Oracle Fusion Middleware. I have tried to lay down the steps required for installing & configuring Oracle Identity & Access Management Suite 11gr2.

I will try to make it as simple as I can however if there is any clarification you can email me at nazim.sk@gmail.com OR nazim.shaikh@onlinedbasupport.com

Below is the list of products required for IDM Setup.
1) Oracle DB
2) RCU
3) Weblogic
4) JDK
5) SOA Suite
6) OID/IDM
7) OAM
8) WebTier OHS
9) WebGate
10) OIM Connectors  — Optional can be downloaded later
11) Oracle Unified Directory — Optional can be downloaded later

Operating System – RHEL 5.8 x86-64 with 16 GB RAM and minimum i3 processor.

Download softwares from the link given below.

Oracle Database 11.2.0.1 –

http://download.oracle.com/otn/linux/oracle11g/R2/linux.x64_11gR2_database_1of2.zip
http://download.oracle.com/otn/linux/oracle11g/R2/linux.x64_11gR2_database_2of2.zip

SOA Suite 11.1.1.7.0 –

http://download.oracle.com/otn/nt/middleware/11g/111170/ofm_soa_generic_11.1.1.7.0_disk1_1of2.zip
http://download.oracle.com/otn/nt/middleware/11g/111170/ofm_soa_generic_11.1.1.7.0_disk1_2of2.zip

Oracle Identity Manager Connectors 11.1.2.2.0 –

https://edelivery.oracle.com/EPD/Download/process_download/V46670-01.zip?ile_id=72771919&aru=17914537&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V46670-01.zip

Oracle Unified Directory 11g 11.1.2.2.0 –

https://edelivery.oracle.com/EPD/Download/process_download/V43020-01.zip?ile_id=67310625&aru=17140821&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V43020-01.zip

Oracle Identity and Access Management 11g 11.1.2.2.0 –

https://edelivery.oracle.com/EPD/Download/process_download/V43017-01_1of2.zip?file_id=67310483&aru=17140818&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V43017-01_1of2.zip
https://edelivery.oracle.com/EPD/Download/process_download/V43017-01_2of2.zip?file_id=67310484&aru=17140818&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V43017-01_2of2.zip

Oracle Fusion Middleware Repository Creation Utility 11g 11.1.2.2.0 for Linux x86-64 –

https://edelivery.oracle.com/EPD/Download/process_download/V43024-01.zip?file_id=67310644&aru=17140825&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V43024-01.zip

Oracle Identity Management 11g Patch Set 6 (11.1.1.7.0) for Linux x86-64 –

https://edelivery.oracle.com/EPD/Download/process_download/V37386-01.zip?file_id=59444804&aru=16090986&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V37386-01.zip

Oracle Fusion Middleware Web Tier Utilities 11g Patch Set 6 (11.1.1.7.0) for Linux x86-64 –

https://edelivery.oracle.com/EPD/Download/process_download/V37384-01.zip?file_id=59444765&aru=16090978&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V37384-01.zip

Oracle WebLogic Server 11gR1 (10.3.6) Generic and Coherence –

https://edelivery.oracle.com/EPD/Download/process_download/V29856-01.zip?file_id=46448789&aru=14401412&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V29856-01.zip

Oracle Access Manager OHS 11g WebGates 11.1.2.2.0 –

https://edelivery.oracle.com/EPD/Download/process_download/V46372-01.zip?file_id=72386375&aru=17870946&userid=5865190&egroup_aru_number=15364661&country_id=634&patch_file=V46372-01.zip

———————————————————————————————————————

Lets start with Installing Oracle Database – 11.2.0.1

1. Unzip the software to any location that has user privileges to run the setup (su – oracle)
2. Start the Installer (runInstaller)
3. Choose 1st option . Create and configure database. You can also choose Install database software only and later create a database using dbca.
4. Choose System Class – Desktop / Server depending on your configuration. We chose Desktop
5. Typical Install
6. Provide Oracle base location,datafiles location,database name and password. Our DB Name is IDMDB
7. Choose Characterset as UTF8 – Mandatory for IDM Setup

Post installation steps :

1. Run root.sh as “root” user
2. Prepare the database environment file
   export ORACLE_BASE=/u01/oracle
   export ORACLE_HOME=/u01/oracle/product/11.2.0.1
   export PATH=$PATH:$ORACLE_HOME/bin
   export ORACLE_SID=idmdb
   export TNS_ADMIN=$ORACLE_HOME/network/admin
3. Tune the below parameters
   ALTER system SET processes=1000 scope=spfile;
   ALTER system SET sessions=1000 scope=spfile;
   ALTER system SET open_cursors=1000 scope=spfile;

Execute RCU – 11.1.2.2 to create repository for IDM,OIM and OAM.

