Installing Oracle Access Manager: Identity Server and WebPass

This OBE tutorial describes and shows you how to install the Oracle Access Manager Identity System. The process involves installing the Oracle Access Manager Identity Server and Oracle Access Manager WebPass, with the user data repository accessed through Oracle Virtual Directory. The tutorial also lists the preinstallation requirements.

Time to Complete: Approximately 2 hours

Topics

This OBE tutorial covers the following topics:

Overview
Scenario
Installing the Oracle Access Manager Identity Server
Installing Oracle Access Manager WebPass
Postinstallation Configuration for Oracle Access Manager Identity Server


Overview

Access management is the means for controlling user access to enterprise resources. Access management products provide centralized, fine-grained access management for heterogeneous application environments, as well as integration with Oracle products. Oracle Access Manager provides a full range of identity administration and security functions, which include Web single sign-on, user self-service and self-registration, identity workflow functionality, auditing and access reporting, access policy management, dynamic group management, and delegated administration.
Oracle Access Manager further provides Web-based identity administration, as well as access control to Web applications and resources running in a heterogeneous environment. It provides the user and group management, delegated administration, password management, and self-service functions necessary to manage large user populations in complex, directory-centric environments.


Scenario

Linda works as a network administrator for Mydo Main Corporation, where she is responsible for access management tasks across the organization's user groups. To perform identity administration and control access to resources, she needs to install the Oracle Access Manager Identity Server and Oracle Access Manager WebPass. With Oracle Access Manager, Linda can perform the user and group management, delegated administration, password management, and self-service functions needed to manage large user populations in a directory-centric environment. By integrating Oracle Access Manager with Oracle Virtual Directory (OVD), the Oracle Access Manager applications see the virtual directory as an ordinary Lightweight Directory Access Protocol (LDAP) directory: client applications and users are unaware that the user data it serves is drawn from several heterogeneous data sources.

The following image shows the complete setup and architecture for the OAM-OVD integration scenario.


Installing the Oracle Access Manager Identity Server

Before you start the installation task, make sure that your system environment meets the following requirements:

Software Requirements

The system should include the following installed products:

The system should include the installation files for the following products:

You use the Identity Server to manage identity information about users, groups, organizations, and other objects. Your installation may include one or more Identity Servers. Each instance of the Identity Server communicates with a Web server through a WebPass plug-in. The Identity Server performs four main functions:

To install Oracle Access Manager Identity Server, perform the following steps:

1.

In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_Identity_Server.exe file and click Next. This command launches the Oracle Access Manager installer that will install the Oracle Access Manager Identity Server.

 

2.

You must have administrative privileges to run the installation. If you are logged in as a different user, exit the installation, log in as the Administrator, and restart the installation. Then, click Next.

 

3.

In the Destination Name text box, set the installation directory to E:\Oracle\identity and click Next.

 

4.

Review the location to which Oracle Access Manager Identity Server is getting installed and the total disk size it would take for the installation. Then, click Next.

 

5.

Notice that the installer begins copying the Oracle Access Manager Identity Server files. Next, select the Open Mode: No encryption option for the transport security between the Identity Server and its clients (WebPass), and click Next.

Note: Open mode is used here only to keep the lab simple; in Open mode every request between WebPass and the Identity Server crosses the network in cleartext. For a production deployment select Simple mode (TLS with Oracle-generated certificates) or Cert mode (TLS with certificates issued by your own CA), and choose the same mode when you install each WebPass, because the transport mode must match on both ends.

 

6.

Provide the Identity Server ID, host name, and port number on which the Identity Server listens for connections. For this installation, use the following values, and then click Next.

Parameter           Value
Identity Server ID  identity
Host Name           ten.mydomain.com
Port Number         6022

Note: You can use your own values for these parameters to reflect any changes made to the environment setup.

 

7.

If you are installing the first Identity Server instance on the host, then keep the default selected option Yes and click Next.

 

8. You can use SSL between the Identity Server and the directory servers. By default, the Directory Server hosting user data is in SSL and Directory Server hosting Oracle data is in SSL check boxes are deselected. You will not be using SSL for this setup, so leave both check boxes deselected and click Next.

Note: Without SSL, the bind DN and password you enter in the next steps, and all user and configuration data, travel between the Identity Server and the directories (OVD and OID) in cleartext. Outside a lab, select both check boxes and have the CA certificate that signed the directory servers' certificates available, since the Identity Server must be able to validate them.

 

9.

OVD fronts the repositories that hold the user data for the Identity Server and presents them as a single virtual LDAP tree. For this virtual directory, select Data Anywhere from the Directory Server Type drop-down list and click Next.

 

10.

The directory server schema needs to be extended to store the Oracle Access Manager schema. To configure the user repository with the Oracle Access Manager schema, retain the Yes option and click Next.

 

11.

Provide the following connection information for the virtual directory server (OVD) that hosts the user data, and then click Next.

Parameter           Value
Host machine or IP  ten.mydomain.com
Port Number         391
Root DN             cn=Admin
Root Password       abcd1234

 

12.

An LDAP server is used to store the Oracle data (configuration data) for the Identity Server. In this case, you select Oracle Internet Directory from the Directory Server Type drop-down list and click Next.

 

13.

To configure this repository with the Oracle Access Manager schema, retain the Yes option, and then click Next.

 

14.

Provide the following information for the directory server hosting the Oracle data, and then click Next.

Parameter           Value
Host machine or IP  ten.mydomain.com
Port Number         13060
Root DN             cn=orcladmin
Root Password       abcd1234

 

15.

Enter identity as the Windows service name and click Next.

 

16.

Review the ReadMe, and then click Next.

 

17.

You can review the server settings and click Finish.

 

18.

Start the Oracle Access Manager Identity Server (identity) service.

Note: In this environment, you start it from a batch file that runs a NET START command to start the identity service. You can also start it by navigating to Start > Control Panel > Administrative Tools > Services, right-clicking the Oracle Access Manager Identity Server (identity) service, and selecting Start.

 

19.

You can verify the schema for the Oracle data (Oblix) in the OID by navigating to Oracle Directory Manager > Oracle Internet Directory Servers > orcladmin@ten.mydomain.com:13060 > Schema Management. You will find the Oracle (Oblix) specific object classes and attributes created when the OID schema was extended by the Identity Server installer.

Note: You need to click the Attributes tab to view the values.

 

20.

In OVD Manager, in the Server Navigator pane, navigate to OVD_Training > ten.mydomain.com, right-click, and select Reload from Server.

Note: If you are not connected to the server, navigate to OVD_Training > ten.mydomain.com, right-click, and select Connect to Server. Retain the default user name cn=Admin and password abcd1234, and then click OK.

 

21.

Click the Schema tab to view the listed OAM schemas. Here you will find the Oracle (Oblix)-specific object classes and attributes created when the OVD schema was extended by the Identity Server installer.

Note: You need to expand the Attributes and Objectclasses link to see the details.

 

22.

The Active Directory Schema snap-in is not registered by default. To make it available in the Microsoft Management Console, click Start > Run, enter regsvr32 schmmgmt.dll, and click OK.

 

23.

Notice the message about successful registration and then click OK.

 

24.

You need to access the Microsoft Management Console to add the AD schema snap-in. Click Start > Run and enter mmc. Click OK to open the MMC console.

 

25.

In the left pane, click Console Root, and then click File > Add/Remove Snap-in.

 

26.

In the Add/Remove Snap-in dialog box, click Add and select the Active Directory Schema Snap-in. Click Add to insert the snap-in.

 

27.

Click OK and you can view the Active Directory Schema Snap-in added to the Console Root.

 

28.

Browse to the E:\Oracle\identity\oblix\tools\DataAnyWhere\OblixUserSchema folder and edit the ADUserSchema.ldif file so that every base DN for the AD domain reads dc=mydomain,dc=com. Keep an unmodified copy of the file in case you need to run it against another domain later.

 

29.

To extend the AD schema with the Oracle (Oblix)-specific object classes and attributes, run the following command from the E:\Oracle\identity\oblix\tools\DataAnyWhere\OblixUserSchema folder.

ldifde -a "cn=administrator,cn=users,dc=mydomain,dc=com" "abcd1234" -i -c "dc=mydomain,dc=com" "dc=mydomain,dc=com" -f aduserschema.ldif -v

Note: The switches are -a (simple bind as the given DN with the given password), -i (import), -c (replace the first DN string with the second), -f (input file), and -v (verbose). Because step 28 already set the base DN in the file, the -c substitution here replaces dc=mydomain,dc=com with itself and has no effect. Run the command as a member of Schema Admins against the domain controller that holds the Schema Master role. Be aware that the password is visible on the command line, in the console history, and in any process listing, and that schema additions in Active Directory are permanent: classes and attributes can be deactivated later but never deleted.

 

30.

You need to access the MMC to view the AD schema. Click Start > Run and enter mmc. Click OK to open the MMC console.

Note: If you already have AD schema console open, then you need to close it and reopen it using the Microsoft Management Console. You might have to refresh the MMC to view the updated records.

 

31.

From Console Root > Active Directory Schema, expand Classes and Attributes to view the OAM object classes and attributes.
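Steps 28 to 31 can be carried out without typing the administrator password into the ldifde command line, and the MMC check can be replaced by a check that every entry the LDIF file defines now exists in the schema partition. The following PowerShell script is an added example, not part of the Oracle tutorial or product. It assumes the tutorial's paths and the base DN dc=mydomain,dc=com; the placeholder DN it replaces in the shipped file (dc=domain,dc=com) is an assumption, so confirm it by searching the file before running the script. It binds with the credentials of the logged-on user, who must be a member of Schema Admins, and directs the import at the domain controller holding the Schema Master role.

```powershell
# Added example (not from the Oracle tutorial): extend the AD schema from
# ADUserSchema.ldif with the logged-on account's credentials, then confirm that
# every entry the file defines now exists on the Schema Master.
# Assumed: the tutorial's paths and base DN; $OldBaseDn is a guess at the
# placeholder in the shipped file (check with: findstr /i "dc=" <ldif path>).
param(
    [string]$LdifPath  = 'E:\Oracle\identity\oblix\tools\DataAnyWhere\OblixUserSchema\ADUserSchema.ldif',
    [string]$OldBaseDn = 'dc=domain,dc=com',    # assumed placeholder in the shipped file
    [string]$NewBaseDn = 'dc=mydomain,dc=com'   # the lab's AD domain (step 28)
)

$ErrorActionPreference = 'Stop'

# 1. Schema changes are only accepted by the DC holding the Schema Master role;
#    find it through the fSMORoleOwner attribute of the schema partition.
$rootDse      = [ADSI]'LDAP://RootDSE'
$schemaNc     = [string]$rootDse.schemaNamingContext
$ntdsSettings = [string]([ADSI]"LDAP://$schemaNc").fSMORoleOwner
$schemaMaster = [string]([ADSI]([ADSI]"LDAP://$ntdsSettings").Parent).dNSHostName

# 2. Rewrite the base DN into a working copy so the shipped file stays untouched.
$work = Join-Path $env:TEMP 'ADUserSchema.work.ldif'
(Get-Content -Path $LdifPath) -replace [regex]::Escape($OldBaseDn), $NewBaseDn |
    Set-Content -Path $work -Encoding ASCII

# 3. Import. Without -a/-b, ldifde binds with the current Windows credentials
#    (SSPI), so no password reaches the command line, process list or history.
#    -k ignores "object already exists" errors so a re-run is safe; -j writes
#    ldif.log and ldif.err to the given folder for review.
& ldifde.exe -i -f $work -s $schemaMaster -k -j $env:TEMP -v | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "ldifde exited with code $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# 4. Unfold RFC 2849 continuation lines (a leading space joins to the previous
#    line) and collect every non-empty 'dn:' the file adds or modifies.
$unfolded = New-Object System.Collections.Generic.List[string]
foreach ($line in Get-Content -Path $work) {
    if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
        $unfolded[$unfolded.Count - 1] += $line.Substring(1)
    } else {
        $unfolded.Add($line)
    }
}
$dns = @()
foreach ($line in $unfolded) {
    if ($line -match '^dn:\s+(.+)$') { $dns += $Matches[1].Trim() }
}

# 5. Every DN must now resolve on the Schema Master (querying another DC could
#    show a false negative until replication has run).
$missing = @()
foreach ($dn in $dns) {
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$schemaMaster/$dn")) {
        $missing += $dn
    }
}
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} schema entries not found:`n{2}" -f $missing.Count, $dns.Count, ($missing -join "`n"))
} else {
    Write-Host ("All {0} entries from {1} are present on {2}." -f $dns.Count, (Split-Path -Leaf $LdifPath), $schemaMaster)
}
```

Running the script a second time is harmless because -k tells ldifde to ignore object-already-exists errors; the verification loop then reports any DN from the file that is still missing, which is the failure you would otherwise only notice by browsing the snap-in in steps 30 and 31.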

 


Installing Oracle Access Manager WebPass

A WebPass is a Web server plug-in that passes information back and forth between a Web server and the Identity Server. A WebPass can communicate with multiple Identity Servers. Each Web server that communicates with the Identity Server must be configured with a WebPass. In an Oracle Access Manager installation, at least one WebPass must be installed on a Web server and configured to communicate with at least one Identity Server. After installing an Identity Server and a WebPass, you must complete an initial Identity System setup process to enable communication between the Identity Server and the WebPass. The WebPass performs the following functions:

For this setup, the WebPass will be using a preinstalled instance of stand-alone Oracle HTTP Server 2.x. This instance of OHS 2.x will be the Web server for the earlier installed instance of Identity Server. To install the Oracle Access Manager WebPass, perform the following steps:

1.

In Windows Explorer, navigate to E:\install_files\oam101401, double-click the Oracle_Access_Manager10_1_4_0_1_Win32_OHS2_WebPass.exe file, and then click Next. This command launches the Oracle Access Manager installer that installs Oracle Access Manager WebPass.

 

2.

To install Oracle Access Manager WebPass, you must have administrative privileges. If you are logged in as a different user, exit the installation, log in as the Administrator, and restart the installation. Then, click Next.

 

3.

In the Destination Name text box, set the installation directory to E:\oracle\webpass and click Next.

 

4.

Review the location to which Oracle Access Manager WebPass is getting installed and the total disk size it would take for the installation. Then, click Next.


 

5.

Notice that the installer begins copying the Oracle Access Manager WebPass files. Next, select the Open Mode: No encryption option for the transport security between WebPass and the Identity Server, and then click Next.

Note: The mode must match the one chosen for the Identity Server (step 5 of the previous section). Open mode sends all WebPass-to-Identity Server traffic in cleartext; outside this lab, use Simple or Cert mode on both sides.

 

6.

Provide the WebPass ID and the host name and port number of the Identity Server that this WebPass connects to. For this installation, use the following values, and then click Next.

Parameter    Value
WebPass ID   webpass
Host name    ten.mydomain.com
Port number  6022

Note: You can use your own values for these parameters to reflect any changes made to the environment setup.

 

7.

The Web server must be configured to load the WebPass plug-in; for the stand-alone OHS 2.x instance this is done by editing its httpd.conf file. To let the installer make the change, retain the automatic update selection, and then click Next.

Note: OHS 2.x is the default Web server used in this environment.

 

8. Provide the installer with the absolute path of the httpd.conf file. Click Browse, navigate to E:\Oracle\ohs\ohs\conf\httpd.conf, and click Next; then click Next again.

 

9.

Notice that the Web server configuration for OHS 2.x has been modified. You must restart both the Identity Server and the Web server for the change to take effect. To restart the Identity Server, click Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Restart.

Note: Do not click Next until you have restarted the Identity Server and the Web server (next step).

 

10.

To restart the Web server, execute the following commands in sequence from <OHS_home>\opmn\bin.

E:\Oracle\ohs\opmn\bin>opmnctl stopall

E:\Oracle\ohs\opmn\bin>opmnctl startall

 

11.

You can view the read me and then click Next.

 

12.

You can review the WebPass configuration settings and click Finish.

 

13.

To verify the WebPass installation, access the Identity Administration page from the following URL:

http://<hostname>.<domainname>/identity/oblix

Note: For this environment, use the URL http://ten.mydomain.com:7778/identity/oblix where 7778 is the port on which the OHS will route the access to the Identity Server.

 

14.

To verify the update to the httpd.conf file, navigate to E:\Oracle\ohs\ohs\conf and open the httpd.conf file. You can view the changes made after the installer added the update for WebPass.

 


Postinstallation Configuration for Oracle Access Manager Identity Server

The remaining setup is done through the Identity System Console in a browser. To complete the postinstallation configuration, perform the following steps:

1.

Open the browser and enter the URL to access the Identity System Console in the following format, and then click Identity System Console.

http://<hostname>.<domainname>/identity/oblix

Note: Before you begin, ensure that the Oracle Access Manager Identity Server (identity) service and the stand-alone OHS are started and running.

 

2.

Notice that the System Console Application is not set up. Then, click Setup to perform the configuration.

 

3.

For the Directory Server type for User data, select Data Anywhere and then click Next.

 

4.

The page lists the schema changes that the setup wizard applies to the directory holding the Oracle Access Manager Identity schema. Scroll down and click Next.

 

5.

Specify the location of the LDAP server that stores user data, in this case the OVD server, by providing the following parameters, and then click Next.

Parameter                       Value
Host                            ten.mydomain.com
Port Number                     391
Root DN                         cn=Admin
Root Password                   abcd1234
Directory Server Security Mode  Open

 

6.

For the Directory Server type for Oracle configuration data, select Oracle Internet Directory and then click Next.

 

7.

The page lists the schema changes that the setup wizard applies to the directory holding the configuration data. Scroll down and click Next.

 

8.

Specify the location of the LDAP server that stores the configuration data by providing the following parameters, and then click Next.

Parameter                       Value
Host                            ten.mydomain.com
Port Number                     13060
Root DN                         cn=orcladmin
Root Password                   abcd1234
Directory Server Security Mode  Open

 

9.

The configuration DN is the directory tree where Oracle Access Manager stores its configuration data; the Identity System and the Access System must use the same configuration DN. The searchbase is the node in the directory tree below which user data is stored. In this case, the searchbase points to the base of the local store adapter configured in OVD; through that adapter OVD presents the user data it retrieves from the two LDAP servers, OID and AD. To set the searchbases for the configuration and user directories, provide the following values and click Next.

Parameter         Value
Configuration DN  dc=mydopartners,dc=com
Searchbase        dc=mydomain,dc=ovd

 

10.

The Person Object Class defines the primary object class for people in the user directory. It varies with the type of directory used for user information, or when schema extensions define a new type of person object. Provide inetOrgPerson as the Person Object Class and click Next.

Note: By default, retain the Auto configure objectclass check box as selected.

 

11.

The Group Object Class defines the primary object class for groups in the user directory. It varies with the type of directory used for user information, or when schema extensions define a new type of group object. Provide groupOfUniqueNames as the Group Object Class and click Next.

Note: By default, retain the Auto configure objectclass check box as selected.

 

12.

The basic connection information for the directories is complete. You must restart both the Identity Server and the OHS Web server for these changes to take effect before performing the basic configuration schema mappings. Perform the restart as described in steps 13 to 16, and only then click Next.

 

13.

To stop the identity server, click Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Stop.

 

14.

To stop the stand-alone OHS, browse to <OHS_standalone_home>\opmn\bin and execute the following command:

E:\Oracle\ohs\opmn\bin>opmnctl stopall

 

15.

To start the stand-alone OHS, browse to <OHS_standalone_home>\opmn\bin and execute the following command:

E:\Oracle\ohs\opmn\bin>opmnctl startall


 

16.

To start the identity server click Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Start.
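The restart sequence in steps 13 to 16 (and the same restart required after the WebPass installation) can be scripted so that it is repeatable and ends with a check that the WebPass actually answers before you click Next. The following PowerShell script is an added example, not part of the Oracle tutorial or product; it assumes the tutorial's service name identity, OHS home E:\Oracle\ohs and the URL http://ten.mydomain.com:7778/identity/oblix, and it treats the text Identity System Console on the landing page as the sign that WebPass reached the Identity Server.

```powershell
# Added example (not from the Oracle tutorial): restart the Identity Server service
# and the stand-alone OHS in the order of steps 13 to 16, then confirm WebPass answers.
# Assumed values (from the tutorial): service 'identity', OHS home E:\Oracle\ohs,
# landing page http://ten.mydomain.com:7778/identity/oblix. Run from an elevated prompt.
param(
    [string]$ServiceName = 'identity',
    [string]$OhsHome     = 'E:\Oracle\ohs',
    [string]$CheckUrl    = 'http://ten.mydomain.com:7778/identity/oblix',
    [int]$TimeoutSec     = 90
)

$ErrorActionPreference = 'Stop'
$opmnctl = Join-Path $OhsHome 'opmn\bin\opmnctl.exe'
if (-not (Test-Path $opmnctl)) { throw "opmnctl not found at $opmnctl" }

function Invoke-Opmnctl([string]$Command) {
    # opmnctl reports failures through its exit code, which PowerShell keeps in $LASTEXITCODE.
    & $opmnctl $Command
    if ($LASTEXITCODE -ne 0) { throw "opmnctl $Command failed with exit code $LASTEXITCODE" }
}

# Steps 13 and 14: stop the Identity Server, then all OHS processes managed by OPMN.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSec))
Invoke-Opmnctl 'stopall'

# Steps 15 and 16: start OHS, then the Identity Server (the order the tutorial uses).
Invoke-Opmnctl 'startall'
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSec))

# Verification: fetch the WebPass landing page. A connection error means OHS did not
# load the plug-in; a page without the console links means WebPass could not reach
# the Identity Server. WebClient keeps this usable on PowerShell 2.0.
$client   = New-Object System.Net.WebClient
$deadline = (Get-Date).AddSeconds($TimeoutSec)
$body     = $null
do {
    try {
        $body = $client.DownloadString($CheckUrl)
    } catch {
        Start-Sleep -Seconds 5   # the Identity Server and OHS may still be initialising
    }
} while (-not $body -and (Get-Date) -lt $deadline)

if (-not $body) {
    throw "No response from $CheckUrl within $TimeoutSec seconds; check the OHS and Identity Server logs"
} elseif ($body -match 'Identity System Console') {
    Write-Host "WebPass OK: $CheckUrl serves the Identity landing page"
} else {
    Write-Warning "$CheckUrl answered but did not return the Identity landing page; WebPass may not be reaching the Identity Server"
}
```

The retry loop matters because Start-Service returns as soon as the Windows service reports Running, which can be before the Identity Server has finished connecting to OVD and OID; probing the landing page until it renders gives you a single pass/fail signal for the whole chain (OHS, WebPass, Identity Server, directories) before you continue with step 12.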

 

17.

Verify the configuration values set for the object class inetOrgPerson. After you review the complete schema mapping for this object class, click Yes.

 

18.

Verify the configuration values set for the group object class groupOfUniqueNames. After you review the complete schema mapping for this object class, click Yes.

 

19.

Oracle Access Manager administrators have access to system configuration and system management functions. In this setup, one or more Oracle Access Manager Master Administrators must be assigned; these users can configure the rest of the Oracle Access Manager installation. Because a Master Administrator has unrestricted control of the Identity System, assign the role only to named, individually accountable accounts, never to shared or service accounts. To identify these users, click Select User.

 

20.

Search for Full Name as tina hart and click Go.

Note: By configuring the OVD, any user from any of the LDAP servers can serve as an administrator for OAM. For this example, Tina Hart is a user in OID within the organization firemains.

 

21.

You can view the user Tina Hart. Click ADD to select this user as the master administrator.

 

22.

Click Done to return to the Configure Administrators section. You can view that Tina Hart is now listed as Master Admins. Click Next.

 

23.

The final page reminds you that the default directories of the Oracle Access Manager Identity Server installation should be secured: the installation tree holds the server configuration, including the directory server connection settings and bind credentials you entered during installation, so restrict its filesystem permissions to the account that runs the identity service and to administrators. Next, click Done.

 

24.

Open the browser and enter the URL to access the Identity System Console in the following format, and then click Identity System Console.

http://<hostname>.<domainname>/identity/oblix

 

25.

You can authenticate as a Master Administrator you selected earlier. Enter the username as tina.hart and password as abcd1234, and click Login.

 

26.

The Identity System Console entry page will be displayed. You can click the System Configuration tab and the Common Configuration tab to view the system and the administrative functions that the Oracle Access Manager can perform.

 

27.

Click Object Classes in the left pane to view the selection.

 

28.

Open the browser and enter the URL to access the Identity System Console in the following format, and then click User Manager.

http://<hostname>.<domainname>/identity/oblix

 

29.

Log in with the username as tina.hart and password as abcd1234.

 

30.

Because OVD fetches data from both OID and AD, you can search for users from either LDAP server. To verify this, in the Search text box, enter JANE.FULLTIME (a user who resides in AD) and click Go. Notice that the user information is populated.

 

31.

Similarly, in the Search text box, enter bill anthony (who resides in OID), and then click Go. Notice that the user information is populated.

 

32.

In Oracle Directory Manager, browse to Entry Management > dc=com > o=Oblix to view the Oracle (Oblix)-specific configuration data stored in OID.

 


In this lesson, you learned how to:

Install the Oracle Access Manager Identity Server
Install Oracle Access Manager WebPass
Perform the postinstallation configuration of the Oracle Access Manager Identity System
