oam edg training
Oracle Access Manager, EDG, training
-
Oracle Access Manager 11g R2: Advanced Administration 4 - 1
-
-
Oracle Identity and Access Management has two main functions: user provisioning and
access management. The Enterprise Deployment Guide (EDG) is a reference solution for
implementing Oracle Identity and Access Management in an enterprise and has the following
features:
- Main components deployed: Oracle Access Manager (OAM), Oracle Identity Manager (OIM),
and Authorization Policy Manager (APM)
- Support for different identity stores, including Oracle Internet Directory, Oracle Unified
Directory, and Oracle Virtual Directory. Oracle Virtual Directory can be used to support
third-party directories or to provide multi-directory support.
- All components are highly available.
- SSL is terminated at the load balancer.
- OAM and OIM are deployed into different domains to separate administrative tasks from
operational tasks.
- Directories are deployed into independent domains, which allows them to be patched
independently of the Oracle Access Management components. This removes the need to
ensure that products are certified with infrastructure components from a different product
set, and so makes patching easier. It is also likely that enterprises already have an
enterprise identity store (LDAP), which can be reused.
-
If you are using load balancers in front of the Identity Management environment, you must
configure virtual servers and associated ports on the load balancer for the different types of
network traffic and for monitoring. These virtual servers should be mapped to the appropriate
real hosts and ports for the services running. The load balancer should also be configured to
monitor the real hosts and ports for availability, so that traffic to them is stopped as soon as
possible when a service is down. This ensures that incoming traffic on a given virtual host is
not directed to an unavailable service in the other tiers.
Fusion Applications: Install and Configure Identity Management 2 - 4
-
The directory tier provides the LDAP services. The directory tier stores identity information
about users and groups. This tier includes products such as Oracle Internet Directory, Oracle
Unified Directory, and Oracle Virtual Directory. The directory tier is closely tied with the data
tier.
In some cases, the directory tier and data tier might be managed by the same group of
administrators. In many enterprises, however, database administrators own the data tier while
directory administrators own the directory tier.
The directory components such as Oracle Unified Directory, Oracle Internet Directory, and
Oracle Virtual Directory are installed on LDAPHOSTs. LDAP requests are distributed among
these servers using a hardware load balancer.
If you store the identity details in a directory other than Oracle Internet Directory or Oracle
Unified Directory, you can use either:
- Oracle Virtual Directory, to present that information, or
- Oracle Directory Integration Platform, to synchronize the users and groups from the other
directory to Oracle Internet Directory.
If you are using Oracle Internet Directory exclusively, you do not need to use Oracle Virtual
Directory or Oracle Unified Directory.
-
Directory Tier (continued)
If you store your identity information in Oracle Unified Directory, this information is stored
locally in a Berkeley DB database. To ensure high availability, this information is replicated to
other Oracle Unified Directory instances using Oracle Unified Directory replication.
Typically protected by firewalls, applications above the directory tier access LDAP services
through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and
636 for the SSL port. LDAP services are often used for white pages lookup by clients such as
email clients in the intranet. The ports 389 and 636 on the load balancer are typically redirected
to the non-privileged ports used by the individual directory instances.
-
The application tier is where Java EE applications are deployed. Products such as Oracle
Identity Manager, Oracle Directory Integration Platform, Oracle Directory Services Manager
and Oracle Enterprise Manager Fusion Middleware Control are the key Java EE components
that are deployed in this tier. Applications in this tier benefit from the High Availability support
of Oracle WebLogic Server.
OAM Server, Oracle Adaptive Access Manager, Oracle Identity Manager, and SOA can be
run in active-active mode; these servers communicate with the data tier at run time.
The WebLogic Administration Server is a singleton component and can be deployed in an
active-passive configuration. If the primary fails or the Administration Server on one host
does not start, the Administration Server on the secondary host can be started. If a WebLogic
managed server fails, the node manager running on that host attempts to restart it.
The Identity Management applications in the application tier interact with the other tiers as
follows:
- They leverage the directory tier for enterprise identity information.
- They leverage the database tier for application metadata.
- WebLogic Server has built-in web server support. If enabled, the HTTP listener exists in
the application tier as well. However, for the enterprise deployment shown, customers
have a separate web tier relying on web servers such as Oracle HTTP Server.
-
The HTTP Servers are deployed in the web tier. Most of the Identity Management
components can function without the web tier, but to support enterprise-level single sign-on by
using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is
required.
Components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle
Directory Services Manager can function without a web tier. They can also be configured to
use a web tier, if desired.
In the web tier:
- Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the
mod_wl_ohs module are installed. The mod_wl_ohs module enables requests to be
proxied from Oracle HTTP Server to a WebLogic Server that is running in the
application tier.
- WebGate in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate
with Oracle Access Manager. WebGate and Oracle Access Manager are used to
perform operations such as user authentication.
-
These are the typical hardware requirements. For each tier, carefully consider the load,
throughput, response time, and other requirements to plan the actual capacity required. The
number of nodes, CPUs, and memory required can vary for each tier based on the
deployment profile. Production requirements may vary depending on applications and the
number of users. For detailed requirements, or for requirements for other platforms, see the
Oracle Fusion Middleware Installation Guide for that platform.
-
Configuring virtual servers (IP addresses and host names) on physical machines enables you
to efficiently move the services from one configured environment to another.
A virtual IP address is an unused IP Address, which belongs to the same subnet as the host's
primary IP address. It is assigned to a host manually and Oracle WebLogic Managed servers
are configured to listen on this IP Address. In the event of the failure of the node where the IP
address is assigned, the IP address is assigned to another node in the same subnet, so that
the new node can take responsibility for running the managed servers assigned to it.
You must configure several virtual servers and associated ports on the load balancer for
different types of network traffic and monitoring. These virtual servers should be configured to
the appropriate real hosts and ports for the services running. Also, the load balancer should
be configured to monitor the real host and ports for availability so that the traffic to these is
stopped as soon as possible when a service is down. This ensures that incoming traffic on a
given virtual host is not directed to an unavailable service in the other tiers.
Ensure that the virtual server names are associated with IP addresses and are part of your
DNS. The computers on which Oracle Fusion Middleware is running must be able to resolve
these virtual server names.
-
Several virtual servers and associated ports must be configured on the load balancer for
different types of network traffic and monitoring. These should be configured to the
appropriate real hosts and ports for the services running. Also, the load balancer should be
configured to monitor the real host and ports for availability so that the traffic to these is
stopped as soon as possible when a service is down. This ensures that incoming traffic on a
given virtual host is not directed to an unavailable service in the other tiers.
There are two load balancer devices in the recommended topologies:
- One load balancer is set up for external HTTP traffic.
- The other load balancer is set up for internal LDAP traffic.
You may choose to have a single load balancer device for a variety of reasons. While this
is supported, you should consider the security implications of doing so and, if found
appropriate, open up the relevant firewall ports to allow traffic across the various DMZs. In
either case, it is highly recommended to deploy a given load balancer device in fault-tolerant
mode.
-
Configuring the Load Balancers (continued)
The procedures for configuring a load balancer differ, depending on the specific type of load
balancer. Refer to the vendor-supplied documentation for the actual steps. The following steps
outline the general configuration flow:
- Create a pool of servers. This pool contains a list of servers and the ports that are included
in the load balancing definition. For example, for load balancing between the web hosts,
you create a pool of servers that directs requests to the WEBHOSTs on port 7777.
- Create rules to determine whether or not a given host and service is available, and assign
them to the pool of servers described above.
- Create a virtual server on the load balancer. This is the address and port that receives
the requests used by the application. For example, to load balance web tier requests you
would create a virtual host for sso.mycompany.com:80.
- If your load balancer supports it, specify whether the virtual server is available
internally, externally, or both. Ensure that internal addresses are only resolvable from
inside the network.
- Configure SSL termination, if applicable, for the virtual server.
- Tune the timeout settings. This includes the time to detect whether a service is down.
-
It is important to set up your file system in a way that makes the enterprise deployment easier
to understand, configure, and manage. Use this as a reference to help understand the
directory variables used in the installation and configuration procedures. Other directory
layouts are possible and supported, but the model adopted here is chosen for maximum
availability, providing both the best isolation of components and symmetry in the configuration
and facilitating backup and disaster recovery.
Oracle Fusion Middleware 11g enables you to configure multiple component instances from a
single binary installation. This allows you to install binaries in a single location on a shared
storage and reuse this installation for the servers in different nodes.
When an ORACLE_HOME (product binary location) or a WL_HOME (WebLogic binary
location) is shared by multiple servers in different nodes, keep the Oracle Inventory and
Middleware home lists in those nodes updated for consistency in the installations and in the
application of patches. To update the oraInventory on a node and attach an installation in
shared storage to it, use ORACLE_HOME/oui/bin/attachHome.sh. To update the Middleware
home list to add or remove a WL_HOME, edit the file beahomelist located in a directory called
bea in the user's home directory, for example: /home/oracle/bea/beahomelist.
You can mount shared storage either exclusively or in shared mode. If you mount it exclusively,
it is mounted to only one host at a time (this is typically used for active/passive failover).
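Keeping each node's inventory and Middleware home list in step with a shared binary installation is easy to get wrong when the same script is run on several nodes. The following shell functions are an added example and are not from the course or from Oracle: attach_home wraps the attachHome.sh call described above, and add_beahome adds a WL_HOME to beahomelist only when it is not already listed, so the script can be re-run safely. The paths in the comments and in the test are illustrative, and the script assumes beahomelist holds a single line of comma-separated WL_HOME paths.

```shell
#!/bin/sh
# Added example (not from the course or from Oracle): keep a node's oraInventory
# and Middleware home list consistent with binaries that live on shared storage.
# Assumptions: beahomelist is one line of comma-separated WL_HOME paths; all
# paths in comments and tests are illustrative, not real defaults.

# Register a shared ORACLE_HOME in this node's oraInventory by running the
# attachHome.sh shipped under ORACLE_HOME/oui/bin. Returns 1 when the script
# is not there, so a caller can tell "nothing attached" from "attached".
attach_home() {
    oh="$1"
    if [ -x "$oh/oui/bin/attachHome.sh" ]; then
        "$oh/oui/bin/attachHome.sh"
    else
        echo "attach_home: $oh/oui/bin/attachHome.sh not found" >&2
        return 1
    fi
}

# Succeed if WL_HOME ($1) already appears in the beahomelist file ($2).
beahome_has() {
    [ -f "$2" ] || return 1
    current=$(tr -d '\n' < "$2")
    case ",$current," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# Add WL_HOME ($1) to the beahomelist file ($2, default $HOME/bea/beahomelist)
# unless it is already listed, so repeated runs on every node stay idempotent.
add_beahome() {
    wl_home="$1"
    list="${2:-$HOME/bea/beahomelist}"
    if beahome_has "$wl_home" "$list"; then
        return 0
    fi
    mkdir -p "$(dirname "$list")"
    current=""
    [ -f "$list" ] && current=$(tr -d '\n' < "$list")
    if [ -z "$current" ]; then
        printf '%s\n' "$wl_home" > "$list"
    else
        printf '%s,%s\n' "$current" "$wl_home" > "$list"
    fi
}

# Number of WL_HOME entries in a beahomelist file (0 for a missing/empty file).
beahome_count() {
    [ -s "$1" ] || { echo 0; return; }
    tr -d '\n' < "$1" | tr ',' '\n' | grep -c .
}

# Typical use on each node that mounts the shared MW_HOME (paths illustrative):
#   attach_home /u01/app/oracle/product/fmw/idm
#   add_beahome /u01/app/oracle/product/fmw/wlserver_10.3
```

Run it once per node after mounting the shared storage; because add_beahome checks membership first, running it again after a patch cycle does not duplicate entries.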
-
Oracle recommends also separating the domain directory used by the WebLogic
Administration Server from the domain directory used by managed servers. This allows a
symmetric configuration for the domain directories used by managed servers and isolates the
failover of the Administration Server. The domain directory for the Administration Server must
reside in shared storage to allow failover to another node with the same configuration. The
managed servers' domain directories can reside in local or shared storage.
It is recommended to place managed server directories onto local storage. Placing managed
server directories in shared storage can have adverse performance impact. The configuration
steps provided in this Enterprise Deployment Topology assume that a local domain directory
for each node is used for each managed server.
-
The slide depicts the folder structure for Web Tier and Directory Tier using two different
machines. In the classroom environment you may see that the two tiers are configured in a
single machine and the MW_HOME (/u01/app/oracle/product/fmw) for all the tiers is the
same. The individual product binaries (ORACLE_HOME) such as web, idm, and oud are
under MW_HOME.
Similarly, in a single machine environment, the instance root is common to all the system
components. The ORACLE_INSTANCEs ohs1, oud1, oid1, and ovd1 are configured within
/u01/app/oracle/admin folder.
-
The slide shows the folder hierarchy of the application tier, with a split domain where the OAM
and OIM components are configured in separate domains and on different machines. Notice that
the AdminServer and managed servers of the same domain are also separated, to enable
easy porting of servers, and also to allow the AdminServer and the JMS stores and transaction
logs (TLogs) to be located in shared storage while the managed servers are located in local
storage.
-
The installation procedure consists of these steps:
- Install the database binaries and create one (OIDDB) database
- Configure a second (OIMDB) database using DBCA
- Create the ODS schema in OIDDB
- Create the OAM, OIM, and SOA schemas in OIMDB
- Install the Web Tier
- Install the JRockit JDK
- Install WebLogic Server
- Install OID and OVD (from Oracle Identity Management Suite)
- Install SOA
- Install OAM and OIM (from Oracle Identity and Access Management Suite)
- Apply the necessary patches to the installed components
-
Although it is possible to combine the installation and configuration operations of some of the
Identity Management components, it is recommended to separate installation and
configuration into distinct operations for easier management and patching, and for
implementing high availability.
- Install the database components.
- Install the Oracle Web Tier component.
- Install Oracle WebLogic Server. In 64-bit environments, you should install the 64-bit JDK
before installing Oracle WebLogic Server. When you install Oracle WebLogic Server,
you also create a Middleware home. All the subsequent components are installed in the
same Middleware home.
Note that even though Oracle Entitlement Server (OES) is used in authorization management,
you do not need to install and configure OES separately as with other identity and access
management components. This is because Fusion Applications provisioning process includes
the installation and configuration of OES.
-
To see all certified databases or to check whether your database is certified, refer to the
"Certified Databases" section in the Certification Document at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
The database that is used to store the metadata repository should be highly available. For
maximum availability, it is recommended to use Oracle Real Application Clusters (RAC)
databases.
Ideally the database should use Oracle Automatic Storage Management (ASM) for storage of
data. However, this is not mandatory. If you set up ASM, ASM should be installed into its own
Oracle home and have two disk groups:
- One for the database files
- One for the Flash Recovery Area
-
You can set the database initialization parameters after you have created the database, but
before creating OID related schema in the database.
-
You can set the database initialization parameters after you have created the database, but
before creating the related schemas in the database. If you plan to set up separate databases
for the OAM and OIM schemas, then each database should have the same initialization
parameters, except for the open_cursors parameter. The open_cursors parameter can be 800 in
each database.
-
If you are using a RAC database, you need to run RCU from only one instance of the RAC
database.
If your topology requires more than one database, the following important considerations
apply:
- Be sure to install the correct schemas in the correct database.
- You might have to run the RCU more than once to create all the schemas for a given
topology.
-
Before configuring the Oracle HTTP Server on a machine, you should have already installed
the Oracle Web Tier on that machine.
Ensure that the port you intend to use for the OHS instance is not in use by any other
component. In the practice we intend to configure Oracle HTTP Server on port 7777, so you
must ensure that port 7777 is not used by any other service on the nodes.
To check whether this port is in use, run the following command before installing Oracle HTTP
Server. You must free the port if it is in use.
netstat -an | grep 7777
Create a file containing the ports used by Oracle HTTP Server. You can use the staticports.ini
file provided in the Web Tier installation media (on Disk1 of the installation media, under the
/stage/Response/ folder) to set up OHS and OPMN for the OHS instance with specific ports.
In the practice for this lesson, you use the staticports.ini file to assign your selected
port to the OHS components that you configure. This helps you make sure that there are
no port conflicts when you need to fail the OHS components over to another machine.
Use the Configuration Assistant from WEB_ORACLE_HOME to configure the OHS instance.
Note that the Web Tier Configuration Wizard is different from the Fusion Middleware Domain
Configuration Wizard.
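The port check above is a step that is easy to skip on the second node, which is exactly where it matters when the OHS components are failed over. The following shell functions are an added example, not part of the course material: port_in_listing parses a netstat -an or ss -an style listing from stdin and reports whether a TCP listener is bound to the given port, and port_in_use runs that check against the live host. The sample listing is constructed for the demonstration and is not output from any real host.

```shell
#!/bin/sh
# Added example (not from the course): confirm that the port chosen for the OHS
# instance (7777 in the practice) is free on this node before configuring it.

# Given a port ($1) and a socket listing on stdin in netstat -an or ss -an
# style, succeed if some line shows a TCP listener bound to that port.
# Only LISTEN lines are considered, because a listener is what conflicts
# with OHS binding the port; the [:.] allows both "addr:port" (Linux) and
# "addr.port" (Solaris netstat) local-address formats.
port_in_listing() {
    port="$1"
    grep -E 'LISTEN' | grep -Eq "[:.]${port}([[:space:]]|\$)"
}

# Live check: prefer ss, fall back to netstat. Exit 0 if the port is in use,
# 1 if it is free, 2 if neither tool is available.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ant 2>/dev/null | port_in_listing "$1"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ant 2>/dev/null | port_in_listing "$1"
    else
        echo "port_in_use: neither ss nor netstat is available" >&2
        return 2
    fi
}

# Constructed sample listing (netstat -ant style), used only to exercise the
# parser: 7777 is listening, 17777 is listening, 7001 is a remote peer only.
SAMPLE_LISTING='tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:17777         0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:45120          10.0.0.9:7001           ESTABLISHED'

# Typical use before running the Web Tier Configuration Assistant:
#   if port_in_use 7777; then echo "port 7777 is in use; free it first"; exit 1; fi
```

Note that a plain "grep 7777" over the listing, as in the course command, also matches port 17777 and remote peers on 7777; anchoring on the separator before the port and the whitespace after it avoids both false positives.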
-
Before starting to implement your Identity Management topology, you must determine whether
to create a single-domain topology or a split-domain topology.
For a single-domain topology, create one WebLogic domain, often referred to as
IDMDomain.
For a split-domain topology, you must create two domains. Specifically:
- A domain for most components, including directories, the HTTP server, Oracle
Access Manager, Fusion Middleware Control, and the WebLogic console. This is
called IDMDomain.
- A domain for Oracle Identity Manager components, including the OIM managed
servers and a separate WebLogic console and Fusion Middleware Control. This is
called OIMDomain.
In the practice, you create a single-domain topology and configure all the Java components to
run in IDMDomain.
-
Run the Domain Configuration Wizard from the Oracle Common home directory to create a
domain that contains only the WebLogic Administration Server. The Administration Server
runs the Fusion Middleware Control and the WLS Administration Console.
Later you extend this domain to configure managed servers in clusters for other Identity
Management components.
You should disable host name verification because you may not have configured the server
certificates. You will receive errors when managing the different WebLogic Servers with host
name verification enabled and certificates not configured. To avoid these errors, disable host
name verification while setting up and validating the topology, and enable it again after your
Identity Management topology configuration is complete.
In your environment, Oracle WebLogic Server may be fronted by multiple OHS instances that
are in turn fronted by a load balancer. The load balancer usually performs SSL termination. For
the internal loopback URLs to be generated with the https prefix, Oracle WebLogic Server must
be informed that it receives requests through the Oracle HTTP Server WebLogic plug-in.
-
If you intend to separate your identity and policy information, you must create two highly
available instances of directory. These instances can coexist on the same nodes or can exist
on separate nodes. The data, however, must be stored in two separate databases.
-
If OID Monitor detects a time discrepancy of more than 250 seconds between the two nodes,
the OID Monitor on the node that is behind stops all servers on its node. To correct this
problem, synchronize the time on the node that is behind in time. The OID Monitor
automatically detects the change in the system time and starts the Oracle Internet Directory
servers on its node.
-
The WLS Domain Configuration Wizard (config.sh) is available in
MW_HOME/oracle_common/common/bin.
After configuring OAM in the WLS domain, by default the IAM Suite Agent provides single
sign-on capability for the administration consoles. In enterprise deployments, WebGate handles
single sign-on, so you must remove the IAM Suite Agent:
- Log in to the WebLogic console by using the URL: http://admin:7001/console
- Select Security Realms from the Domain Structure menu and click myrealm.
- Click the Providers tab, and then click Lock & Edit in the Change Center.
- From the list of authentication providers, select IAMSuiteAgent and click Delete.
- Click Yes to confirm the deletion.
- Click Activate Changes in the Change Center.
- Restart the WebLogic Administration Server and all managed servers.
-
To configure OAM to work with OHS, edit the OHS configuration file and add the OAM-related
configuration.
SetHandler weblogic-handler
WebLogicCluster :,:
SetHandler weblogic-handler
WebLogicCluster :,:
To enable access to the OAM Administration Console, also add the following lines to the OHS
configuration file. Note that the OAM Console also runs within the WLS Administration Server.
SetHandler weblogic-handler
WebLogicHost ADMINVHN
WebLogicPort 7001
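Each group of directives above belongs inside a Location block naming the URL prefix that OHS hands to mod_wl_ohs, and a block whose WebLogicHost/WebLogicPort or WebLogicCluster target is left blank proxies nothing, which only shows up later as a failed console login. The script below is an added example, not the course's or Oracle's configuration: it lints an OHS configuration file and reports every weblogic-handler Location whose backend is incomplete. The sample configurations are constructed for the test; ADMINVHN and port 7001 come from the notes above, while the OAM cluster members OAMHOST1VHN:14100 and OAMHOST2VHN:14100 are placeholders.

```shell
#!/bin/sh
# Added example (not from the course or Oracle): lint an OHS configuration file
# so that every <Location> block using "SetHandler weblogic-handler" also names
# a complete backend: WebLogicHost plus a numeric WebLogicPort, or a
# WebLogicCluster whose every member is host:port. Prints one line per bad
# block and exits 1 if any was found, 0 otherwise.
check_wl_locations() {
    awk '
    /^[ \t]*<Location/ {
        loc = $0
        sub(/^[ \t]*<Location[ \t]*/, "", loc)
        sub(/[ \t]*>.*$/, "", loc)
        inblk = 1; handler = 0; host = 0; port = 0; cluster = ""
        next
    }
    /^[ \t]*<\/Location>/ {
        if (inblk && handler) {
            ok = (host && port)
            if (cluster != "") {
                ok = 1
                n = split(cluster, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] !~ /^[^:]+:[0-9]+$/) ok = 0
            }
            if (!ok) { printf "%s: incomplete WebLogic target\n", loc; bad++ }
        }
        inblk = 0
        next
    }
    inblk && $1 == "SetHandler" && $2 == "weblogic-handler" { handler = 1 }
    inblk && $1 == "WebLogicHost" && $2 != "" { host = 1 }
    inblk && $1 == "WebLogicPort" && $2 ~ /^[0-9]+$/ { port = 1 }
    inblk && $1 == "WebLogicCluster" { cluster = $2 }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: complete targets for the OAM Console (admin server) and
# the OAM servers (cluster). Cluster member names and ports are placeholders.
GOOD_CONF='<Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicHost ADMINVHN
    WebLogicPort 7001
</Location>
<Location /oam>
    SetHandler weblogic-handler
    WebLogicCluster OAMHOST1VHN:14100,OAMHOST2VHN:14100
</Location>'

# Constructed sample of the failure the lint catches: a cluster directive whose
# host and port fields were never filled in.
BAD_CONF='<Location /oam>
    SetHandler weblogic-handler
    WebLogicCluster :,:
</Location>'

# Typical use after editing the instance configuration (path illustrative):
#   check_wl_locations /u01/app/oracle/admin/ohs1/config/OHS/ohs1/mod_wl_ohs.conf
```

Run it against the instance's mod_wl_ohs configuration after every edit and before restarting OHS; an exit status of 1 means at least one block was reported, and the block name tells you which URL prefix would have been left unproxied.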
To configure OAM in SIMPLE security mode, to use an external LDAP store, and to create an
external WebGate, create an OAM property file and, using that file as input, run idmConfigTool
in configOAM mode.
Validate the OAM configuration as follows:
- Access the OAM Console at http://adminhost:7001/oamconsole. Log in as the Oracle Access
Manager admin user (oamadmin, with password Welcome1).
- Click the System Configuration tab, and expand Access Manager Settings > SSO Agents
> OAM Agents.
- Click the open folder icon, and then click Search. You should see the WebGate agent
Webgate_IDM.
Update the new WebGate agent:
- Click the Webgate_IDM agent in the result of the previous search step.
- Select Open from the Actions menu and update the following information:
  - Deny if not Protected: deselect.
  - Set Max Connections to 4 for all the Oracle Access Manager servers listed in the
primary servers list.
- Click Apply.
- Click the Policy Configuration tab and double-click IAMSuiteAgent in Host Identifiers. Click
+ in the Operations box.
- Enter the following information:
  - Host Name: adminhost.example.com
  - Port: 7777
- Click Apply.
-