1. su – oraidm
2. Unzip rcu software
3. Run rcu setup (/u01/rcuHome/bin)  ./rcu
4. Select create option
5. Provide database credentials to establish a connection with the database server.
6. From the selection component page, expand identity management and select OID,OIM, OAM. This will auto select other options as well (DEV_MDS,DEV_SOAINFRA,DEV_ORASDPM,DEV_IAU,DEV_OPSS)
7. Set a password which will be used by these schemas. You can either provide separate passwords or same password to manage all.
8. This will create the the schemas and corresponding tablespaces in the database.

Install Weblogic – 10.3.6

1. Unzip custom JDK and set JAVA HOME.(File : jdk-6u45-linux-x64.bin)
   export JAVA_HOME=/u01/jdk1.6.0_45
   export PATH=$JAVA_HOME/bin:$PATH
2. Install weblogic using custom jdk 64 bit
3. java -jar wls1036_generic.jar OR java -jar d64 wls1036.jar (Linux) OR java -jar -D64 wls1036.jar (Windows)
4. Set middleware home directory – /u01/weblogic/fmw – You can set this to any as long as user has a permission for read,write.
5. Select I wish to remain uninformed about oracle updates and click on Yes-you may have to do this multiple times.
6. Select Typical Install
7. Installation will create following directories (/u01/weblogic/fmw/wlserver_10.3 and /u01/weblogic/fmw/coherence_3.7)
8. Complete the installation

Install IDM – 11.1.1.7.0

1. su – oraidm
2. Unzip IDM software to any temp location
3. Execute runInstaller (Disk1/runInstaller)
4. Skip software updates
5. Select ‘Install Software – Do Not Configure ‘
6. Oracle Middleware Home – /u01/weblogic/fmw
7. Oracle Home – Oracle_IDM1
8. Click Install

Install OAM – 11.1.2.2.0

1. su – oraidm
2. Unzip OAM software to any temp location
3. Execute runInstaller (Disk1/runInstaller), specify JRE location (/u01/jdk1.6.0_45)
4. Skip software updates
5. Oracle Middleware Home – /u01/weblogic/fmw
6. Oracle Home – Oracle_IAM1
7. Click Install

Install WebTier – 11.1.1.7.0

1. su – oraidm
2. Unzip WebTier OHS software to any temp location
3. Execute runInstaller (Disk1/runInstaller)
4. Skip software updates
5. Select ‘Install Software – Do Not Configure ‘
6. Oracle Middleware Home – /u01/weblogic/fmw
7. Oracle Home – Oracle_WT1
8. Click Install

Install WebGate – 11.1.2.2.0

1. su – oraidm
2. Unzip OAM WebGate software to any temp location
3. Execute runInstaller (Disk1/runInstaller), specify JRE location (/u01/jdk1.6.0_45)
4. Skip software updates
5. Oracle Middleware Home – /u01/weblogic/fmw
6. Oracle Home – Oracle_OAMWebGate1
7. Click Install

Install SOA Suite – 11.1.1.7.0

1. su – oraidm
2. Unzip SOA Suite software to any temp location
3. Execute runInstaller (Disk1/runInstaller), specify JRE location (/u01/jdk1.6.0_45)
4. Skip software updates
5. Oracle Middleware Home – /u01/weblogic/fmw
6. Oracle Home – Oracle_SOA1
7. Select Weblogic Server as the option
8. Click Install

Apply Interim patches on SOA Suite

1. Go to /u01/OAM_Soft/Disk1….OIM_11.1.2.2_SOAPS6_PREREQS.zip
2. mkdir -p /u01/soa_patches
3. unzip the patch from step 1 to the directory created in step 2
   [oraidm@egtapp02 soa_patches]$ unzip /u01/OAM_Soft/Disk1/OIM_11.1.2.2_SOAPS6_PREREQS.zip
   Archive:  /u01/OAM_Soft/Disk1/OIM_11.1.2.2_SOAPS6_PREREQS.zip
   creating: SOAPATCH/
   extracting: SOAPATCH/17418151.zip
   extracting: SOAPATCH/17988119.zip
   extracting: SOAPATCH/16170778.zip
   extracting: SOAPATCH/17610621.zip
   inflating: SOAPATCH/README.txt
   extracting: SOAPATCH/16024267.zip
   extracting: SOAPATCH/17538745.zip
   extracting: SOAPATCH/18011726.zip
   extracting: SOAPATCH/18011109.zip
   extracting: SOAPATCH/16535743.zip
   extracting: SOAPATCH/16899697.zip
   extracting: SOAPATCH/14126097.zip
4. export ORACLE_HOME=/u01/weblogic/fmw/Oracle_SOA1
5. export PATH=$ORACLE_HOME/OPatch:$PATH
6. Go to the patch directory and apply the patch
   [oraidm@egtapp02 SOAPATCH]$ pwd
   /u01/soa_patches/SOAPATCH
   [oraidm@egtapp02 SOAPATCH]$ ls
   14126097.zip  16170778.zip  16899697.zip  17538745.zip  17988119.zip  18011726.zip
   16024267.zip  16535743.zip  17418151.zip  17610621.zip  18011109.zip  README.txt
7. Apply the patch
   opatch napply
8. Verify the patch
   <code>
   [oraidm@egtapp02 SOAPATCH]$ opatch lsinventory
   Oracle Interim Patch Installer version 11.1.0.9.9
   Copyright (c) 2012, Oracle Corporation.  All rights reserved.
   Oracle Home       : /u01/weblogic/fmw/Oracle_SOA1
   Central Inventory : /u01/oraInventory
   from           : /u01/weblogic/fmw/Oracle_SOA1/oraInst.loc
   OPatch version    : 11.1.0.9.9
   OUI version       : 11.1.0.9.0
   Log file location : /u01/weblogic/fmw/Oracle_SOA1/cfgtoollogs/opatch/opatch2014-11-18_13-10-04PM_1.log
   OPatch detects the Middleware Home as "/u01/weblogic/fmw"Lsinventory Output file location : /u01/weblogic/fmw/Oracle_SOA1/cfgtoollogs/opatch/lsinv/lsinventory2014-11-18_13-10-04PM.txt
   --------------------------------------------------------------------------------
   Installed Top-level Products (1):Oracle SOA Suite 11g                                                 11.1.1.7.0
   There are 1 products installed in this Oracle Home.
   Interim patches (11) :Patch  18011726     : applied on Tue Nov 18 13:09:48 AST 2014
   Unique Patch ID:  17116322
   Created on 29 Dec 2013, 19:17:47 hrs PST8PDT
   Bugs fixed:
   16305694, 16104851, 13684639, 16985247, 17180084, 17005588, 16824760
   17283663, 15870065, 17460621, 16363712Patch  18011109     : applied on Tue Nov 18 13:09:08 AST 2014
   Unique Patch ID:  17115629
   Created on 28 Dec 2013, 00:40:38 hrs PST8PDT
   Bugs fixed:
   17933421, 17191931Patch  17988119     : applied on Tue Nov 18 13:09:05 AST 2014
   Unique Patch ID:  17114873
   Created on 27 Dec 2013, 08:27:36 hrs PST8PDT
   Bugs fixed:
   17988119
   Patch  17610621     : applied on Tue Nov 18 13:08:59 AST 2014
   Unique Patch ID:  16927307
   Created on 28 Oct 2013, 14:58:58 hrs PST8PDT
   Bugs fixed:
   17610621
   Patch  17538745     : applied on Tue Nov 18 13:08:57 AST 2014
   Unique Patch ID:  16974898
   Created on 13 Nov 2013, 15:34:44 hrs PST8PDT
   Bugs fixed:
   17538745
   Patch  17418151     : applied on Tue Nov 18 13:08:55 AST 2014
   Unique Patch ID:  16769215
   Created on 6 Sep 2013, 13:53:05 hrs PST8PDT
   Bugs fixed:
   17418151
   Patch  16899697     : applied on Tue Nov 18 13:08:51 AST 2014
   Unique Patch ID:  16440766
   Created on 11 Jun 2013, 17:04:24 hrs US/Pacific
   Bugs fixed:
   16899697
   Patch  16535743     : applied on Tue Nov 18 13:08:44 AST 2014
   Unique Patch ID:  16399779
   Created on 28 May 2013, 02:41:34 hrs PST8PDT
   Bugs fixed:
   16535743
   Patch  16170778     : applied on Tue Nov 18 13:08:37 AST 2014
   Unique Patch ID:  16534730
   Created on 3 Jul 2013, 11:02:06 hrs PST8PDT
   Bugs fixed:
   16170778
   Patch  16024267     : applied on Tue Nov 18 13:08:33 AST 2014
   Unique Patch ID:  17017715
   Created on 28 Nov 2013, 04:10:28 hrs PST8PDT
   Bugs fixed:
   16024267
   Patch  14126097     : applied on Tue Nov 18 13:08:28 AST 2014
   Unique Patch ID:  16260496
   Created on 18 Apr 2013, 13:32:37 hrs PST8PDT
   Bugs fixed:
   14126097
   --------------------------------------------------------------------------------
   OPatch succeeded.

Creating Domains

• Create IDM Domain

1. su – oraidm
2. Prepare IDM environment
   [oraidm@egtapp02 ~]$ cat oid.env
   export MW_HOME=/u01/weblogic/fmw
   export WL_HOME=$MW_HOME/wlserver_10.3
   export ORACLE_HOME=$MW_HOME/Oracle_IDM1
   export DOMAIN_HOME=$MW_HOME/user_projects/domains/IDMDomain
   export JAVA_HOME=/u01/jdk_soft/jdk1.6.0.45
   export ORACLE_INSTANCE=$MW_HOME/oid_ovd_instance1
   export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$ORACLE_HOME/OPatch:$PATH:
3. Go to ORACLE_HOME/bin directory and execute config.sh

Provide Instance Location and Name : You can keep any name of the instance. Since this domain will be used for OID and OVD directory we have named it oid_ovd_instance1

Create custom staticports.ini file same as below and place it under any temp location. You can change the port numbers if required or keep it same.

Directory Services have different names in different products.

OVD – uses Name Space
OID – uses Realm Name
OUD – uses Base DN
We will use OVD in this configuration and hence will use a default name space as “ovd”.

Oracle Virtual Directory is an LDAP service that provides a single, abstracted view of enterprise directory servers and databases from a variety of vendors. Oracle Virtual Directory can serve as a single source of truth in an environment with multiple data sources.

Oracle Internet Directory  is a specialized database that stores and retrieves collections of information about objects.Associated with each entry is a number of attributes, each of which may have one or more values assigned. For example, typical attributes for a person entry might include first and last names, e-mail addresses, the address of a preferred mail server, passwords or other login credentials, or a digitized portrait.

For us domain component’ “dc” becomes “ovd” and other dc is local depending on our current domain structure in the organization.
If your domain contains .com then your dc will look like “dc=ovd,dc=com”
Container “cn=orcladmin”  is the super user to manage OID and OVD.

OVD does not hold any user information instead it keeps the metadata information of the users received from different vendors(AD,Legacy Systems,OUD etc) and passes it to OID.

As we know that OVD passes the information to OID, by default this screen will have dc=[your_domain_name],dc=com/local. Our domain is = ods.local however we have given dc=oid to keep it simple to understand.

Verify the result : Login to web logic console to verify domain (Admin Server & a Managed Server) created during domain installation process
URL- http://hostname:port/console

Below screenshot shows the 2 server’s created during domain creation process.

• Admin Server – Domains include a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain
• WLS_ODS1 Server – In a domain, server instances other than the Administration Server are referred to as Managed Servers. Managed Servers host the components and associated resources that constitute an application.WLS_ODS1 server manages our directory server (ODSM).

Verify OPMN processes which will start your background processes of OID & OVD.

To start and opmn process execute the below commands

As u see in the below screen shot there are 5 processes running OVD,3 OID and 1 EM).
OVD is your virtual directory running on LDAP port 6051,6052, https : 8899
OID is an internal directory running on LDAP port 3061,3060. oidmon is the process which monitors the connections and assigns the work to these 2 oid processes (oid1) which will spawn other processes.

Creating OID/OVD connections

Connect to Directory services and check the default user and group information

Give any name to the connection, server – server where IDM is installed or hosted, port – LDAP port 3060, User – orcladmin which is the super user for OID,OVD.

Go to Data Browser TAB and chec k the dc we have created during domain creation “dc=local”,”dc=oid” which contains user and group information

Log out and create a connection for OVD, port use https port i.e 8899

Create an adapter for OID. OVD  has a capability of creating adapters for multiple systems (OID,AD,EBS Database,Legacy Systems). OIM/OAM has a limitation of connecting to one directory server only. Lets think of a scenario where we have Oracle EBS,Active Directory to be synced with each other. In this case we will have OID to connect with these 2 systems and store user information in the identity store. Suppose we have a third party application ie. Mircosoft SQL server,MY SQL,IDM DB and getting user information is a challenge through OID, so OVD here can create an adapter with these legacy systems and pass on the data to OID.

OVD is only a virtual directory server and does not hold any information, it is only a pointer to the data source where the user actually resides(DB,AD,Legacy) and passes the info to OID.

Below we will create an LDAP adapter for OID.

Click on the home page to see adapter information.

Extend the following schemas for OID,OIM and OAM required during integration processes. Extension will bring additional Attributes and Object class files in OID,OIM & OAM which are by default missing when we install these components.

Create a properties file for extending OID schema

Extend OID Schema
su – oraidm

Set the environment

Go to Oracle IAM home and run the configuration tool to extend the schema. You need to supply password for “orcladmin” user.
./idmConfigTool.sh -preConfigIDStore input_file/home/oraidm/extend_schema/extend_oid.props

Extend schema for OIM
su – oraidm

./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/home/oraidm/extend_schema/extend_oim.props

Extend OAM Schema
su – oraidm

./idmConfigTool.sh -prepareIDStore mode=OAM input_file=/home/oraidm/extend_schema/extend_oam.rsp

This will create OAMADMIN user which will be a superuser for OAM.

Creating OAM,OIM and SOA server domains

su – oraidm
cd /u01/weblogic/fmw/oracle_common/common/bin
./config.sh

Configure Security Store for OAM Domain to Database – This is specific to 11gr2 Patchset 2

• Upgrade OPSS schema
  su – oraidm
  cd /u01/weblogic/fmw/oracle_common/bin
  ./psa
• 
  

Create DB security store – Mandatory step to start Admin Server for OAM,OIM & SOA server.
[oraidm@egtapp02 bin]$ ./wlst.sh /u01/weblogic/fmw/Oracle_IAM1/common/tools/configureSecurityStore.py -p /u01/weblogic/fmw/user_projects/domains/IAMDomain/ -c IAM -m create -p oracle123

Lets see the procedure to start and stop all the services involved in the process of this installation.
Follow the steps give below to successfully start services for each domain

1. Start DB and Listener
2. Start ovd and oid instance
3. Start Weblogic(IDM Domain)
4. Start Managed server(ODSM)
5. Start Admin server(IAM Domain)
6. Start Managed server (OIM,OAM,SOA)

To start Admin and managed servers create boot.properties and place them under the directories as shown below

Create boot.properties file under IDMDomain Admin and managed serve

Copy this file to other managed servers security folder.

Starting OVD/OID instance

Start Admin and managed server for IDM Domain

Check the status of the service in nohup.out file. It should show RUNNING state.

Start ODSM managed server “WLS_ODS1”

Start Admin server for IAM Domain

Check the status of weblogic service in nohup.out, it should show RUNNIN state.
Start managed server for SOA

Check the status in nohup.out, it should show RUNNIN state.
Login to the console and check the server status. We have still not started OAM/OIM managed servers. It will be started after we configure OIM.
http://egtapp02:7001/console

Now we will configure OIM server and enable LDAP sync. Enabling LDAP sync, we will integrate OIM with OVD/OID instance.

Configure OIM server

Go to Oracle_IAM home and run config.sh script

We will start OIM server now.

Check the status

Start oam managed server. In order to start OAM managed service, start node manager first.

Now start OAM managed server either from Front end or command line.

In the next section we will see how to use OIM and integrate with EBS. Later we will integrate OIM with EBS and Active Directory.