
Wednesday, 19 August 2015

Oracle Identity & Access Management Domain Environment Setup

Environment : VirtualBox – OEL 6.5 + docs to configure.
70 GB HDD – 16 GB RAM – i3 2nd Gen processor
2 users – oracle, weblogic
/stage – all products unzipped
/d01 – empty, install all IDM products
/u01 – empty, install only DB
Pre-req : https://www.youtube.com/watch?v=sbVIEQgrU2k
Oracle Identity And Access Management 11.1.2.2
A) Installation : 10+ products, 3-4 days  #the certification matrix is the bible for installation: which version is supported and how to install it
1. DB 11.2.0.1- Install, Create, Tune and create listener
A) Install the DB
#xhost + #enable the X session
su - oracle
cd /stage/database
./runInstaller
B) Create the DB
#xhost + #enable the X session
su - oracle
dbca
C) Create Listener
#xhost + #enable the X session
su - oracle
netca
D) Tune the DB – 4 parameters are mandatory
1. open_cursors : 1000
2. processes : 1000
3. sessions : 1000+
4. DB Character Set : AL32UTF8
SQL> alter system set open_cursors=1500 scope=spfile;
2 docs : the OIM/OAM performance tuning guides cover network, OS, DB, application server and OIM/OAM tuning.
Checkpoint : DB is ready for RCU
2. RCU 11.1.2.1 #sys/Oracle123
Pre-req : DB + Listener must be up and running.
-> RCU creates DB schemas for FMW products
-> A schema is a DB user, i.e. a collection of DB objects (tables, sequences, stored procedures, functions, etc.)
#xhost +
su - oracle
cd /stage/rcu11.1.2.2/rcuHome/bin/
./rcu
Select 3 Components :
OID : ODS – ODSSM(ODSM)
OIM : DEV_OIM, DEV_MDS, DEV_OPSS, DEV_SOAINFRA, DEV_ORASDPM
OAM : DEV_OAM, DEV_IAU
Checkpoint : DB is ready with all schema and can be integrated with OIM/OAM …
3. WebLogic 10.3.6 (wls1036_generic.jar; with the bundled 32-bit JDK – Sun JDK or JRockit – the JVM heap is limited to 4 GB) installed using
a custom JDK 1.6 update 35+ (64-bit JDK – Sun or JRockit, 32 GB JVM heap size)
#xhost
su - weblogic
cd /stage
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
java -version
which java
java -jar wls1036_generic.jar
4. SOA Suite 11.1.1.7
#xhost
su - weblogic
cd /stage/soa11.1.1.7/Disk1
./runInstaller
/stage/jdk1.6.0_35/
oracle_common : shared home referenced by all products.
Oracle_SOA1
Oracle BPEL PM, Mediator, Rules, B2B, Human Workflow
Oracle Business Activity Monitoring (BAM)
Oracle Enterprise Manager
Install the 11 interim patches on SOA Suite that are required for OIM.
Note : the patch bundle is shipped inside the iamSuite media.
cd /stage/iamSuite11.1.2.2/Disk1
ls OIM_11.1.2.2_SOAPS6_PREREQS.zip
mkdir -p /stage/SOA_INTERIM_PATCHES
unzip -d /stage/SOA_INTERIM_PATCHES OIM_11.1.2.2_SOAPS6_PREREQS.zip
cd /stage/SOA_INTERIM_PATCHES/SOAPATCH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_SOA1/
export PATH=$ORACLE_HOME/OPatch:$PATH
opatch lsinventory
opatch napply
opatch lsinventory
5. IDM Suite (OID/OVD/ODSM) 11.1.1.7
#xhost
su - weblogic
cd /stage/idmSuite11.1.1.7/Disk1
./runInstaller
Oracle_IDM1
Oracle Internet Directory : Built in C Language, LDAP Server/Directory Server
Oracle Directory Integration Platform : AD <=> OID –  Ebiz, OAM – AD, OID, OUD
Oracle Virtual Directory : LDAP Server, Virtualization, Holistic view of data, it never stores data.
Oracle Identity Federation : (FB(ABC Ent- 1,2,3,4..) => ABC Ent(1,2,3,4..))
Oracle HTTP Server : Internally used by OIF and OVD.
Oracle Directory Service Manager : J2EE app to monitor and work on OID/OVD.
Enterprise Manager : Control the OID/OVD.
6. IAMSuite (OIM/OAM) 11.1.2.2
#xhost
su - weblogic
cd /stage/iamSuite11.1.2.2/Disk1
./runInstaller
/stage/jdk1.6.0_35
Oracle_IAM1
Oracle Identity Manager Server : J2EE
Oracle Identity Manager Design Console : Swing based OIM Client
Oracle Identity Manager Remote Manager : for legacy apps that do not support any protocol; this component must be installed on that host.
Oracle Access Manager : SSO, coarse-grained AuthZ
Oracle Identity Navigator : part of OPAM
Oracle Adaptive Access Manager : Bharosa, banking, Virtual Keyboard, OTP, Device/IP fingerprinting.
Oracle Access Management Mobile and Social : Mobile(ios, android), social(FB, TW, LI, google..)
Oracle Privileged Account Manager : OPAM+OIN, Shared password management utility(DBA, system admins)
Oracle Entitlement Server : Fine Grained AuthZ, Embedded in OIM.
Oracle Security Solutions:
A) Identity Governance Suite
OIM+(OES), OIA, OPAM+OIN
B) Access Management Suite
OAM, OIF, OAAM, eSSO
C) Directory Services Suite
OID, ODSEE, OVD, OUD
D) DB Security
Core DBA
E) Cloud Security
SOA 12c
7. OHS 11.1.1.6/7 #supported webservers for OAM – Apache, iPlanet, IHS, OTD, IIS.
#xhost
su - weblogic
cd /stage/ohs11.1.1.6/Disk1
./runInstaller
Oracle_WT1
Oracle Process Manager Notification (OPMN)
Oracle HTTP Server (OHS)
Oracle Web Cache #not applicable on OAM.
DB <= ApplicationServer <= webserver(static contents from file system)+WebCache(static Contents from cache) <=End User
OBE Webgate Link : http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/web_cache/11g/r1/wc_ohs/wc_ohs.htm
Note : Can call it WebTier, OHS Server, Webserver
8. WebGate 11.1.2.2 #WebGates are specific to their respective web servers; this one is the OHS WebGate
#xhost
su - weblogic
cd /stage/webgate11.1.2.2/Disk1/
./runInstaller
/stage/jdk1.6.0_35/
Oracle_OAMWebGate11gR2
Note : the Webserver and the respective agent must be in same host and same MW_HOME.
9. OUD 11.1.2.2 (OID [DB-backed, replication topology]; ODSEE [application server, user base larger than OID]; OVD [virtualizes DB, web services and LDAP servers]; OUD [standalone J2EE application, replication topology, 1 billion user entries, supports virtual profiles (OVD-like) for DB, LDAP servers, WS])
#xhost
su - weblogic
cd /stage/OUD_11.1.2/Disk1/
./runInstaller
10. OBIEE – BI Publisher(reporting) #Doc with snapshot
#xhost
su - weblogic
cd /stage/*/Disk1
./runInstaller
Cluster :
=========
2 node cluster setup
Node 1- Node 2
1. All versions must be same.
2. All directory structure, ORACLE_HOME names must be same.
3. Time must be in sync on both nodes (use an NTP server – a time server from which all nodes synchronize their time).
B) Configuration & Integration Phase 2 days
Pre-req : DB and Listener must be started
1. IDMDomain(ODSM) + OID and OVD Instance
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/Oracle_IDM1/bin
./config.sh
A) Create a domain – IDMDomain(AS, wls_ods1[ODSM]) + oid_ovd_instance1 #Node1 – clustered
B) Extend the existing domain – Add Ons – ODIP, OIF
C) Expand Cluster – in a cluster environment, this option is selected on node 2.
D) Configure without a domain. – oid_ovd_instance1
Note : for port customization of OID/OVD/AS/MS – go to => /stage/idmSuite11.1.1.7/Disk1/stage/Response – staticports.ini , copy it to some other location and modify.
2. Work on ODSM – OID/OVD
How to start the OID/OVD/ODSM Stack :
1. start the DB + Listener
su - oracle
. oraenv
IDMDB11g
sqlplus '/ as sysdba'
SQL> startup
SQL> exit
lsnrctl start LISTENER
exit #logout as oracle
su - weblogic
cd /d01/Weblogic/FMW/oid_ovd_instance1/bin
./opmnctl startall        #or stopall, status, status -l
./opmnctl startproc ias-component=oid1   #or stopproc; ias-component can be oid1, ovd1 or EMAGENT
#start the AdminServer and ManagedServer
#create the boot.properties files (one-time activity)
cd /d01/Weblogic/FMW/user_projects/domains/IDMDomain/servers/AdminServer/security
vi boot.properties
username=weblogic
password=Oracle123
cd /d01/Weblogic/FMW/user_projects/domains/IDMDomain/servers/wls_ods1/security
vi boot.properties
username=weblogic
password=Oracle123
cd /d01/Weblogic/FMW/user_projects/domains/IDMDomain/bin/
nohup ./startWebLogic.sh &
tail -f nohup.out
nohup ./startManagedWebLogic.sh wls_ods1 &
tail -f nohup.out
Alternatively, Managed Servers can be started via Node Manager; for that, start the Node Manager first:
cd /d01/Weblogic/FMW/wlserver_10.3/server/bin
nohup ./startNodeManager.sh &
Note : the machine status must be Reachable; then you can start the Managed Servers.
#server states : http://docs.oracle.com/cd/E13222_01/wls/docs81/adminguide/overview_lifecycle.html
3. using ODSM – create adapter in OVD
4. Extend the OID[OUD,AD, ODSEE] Schema – attributes, object classes
A) Extend the OID schema for OIM and OAM
su - weblogic
mkdir -p /stage/scripts
cd /stage/scripts
vi extend.props #OID specific
IDSTORE_HOST: idm.oraclefusion4all.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
export MW_HOME=/d01/Weblogic/FMW/
export JAVA_HOME=/stage/jdk1.6.0_35
export PATH=$JAVA_HOME/bin:$PATH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_IAM1
export IDM_HOME=/d01/Weblogic/FMW/Oracle_IDM1
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -preConfigIDStore input_file=/stage/scripts/extend.props
B) Create OIM Specific user/group schema in OID #xelsysadm/Oracle123
cd /stage/scripts
vi oim.props
IDSTORE_HOST: idm.oraclefusion4all.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP: OIMAdministrators
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/stage/scripts/oim.props
C) Create OAM Specific user/group schema in OID #oamadmin/Oracle123
vi /stage/scripts/preconfigOAMPropertyFile.rsp
IDSTORE_HOST: idm.oraclefusion4all.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -prepareIDStore mode=OAM input_file=/stage/scripts/preconfigOAMPropertyFile.rsp
Checkpoint : OID can be integrated via OVD with OIM and OAM.
5. IAMDomain(AdminServer, oim_server1 , oam_server1, soa_server1)
pre-req : DB + Listener
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/oracle_common/common/bin
./config.sh
OIM/OAM #soa_server1 will be selected automatically.
Note : Do not start the AdminServer or Managed Servers yet. #AS/MS ==> OPSS (nothing configured yet) ==> Fail.
6. Upgrade the OPSS schema #specific to PS2 11.1.2.2
su - weblogic
cd /d01/Weblogic/FMW/oracle_common/bin
./psa
7. Create the DB Security Store
cd /d01/Weblogic/FMW/oracle_common/common/bin
./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m create -p <OPSS Schema Password>
AS/MS ==> OPSS(Internal Audit Store + Credential Store) ==> Success.
Troubleshoot : Validate the DB Security Store : ./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m validate
Checkpoint : Now the AdminServer and Managed Servers of IAM can be started.
Create boot.properties files for IAMDomain.
mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/AdminServer/security
mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/soa_server1/security
mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/oim_server1/security
mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/oam_server1/security
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/AdminServer/security
vi boot.properties
username=weblogic
password=Oracle123
Copy the file to the security folder of each managed server (soa_server1, oim_server1, oam_server1).
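As an added example (not part of the original post), a small POSIX shell script that performs the boot.properties step above for all four IAMDomain servers and then checks the result; it assumes nothing beyond a domain directory path, and the demo at the bottom runs against a throwaway directory rather than /d01. boot.properties holds the WebLogic credentials in clear text until the server first starts and encrypts it, so the files are created with mode 0600 from the start.

```shell
#!/bin/sh
# Added example, not from the original post: create boot.properties for each
# server of a WebLogic domain so that only the owner (the weblogic OS user)
# can read it, then verify that no copy is missing or too permissive.

# Usage: create_boot_properties <domain_dir> <username> <password> <server>...
# Returns 0 when every file was written, 1 otherwise.
create_boot_properties() {
    domain="$1"; user="$2"; pass="$3"
    shift 3
    rc=0
    for srv in "$@"; do
        dir="$domain/servers/$srv/security"
        mkdir -p "$dir" || { rc=1; continue; }
        # umask 077 in a subshell: the file is born 0600 and is never
        # world-readable, not even for an instant before a later chmod
        ( umask 077
          printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$dir/boot.properties" ) || rc=1
    done
    return $rc
}

# Usage: check_boot_properties <domain_dir> <server>...
# Prints one line per problem (missing file, or mode wider than 0600)
# and returns the number of problems found (0 = all good).
check_boot_properties() {
    domain="$1"; shift
    problems=0
    for srv in "$@"; do
        f="$domain/servers/$srv/security/boot.properties"
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; problems=$((problems + 1)); continue
        fi
        # portable permission check: first 10 chars of ls -l, e.g. -rw-------
        mode=$(ls -l "$f" | cut -c1-10)
        case "$mode" in
            -rw-------|-r--------) ;;
            *) echo "TOO OPEN ($mode) $f"; problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}

# Demo on a throwaway directory (constructed; the real domain is under /d01).
# The password is a placeholder, not a value from the post.
demo_dir=$(mktemp -d)
create_boot_properties "$demo_dir" weblogic 'changeit-placeholder' AdminServer soa_server1 oim_server1 oam_server1
check_boot_properties "$demo_dir" AdminServer soa_server1 oim_server1 oam_server1 \
    && echo "all boot.properties present with mode 0600"
```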
8. Start Servers(DB, Listener, oid_ovd_instance1, AdminServer, soa_server1) – server life cycle
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/bin
nohup ./startWebLogic.sh &
nohup ./startManagedWebLogic.sh soa_server1 &
9. configure the OIM – LDAP Sync
su - weblogic
cd /d01/Weblogic/FMW/Oracle_IAM1/bin
./config.sh
Note : Instead of ODSM, an LDAP browser can be used: http://jxplorer.org/downloads/users.html
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/bin
nohup ./startManagedWebLogic.sh oim_server1 &
C) OIM Administration –
1. Consoles :
A) OIM
1. Identity Self Service #All enterprise users(2000)
http://idm.luckyfusion.com:14000/oim or http://idm.luckyfusion.com:14000/identity
xelsysadm/Oracle123
2. Sysadmin Console #only System Administrator Role members are allowed to access this console
http://idm.luckyfusion.com:14000/sysadmin
xelsysadm/Oracle123
3. Design Console #Swing Based OIM Client
Configure :
xhost +
su - weblogic
cd /d01/Weblogic/FMW/wlserver_10.3/server/lib
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
java -jar wljarbuilder.jar
=> this generates wlfullclient.jar, which must be copied to /d01/Weblogic/FMW/Oracle_IAM1/designconsole/ext
cp wlfullclient.jar /d01/Weblogic/FMW/Oracle_IAM1/designconsole/ext/
==
cd /d01/Weblogic/FMW/Oracle_IAM1/designconsole/
./xlclient.sh
B) SOA
1. BPM Worklist App Console #Nothing but OIM INBOX
http://idm.luckyfusion.com:8001/integration/worklistapp
2. SOA-INFRA Console #to observe deployed composites.
http://idm.luckyfusion.com:8001/soa-infra/
weblogic/Oracle123
3. SOA Composer Console #Modify Business Rule of Disconnected Resources(OIM)
http://idm.luckyfusion.com:8001/soa/composer
weblogic/Oracle123
2. LDAP Sync #only needed for SSO purposes.
Use case : HRMS(2000)===> {OIM(2000) <===> OID/OVD[2000]} <== OAM
What : All OIM Users, Roles, User membership to Roles, Role Hierarchy, New user registration will sync in to OID/OVD automatically.
How & Troubleshoot :
Login to sysadmin console => Click On IT Resource => “Directory Server”
3. Bulk Load Utility :
(Users, Roles, Role Categories, Role Membership, Role Hierarchy, Account)  from .csv or DB table.
su - weblogic
cd /d01/Weblogic/FMW/Oracle_IAM1/server/db/oim/oracle/Utilities/oimbulkload
prepare csv files
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
cd /d01/Weblogic/FMW/Oracle_IAM1/server/db/oim/oracle/Utilities/oimbulkload/scripts
./oim_blkld.sh
=> ORACLE_HOME : /u01/app/oracle/product/11.2.0/dbhome_1/
=> //idm.oraclefusion4all.com:1521/IDMDB11g
=> DEV_OIM
ROLE_CATEGORY_NAME
Q&A
Users ==> Trusted Recon, BLKLD
4. Create trusted app and target app # independent activity; in a real deployment these applications already exist.
A) OUD Instance 1(Trusted App – 2000 Users)
su - weblogic
cd /d01/Weblogic/FMW/Oracle_OUD1/
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
./oud-setup
#asinst_1
idm.oraclefusion4all.com
1389
cn=Directory Manager
Oracle123
dc=trusted,dc=com
Users : 2000
B) OUD Instance 2 (Target App – 0 User)
#asinst_2
idm.oraclefusion4all.com
2389
cn=Directory Manager
Oracle123
dc=target,dc=com
Users : 0
Checkpoint : Trusted and Target is there now for OIM.
Discussion on connector bundles and identifying the right connector (LDAP):
5. Install the right connector
http://idm.luckyfusion.com:14000/sysadmin
xelsysadm/Oracle123
Note : Make sure, before installation, copy the connector to ConnectorDefaultDirectory
Copy the connector bundle(OID-11.1.1.6.0) to  /d01/Weblogic/FMW/Oracle_IAM1/server/ConnectorDefaultDirectory
Manage Connector => Install => Select the connector and click on load and continue :
– Configuration of Connector Libraries
– Import of Connector XML Files (Using Deployment Manager)
– Compilation of Adapter Definitions
6. Create IT Resources (Connection object to target App[s] and trusted application)
http://idm.luckyfusion.com:14000/sysadmin
xelsysadm/Oracle123
IT Resource :
A) TrustedAppITRes
baseContexts : "dc=trusted,dc=com"
Configuration Lookup : Lookup.LDAP.OUD.Configuration.Trusted
Connector Server Name :
credentials : Oracle123
failover :
host : idm.oraclefusion4all.com
port : 1389
principal : cn=Directory Manager
ssl : false
B) TargetAppITRes
baseContexts : "dc=target,dc=com"
Configuration Lookup : Lookup.LDAP.OUD.Configuration
Connector Server Name :
credentials : Oracle123
failover :
host : idm.oraclefusion4all.com
port : 2389
principal : cn=Directory Manager
ssl : false
7. Trusted Reconciliation
pre-req : Install the right connector and create IT Resource to connect to trusted app i.e. HRMS System.
HR People : Create, Delete, Modify – Horizontal or vertical
http://idm.luckyfusion.com:14000/sysadmin
Scheduler => *trusted*
1. LDAP Connector Trusted User Reconciliation (TrustedAppITRes) #Create/Modify
2.  LDAP Connector Trusted User Delete Reconciliation (TrustedAppITRes) #Delete-3/Rogue User
8. Provisioning Configuration
Create/delete/modify/enable/disable
A) Identify the target application, install the connector, create the IT Resource
http://idm.luckyfusion.com:14000/sysadmin/
xelsysadm/Oracle123
B) Create Sandbox
C) Create Application Instance – Collection of Resource Object and IT Resource.
D) Create Object Form using Form Designer and create Application Instance.
E) Publish the sandbox
F) Create lookup configuration
Scheduler = "LDAP Connector OU Lookup Reconciliation"
9. Direct Provisioning
Use Case :
Only System Administrator – Ad-hoc
10. Auto/Criteria Based provisioning
Use Case : Email Server
Use Case : Any User[s](Org – Finance and/or Country = US) ==> Target App[s]
Steps :
1. Create a Role
2. membership rule on top of the role
3. Create Access Policy(Combination of Role[s] and Resource[s])
Login to http://idm.luckyfusion.com:14000/sysadmin
xelsysadm/Oracle123
Access Policies => Create Access Policy
Note : the "Evaluate User Policies" job runs every 10 minutes, so either wait or run it manually.
4. Observe the Auto/Criteria provisioning
11. Request Based Provisioning
e.g. Training
Entities :
1. Requester
2. Catalog Items
3. Beneficiary
4. Request level management = Beneficiary’s Management Line
5. Operational level Management = Catalog Item Approver’s Management Line
6. Route Slip – if any of the approvers is not active, the task is assigned to weblogic for corrective action.
SOA :  2 soa composites
1) Request level approval : Beneficiary’s Management Line
2) Operational Level Approval : Catalog Item Approver’s Management Line
OIM :
http://idm.luckyfusion.com:14000/sysadmin
Approval Policies =
Create 2 approval policies
note : based on each request type, create request level and operational level AP.
1) Request level approval :
2) Operational Level Approval
Life Cycle –
12. Auto provisioning with Request based provisioning
Use Case : User(US,Finance) => Unless Manager approves => OUD Target.
A) Modify the access policy – With Approval = Yes
B) Create 2 set of Approval Policies
request type : Access Policy Based Application Instance Provisioning.
Life Cycle :
13. Proxy :
Manager is on leave 15 days
Restriction :
A) No date overlap in multiple proxies
B) A proxy can not set another user as proxy for the specified dates.
14. Target Reconciliation #update process form associated with the account.
Update the process form with modified information of the target.
http://idm.luckyfusion.com:14000/sysadmin
Scheduler :
“LDAP Connector User Search Reconciliation” – create/modify
“LDAP Connector User Search Delete Reconciliation” – delete
15. Disconnected Application Instance or Disconnected Resources
Use Case : H/W Devices, e.g. – Server Room Biometric Card
Combination of request based provisioning + Disconnected Workflow
Practical Steps :
A) Create Sandbox
B) Create Disconnected Application Instance
C) Modify the object form for additional attributes specific to H/W Device
D) Publish the sandbox
Optionally create 2 set of approval policies for request type “Provision to Application Instance”
E) Modify the business rule for Fulfillment user/role details using SOA Composer.
http://idm.luckyfusion.com:8001/soa/composer
weblogic/Oracle123
modify the business rule for disconnected composite.
Life Cycle of disconnected resource.
Entitlement Configuration :
Group, responsibility on target application.
==
On target app : Create groups
Step 1.
cd /stage/scripts
vi OUD_TargetEntitlement.ldif
# LDIF: entries are separated by a blank line, and the RDN attribute (cn) of each
# entry must be present with the same value as in its dn
dn: cn=Groups,dc=target,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Accounts Payable Administrator,cn=Groups,dc=target,dc=com
cn: Accounts Payable Administrator
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=Accounts Payable User,cn=Groups,dc=target,dc=com
cn: Accounts Payable User
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=BI Publisher Users,cn=Groups,dc=target,dc=com
cn: BI Publisher Users
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=San Francisco Users,cn=Groups,dc=target,dc=com
cn: San Francisco Users
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com
Step 2. Create the groups in OUD using the LDIF file
cd /d01/Weblogic/FMW/asinst_2/OUD/bin
./ldapmodify -a -h idm.oraclefusion4all.com -p 2389 -D "cn=Directory Manager" -q -f /stage/scripts/OUD_TargetEntitlement.ldif
==
http://idm.luckyfusion.com:14000/sysadmin/
xelsysadm/Oracle123
Scheduler = “LDAP Connector Group Lookup Reconciliation[TargetAppITRes]”
Entitlement Assignments
Entitlement List
Entitlement Post Delete Processing Job
==
Organization Security :
==
Review System : after provisioning is done, after 3/6/9/12 months you need to review access to critical resources – regulatory compliance.
A) Attestation – 9i
http://idm.luckyfusion.com:14000/sysadmin
xelsysadm/Oracle123
Attestation Configuration => Create Attestation process
Range of Users, having range of Resources(Roles and Resource Objects), schedule, reviewers, Process Owner.
Life Cycle : ?
B) Certification – 11gR2 PS1, PS2, …PS3
Features : Multi-Phase Certification, Closed-Loop Remediation (PS2, BP03), Offline Certification, Event Listeners, etc.
Enable :
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
System Configuration => “Display Certification or Attestation”
Value : Attestation or Certification or Both
Restart only OIM and observe certification will be enabled.
Use Case :
1. Certifiers : Managers or any other user, Org Certifier, Catalog Item Level Certifier
2. Risk Level : High/Medium/Low
3. Cert Def – Cert_UserHavingFinanceorgCertDef
==
OIM Auditing :
How : http://docs.oracle.com/cd/E40329_01/admin.1112/e27149/img/component.gif
Level :
1. Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.
2. Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.
3. Resource: Audits the user record, role membership, and resource provisioning.
4. Membership: Only audits the user record and role membership.
5. Core: Only audits the user record.
6. None: No audit is stored.
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
System Configuration => “User profile audit data collection level – None/Core/Membership/Resource/Resource Form/Process Task”
==
OIM integration with BI Publisher :
Objective : Audit Reports => templates, data
OIM Node :
1) templates :
cd /d01/Weblogic/FMW/Oracle_IAM1/server/reports
ls
oim_product_BIP11gReports_11_1_2_2_0.zip
2) Copy the oim_product_BIP11gReports_11_1_2_2_0.zip to BI Publisher node
scp oim_product_BIP11gReports_11_1_2_2_0.zip weblogic@bi:/tmp
BI Publisher Node :
http://bi.raje.com:9704/xmlpserver/
weblogic/Oracle123
Catalog => no OIM report templates are listed yet
1) Get the report templates
A) Unzip the reports zip file
unzip -d /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/ /tmp/oim_product_BIP11gReports_11_1_2_2_0.zip
B) Run the job
http://bi.raje.com:9704/xmlpserver/
weblogic/Oracle123
Administration => Server Configuration
Note : Make sure the "BI Publisher repository" path points to the directory containing the Reports folder.
Click On “Upload to BI Presentation Catalog”
2) Populate report templates with data
http://bi.luckyfusion.com:9704/xmlpserver/
weblogic/Oracle123
Administration => JDBC Connection => Add Data Source
A) “OIM JDBC” => DEV_OIM
B) “BPEL JDBC” => DEV_SOAINFRA
=====================
Note : In case, data is not populated in the reports :
Run the job
http://bi.luckyfusion.com:9704/xmlpserver/
weblogic/Oracle123
Administration => Server Configuration
Note : Make sure the "BI Publisher repository" path points to the directory containing the Reports folder.
Click On “Upload to BI Presentation Catalog”

=====================
3) Observe the OIM Audit Reports with data
===
Code Migration:
1. Deployment Manager : Export/Import – .xml
2. Sandbox – Form Data , UDF Changes, UI Change – .zip
Notification Templates :
D) OAM Administration
==
HRMS(2000 – create/delete/modify) ==> OIM[2000] == OVD[OID] <= OAM


Thanks & Regards

Lakshmi Prasada Reddy Nandyala

Monday, 3 August 2015

Oracle Identity & Access Management 11gR2PS1 Installation & Configuration

OIAM : Environment Setup


Environment Setup (OIAM) for 11g R2ps1:


1. Database Installation
2. Run RCU
3. Jrockit
4. Weblogic Server
5. SOA Installation
6. OIAM Installation
7. Weblogic Domain Creation
8. OIAM Configuration

*************************************************************

1. Database Installation


Copy the database setup into the desktop or stage folder.
Set the host name in "/etc/hosts":
127.0.0.1       localhost.localdomain  localhost

192.168.x.xx   oiamserver

# Example

192.168.1.100 oiam.luckyfusion.com oiam
Run the commands (as the root user)

# yum install oracle-rdbms-server-11gR2-preinstall

# yum update ( Optional ) 

# groupadd -g 501 oinstall
# groupadd -g 502 dba
# groupadd -g 503 oper
# groupadd -g 504 asmadmin
# groupadd -g 506 asmdba
# groupadd -g 505 asmoper
 
# useradd -u 502 -g oinstall -G dba,asmdba,oper oracle
It will install all the required prerequisites.
Set the Password  for oracle
# passwd oracle
Login as the oracle user and add the following lines at the end of the ".bash_profile" file.(we can do this step after Jrockit Installation also)



Note : Don't delete the previous environment variables.

# Oracle Environment Variables
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR
ORACLE_HOSTNAME=oiam.luckyfusion.com; export ORACLE_HOSTNAME
ORACLE_UNQNAME=orcl; export ORACLE_UNQNAME
ORACLE_BASE=/home/oracle/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1; export ORACLE_HOME
ORACLE_SID=orcl; export ORACLE_SID

# Java Environment Variables
JAVA_HOME=/home/oracle/jrockit-jdk1.6.0_37-R28.2.5-4.1.0; export JAVA_HOME

PATH=/usr/sbin:$PATH; export PATH
PATH=$JAVA_HOME/bin:$ORACLE_HOME/bin:$PATH; export PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH
 
 
Install DB using Installer from setup file:
 
./runInstaller
 
- Select Default to UNICODE when the second screen of the installer appears.
- Install any other missing packages with yum install unixODBC-* and ignore the i386 ones.
- Next >
- (If it gives an issue on Finish, install one RPM as the root user:
rpm -ivh pdksh-5.2.14-30.x86_64.rpm --nodeps)

NOTE (Optional): in the PASSWORD MANAGEMENT section, uncheck all as per DBA advice.
- Run the two scripts (present by default in the location shown on the second-last screen of the setup) as instructed.
- Done

Restart machine


Test : https://oiam.luckyfusion.com:1158/em
 

  
 
2. Jrockit 
 
./jrockit-jdk1.6.0_37-R28.2.5-4.1.0-linux-x64
 
Note- If any issue, please check the file permissions.
 
Restart machine
 
  
 
3. Run RCU
 
To run RCU, the database must be up and running. As the oracle user:
-------Steps to start DB--------
Go to /home/oracle/app/oracle/product/11.2.0/dbhome_1/bin
./lsnrctl (start the listener)
lsnrctl> start

./sqlplus (start SQL*Plus)
Enter user-name: sys as sysdba
SQL> startup

--------------------------------
 
rpm -ivh libXtst-xx.el6.i686.rpm
 
https://blogs.oracle.com/ecmarch/entry/how_to_run_rcu_on
 
SQL> alter system set open_cursors=3000 scope=both sid='*';
 
System altered.
 
SQL> alter system set processes=3000 scope=spfile sid='*';
 
System altered.
 
restart
 
--------------
1.  Unzip the file.
2.  rcuHome > rcu > bin > ./rcu
3.  (Done)
 
Restart machine
 
  

4. Weblogic Server Installation
 
java -jar ./wls1036_generic.jar
 
Restart machine
 
  

5. SOA Installation
 
Unzip the both zip files (V29672-01_1of2.zip , V29672-01_2of2.zip) and run the installer
 
After successful installation of SOA, apply the following (4) patches
1.  p16385074_111160_Generic(1st)(Remember inside this patch there are two patches oapatch[SOA] and sa_opatch[Jdeveloper]. Please install oapatch only for OIAM setup. For any help please find README.txt inside patch )
2.  p13973356_111160_Generic(2nd)
3.  p14196234_111160_Generic(3rd)
4.  p16366204_111160_Generic(4th)
Run 
1. export ORACLE_HOME=/home/oracle/Oracle/Middleware/Oracle_SOA1
2. export PATH=/home/oracle/Oracle/Middleware/Oracle_SOA1/OPatch:$PATH
 
Unzip all the patches. Enter into the patch folder.
 
Apply the patches:

opatch lsinventory (to just check that how many patches applied)
opatch apply (Apply the patch)
 
Restart machine 
 
 
 
6. OIAM Installation
 
Unzip both zip files and put them into one folder.
 
Disk1 > ./runInstaller (Run it)
(Ignore if any error coming)
 
After OIAM Installation apply the patches:
 
1.  p16513008_111210_Generic(1st) 
2.  p16472592_111160_Generic(2nd) (Remember inside this patch there are two patches oapatch[SOA] and sa_opatch[Jdeveloper]. Please install oapatch only for OIAM setup. For any help please find README.txt inside patch )
3.  p16400771_111160_Generic(3rd)
 
 
Apply Patch p16513008_111210_Generic (1st)
        1. export ORACLE_HOME=/home/oracle/Oracle/Middleware/Oracle_IDM1
        2. export PATH=/home/oracle/Oracle/Middleware/Oracle_IDM1/OPatch:$PATH
        Unzip all the patches. Enter into the patch folder.

        Apply the patches:
        opatch lsinventory (to check & verify applied patches)
        opatch apply (apply the patch)

Apply Patch p16472592_111160_Generic (2nd)
        1. export ORACLE_HOME=/home/oracle/Oracle/Middleware/oracle_common
        2. export PATH=/home/oracle/Oracle/Middleware/oracle_common/OPatch:$PATH
        Unzip all the patches. Enter into the patch folder.

        Apply the patches:
        opatch lsinventory (to check & verify applied patches)
        opatch apply (apply the patch)

Apply Patch p16400771_111160_Generic (3rd)
        1. export ORACLE_HOME=/home/oracle/Oracle/Middleware/oracle_common
        2. export PATH=/home/oracle/Oracle/Middleware/oracle_common/OPatch:$PATH
        Unzip all the patches. Enter into the patch folder.

        Apply the patches:
        opatch lsinventory (to check & verify applied patches)
        opatch apply (apply the patch)
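The same verification applies to the SOA interim patches of the first post (opatch napply) and to the three patches above. As an added example, not from the original post, a shell function that reads saved "opatch lsinventory" output and lists any required patch numbers that are not recorded as applied; the inventory text in sample_inventory is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: after opatch apply / opatch napply,
# confirm that every required interim patch is really recorded in the Oracle
# home inventory. Works on a saved copy of the lsinventory output, so it can be
# run anywhere and kept as evidence of the patch level.

# Usage: missing_patches <lsinventory_output_file> <patch_number>...
# Prints each required patch number that is not listed as applied, one per line.
# Returns 0 when all are applied, 1 when at least one is missing.
missing_patches() {
    inv="$1"; shift
    # opatch lists applied interim patches as lines of the form
    #   Patch  16385074     : applied on Fri Aug 14 ...
    applied=$(awk '$1 == "Patch" && $3 == ":" && $4 == "applied" { print $2 }' "$inv")
    rc=0
    for p in "$@"; do
        n=${p#p}    # accept both "p16385074" and "16385074"
        if ! printf '%s\n' "$applied" | grep -qx "$n"; then
            echo "$n"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "opatch lsinventory" output (not from a real host):
# three of the four SOA patches named in the post are applied, one is not.
sample_inventory() {
    cat <<'EOF'
Oracle Interim Patch Installer version 11.1.0.9.9
Copyright (c) 2013, Oracle Corporation.  All rights reserved.

Oracle Home       : /home/oracle/Oracle/Middleware/Oracle_SOA1

Interim patches (3) :

Patch  16385074     : applied on Fri Aug 14 10:05:11 IST 2015
   Bugs fixed:
     16385074

Patch  13973356     : applied on Fri Aug 14 10:07:40 IST 2015
   Bugs fixed:
     13973356

Patch  14196234     : applied on Fri Aug 14 10:09:02 IST 2015
   Bugs fixed:
     14196234

--------------------------------------------------------------------------------

OPatch succeeded.
EOF
}

# Demo. Real usage:  opatch lsinventory > /tmp/lsinv.txt
#                    missing_patches /tmp/lsinv.txt p16385074 p13973356 p14196234 p16366204
tmp=$(mktemp)
sample_inventory > "$tmp"
if missing=$(missing_patches "$tmp" p16385074 p13973356 p14196234 p16366204); then
    echo "all required patches applied"
else
    echo "missing patches: $missing"
fi
rm -f "$tmp"
```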
 
Restart machine
 
 
 

7. Weblogic Server DOMAIN CREATION 
 
Start the Oracle DB:
 
Goto : /home/oracle/app/oracle/product/11.1.2/db_1/bin
 
        ./lsnrctl
        Start
        Exit
 
        ./sqlplus
        User Name: sys as sysdba
        Password: welcome1
        Sql> startup
        Database UP & Running
 
Goto : /home/oracle/Oracle/Middleware/wlserver_10.3/common/bin
 
Run : ./config.sh (Create New Domain)
 
 
Follow the Instruction.(Shuttle all the machine under the Admin server during this process.). Done. Restart the Machine
 
 
 
 
8. Additional Config
 
DB should be UP & Running.
 
Goto : /home/oracle
 
Run : /home/oracle/Oracle/Middleware/oracle_common/common/bin/wlst.sh /home/oracle/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /home/oracle/Oracle/Middleware/user_projects/domains/oim_domain -c IAM -p welcome1 -m create
 
Wait for the success message.

Note- Here oim_domain is the OIAM domain name & welcome1 is the DB password.
 
1.  Start WebLogic Server
2.  Start soa_server1 Managed Server.
 
 
Goto : /home/oracle/Oracle/Middleware/Oracle_IDM1/bin
Run : ./config.sh

        On First Screen NEXT
        On Second Screen Select ALL (OIM Server, Design Console & Remote Manager)
        On Third Screen
               Connect String : localhost:1521:orcl
               OIM User Name  :       DEV_OIM
               OIM Password   :       welcome1
               MDS User Name  :       DEV_MDS
               MDS Password   :       welcome1
               NEXT
        On Fourth Screen
               WLS Admin URL  :       t3://localhost:7001
               User Name      :       weblogic
               Password       :       welcome1
        On Fifth Screen
               OIM Admin Password     :       Welcome1
               Deselect ENABLE LDAP SYNC
        On Sixth Screen
               OIM Server Host Name   :       oiamserver
               OIM Server port        :       14000
        On Seventh Screen
               Leave all details as they are
        Configure > Done


        Start oim_server1 Managed Server
 
  
 
9. Test the Environment
 
OIM Environment Test :

http://192.168.x.xx:14000/identity  (OIM for User)
 
http://192.168.x.xx:14000/sysadmin  (OIM for Admin)
 
User- xelsysadm
Password- Welcome1
 
OAM Environment Test : 
http://192.168.x.xx:7001/oamconsole
 
userId- weblogic
Password- welcome1
 
INSTALLATION DONE….. 
 
 
-------------------------------------------------------------------------
Optional : Installation & Configure the Design Console(Local Windows)
 
Installation:
 
Extract both zip files (V37472-01_1of2.zip, V37472-01_2of2.zip) for the OIM setup into one folder.
Disk1 > Install > select your platform and install it.
Done.
NOTE- The Design Console (for OIAM) can be installed on any machine; you only need to provide the details of the servers.
 
Configuration:
 
Goto : C:\Oracle\MiddlewareWLS\Oracle_IDM1\bin
Install/run- Double click on Config

        On Second Screen Select only OIM Design Console
        On the next Screen
               OIM Host Name- 192.168.x.xx
               OIM Port- 14000
        Configure & Done.
 
 
File Names-
JRockit- jrockit-jdk1.6.0_37-R28.2.5-4.1.0-linux-x64
OIAM- V37472-01_1of2.zip & V37472-01_2of2.zip
RCU- V37476-01.zip
RPM-     compat-libstdc++-33-3.2.3-69.el6.i686
                glibc-2.12-1.7.el6.i686
                libstdc++-4.4.4-13.el6.i686
                pdksh-5.2.14-30.x86_64
SOA- V29672-01_1of2.zip & V29672-01_2of2.zip
WLS- wls1036_generic
------------------------------------------------------------------------------------

If you have any Queries Contact : lakshmiprasad.fusion@gmail.com

Tuesday, 21 July 2015

OIM : Pre Defined SOA Composites

OIM comes with pre-defined sets of composites for creating and managing requests. These SOA composites are deployed to the Oracle SOA Server and registered with Oracle Identity Manager by default. If you are creating any new SOA composites, or making changes to existing ones, you will need to redeploy your composites to the Oracle SOA Server and register the changed composite to the Oracle Identity Manager Server.



The source for all SOA composite workflows is available from the $ORACLE_OIM_HOME/server/workflows/composite directory.

Sunday, 19 July 2015

E-Business Suite R12 Server startup and Shutdown Steps

E-Business suite R12 Start Up 


Step 1: Login as the root user ::

# Connect to the Oracle Database

su - oradev
sqlplus / as sysdba
startup;

exit

lsnrctl start VIS
lsnrctl status VIS


and THEN


# Connect to the Application Development schema

su - appldev

connect apps/apps

cd $ADMIN_SCRIPTS_HOME
./adstrtal.sh apps/apps@VIS



# That is the startup procedure


Shut-down procedure

su - appldev
cd $ADMIN_SCRIPTS_HOME
./adstpall.sh apps/apps@VIS


su - oradev
lsnrctl stop VIS
sqlplus / as sysdba
shutdown immediate;
exit


http://ebsdev.luckyfusion.com:8000/


    SYSADMIN/sysadmin

    MFG/welcome

    OPERATIONS/welcome

    SERVICES/welcome

    MRC/welcome

    HRMS/welcome




========================================================================

Thanks & Regards

Lakshmi Prasad Reddy Nandyala 

Per_Email :: nandyala@lakshmiprasad.co.in

Mobile No :: +91-9490059784



Thursday, 16 July 2015

MS Active Directory Password Synchronization with Oracle Identity Manager

Step 1:  Install Windows Server 2008 R2

               a. Set a static IP address
               b. Disable the Firewall
               c. Create a Domain (dcpromo), e.g. activedirectory.com

Step 2 :  Install the Connector Server on the Windows Server

Step 3 :  Install the Active Directory User Management Connector in "OIM" and configure the IT Resources

Step 4 :  Install the Active Directory Password Sync Connector on the "Windows Server"

Step 5 : Go to Run, type "regedit", search for "ADConfig" or open the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig


  1. ADPersistentStore is the OU in Active Directory that stores data for users whose password could not be synced from AD to OIM for various reasons.
  2. Change the value of Log from N to Y if you wish to enable logging in password synchronization.
  3. LogPath is the directory in which the logs are written (to enable logging, set the value of Log to Y).

Step 6 : Go to Run, type "regedit", search for "OIMConfig" or open the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig



  1. OIMhost is the hostname where the OIM managed server is running (Ex : oim.luckyfusion.com)
  2. OIMPort is the port on which the OIM managed server is running (Ex : 14000)
  3. To disable the Password Synchronization connector, set the value of Disabled to 1
  4. AD communicates with the OIM server via an SPML Web Service (WS) SOAP request over HTTP(S), e.g. http(s)://oim.luckyfusion:14000/spmlws/OIMProvisioning for OIM on WebLogic Server (make sure the SPML-DSML application is deployed on the OIM Managed Server and is in ACTIVE state)


SPML-DSML Deployment Steps :


      Before you deploy the connector, deploy the SPML-DSML Service on the Oracle WebLogic Application Server on which Oracle Identity Manager is running:
  1. Log in to the Oracle WebLogic Server Administration Console.
  2. In the Change Center region, click Lock & Edit to enable modification to the settings on the page.
  3. In the Domain Structure region, click Deployments.
  4. On the right pane, click Install.
  5. On the Locate deployment to install and prepare for deployment page, in the Path field, enter OIM_HOME\server\apps. For example, D:\my_install\middleware\Oracle_IDM1\server\apps.
  6. In the region following the Current Location field, select spml-dsml.ear and then click Next.
  7. On the Choose targeting style page, click Next to accept the default selection and proceed with installation.
  8. On the Select deployment targets page, in the Available targets for spml-dsml region, select oim_server1 if Oracle Identity Manager is installed in a nonclustered environment. Otherwise, select oim_cluster.
  9. Click Next.
  10. On the Optional Settings page, in the Source accessibility region, select I will make the deployment accessible from the following location, and then click Next.
  11. On the Review your choices and click Finish page, verify the data that you have provided, and then click Finish.
  12. On the Settings for spml-dsml page, review the configuration information of the deployed SPML-DSML Service, and then click Save.
  13. In the Change Center region, click Activate Changes for the changes to take effect.
  14. On the left pane, in the Domain Structure region, click Deployments.
  15. On the right pane, in the Deployments table, select spml-dsml, and then from the Start list, select Servicing all requests.
    The SPML-DSML Service is started.
  
Step 7 : Go to Run, type "regedit", search for "Install" or open the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\Install

Step 8 : Reconfigure the IT Resources

            set the Allow Password Provisioning parameter to no

Step 9 : Configure SSL 


Step 10 : 





Wednesday, 15 July 2015

Oracle Identity Manager11gR2(PS1) Complete Installation Steps


1. Install Virtual Box

2. Windows Server 2008 R2

-->Set the static IP address
-->Disable and stop the Firewall service
-->The computer name must not exceed 13 characters

2.1 Install Firefox Browser

3.     Install Database 11.2.1.2.0

      SQL> alter system set aq_tm_processes=1 scope=both;
      SQL> alter system set db_cache_size=150994944 scope=both;
      SQL> alter system set java_pool_size=125829120 scope=both;
      SQL> alter system set shared_pool_size=183500800 scope=both;
      SQL> alter system set open_cursors=1000 scope=both;
      SQL> alter system set processes=1000 scope=spfile;
      SQL> alter system set sessions=500 scope=spfile;
      SQL> alter system set aq_tm_processes=2 scope=both;


      SQL> grant execute on DBMS_LOCK to PUBLIC;
      Grant succeeded.
      SQL> grant execute on DBMS_JOB to PUBLIC;
      Grant succeeded.


3.1  Install RCU 11.1.1.7

4. Java (1.6/1.7) or JRockit 1.6
(install location c:\java)


4.1  Weblogic 10.3.6

5. SOA 11.1.1.6
--SOA patch no: 16366204

6. OIAM 11.1.2.1.0

7. Weblogic Configuration

8. OIAM configuration

9. http://lucky.nandyala.com:14000/sysadmin

-->xelsysadm -->PASSWORD

http://lucky.nandyala.com:14000/identity
   
-->xelsysadm -->PASSWORD

10.   Configure Design Console

Go to ::   cd <Middleware_Home>\wlserver_10.3\server\lib  directory.



    java -jar <Middleware_Home>\modules\com.bea.core.jarbuilder_1.5.0.0.jar

    This command generates the wlfullclient.jar file.

    Copy the wlfullclient.jar file to <Oracle_IDM1>\designconsole\ext

    Copy the wlfullclient.jar file to <Oracle_IDM1>\designconsole\lib


    Start the Design Console from the <IDM_Home>\designconsole directory (xlclient.cmd on Windows, ./xlclient.sh on Linux).

    Log in to the Design Console with your Oracle Identity Manager user name and password.



Lakshmi Prasada Reddy Nandyala
Email : info@lakshmiprasad.co.in
Mobile No: +91-9490059784




  

Oracle DB & JAVA Environment Variables


# Oracle Settings
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR

ORACLE_HOSTNAME=lucky.nandyala.com; export ORACLE_HOSTNAME
ORACLE_UNQNAME=DB11G; export ORACLE_UNQNAME
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1; export ORACLE_HOME
ORACLE_SID=DB11G; export ORACLE_SID
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH

LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH



-----------------------------------------------------------------------------------------

#Java Settings

JAVA_HOME=/usr/java/jdk1.6; export JAVA_HOME

PATH=$JAVA_HOME/bin:$PATH; export PATH

# Prepend to CLASSPATH rather than overwrite it, so the Oracle jlib entries above and tools.jar both survive
CLASSPATH=$JAVA_HOME/lib/tools.jar:$CLASSPATH; export CLASSPATH

CLASSPATH=/usr/java/jre1.6/rt.jar:$CLASSPATH; export CLASSPATH

Tuesday, 14 July 2015

OIM Custom Connector Development


Features needed to develop a Connector:

Create

( Resource Object + Process Definition + Form Designer + Provisioning Tasks + Java Code (Jar) + Adapters + IT Resources + Lookups + Schedulers + Password Policies + Rules + Recon Jobs + XYZ task ) = Custom Connector.

 Thanks & Regards 
-------------------------
Lakshmi Prasada Reddy Nandyala

Custom Approvals ( SOA Approvals )


Method for deploying Custom Approvals in Weblogic & OIM:


  1. Create a project (ApprProjectName, ApprProjectService, ApprProject..) using the ANT command on the OIM machine.
  2. Open the .JWS/JPR project file from JDeveloper.
  3. Edit the approval task flow using BPEL orchestration.
  4. Add custom Java code for a complex approval process.
  5. Add a human workflow in the BPEL orchestration. Deploy the approval workflow to SOA and WebLogic.
  6. Once it is deployed, it is stored in MDS (Metadata Service).
  7. Register the approval workflow in the OIM server.
  8. Once it is loaded, it is available to OIM.
  9. Create an approval policy from the Approval Policy functionality in sysadmin.

Custom Schedulers in OIM

Method for deploying Custom Scheduler in Weblogic & OIM

  1. Create a Java file with the reconciliation schedule job code
  2. Develop a plugin.xml to deploy into WebLogic
  3. Run the Registration.xml command from the command prompt
  4. Once it is deployed, it is stored in MDS (Metadata Service)
  5. Once it is loaded, it is available to OIM
  6. Create a schedule from the Scheduler functionality in sysadmin


Event Handlers in OIM

Event Handler is known as "Data Set"

An 11g-only feature; not present in 10g

Event handlers are predefined Java code from Oracle, provided by default with the OIM installation for the User ID and Password features only.

Method for deploying event handlers in WebLogic:


  1. Create a Java file with the User ID generation code
  2. Develop a plugin.xml to deploy into WebLogic
  3. Run the Registration.xml command from the command prompt
  4. Once it is deployed, it is stored in MDS (Metadata Service)
  5. Once it is loaded, it is available to OIM.


Custom Adapters & Rules in OIM

Custom Adapters:

Pure Java – 3 types of Tasks

 (Functional Task {Java, Remote, Stored Procedures},

Utility Task {Utility, OIM APIs},

Logical Task) & pre-compiled Java program.


Pre-Populate Rule Generator Adp:
( One form to another form user field population Ex: USR to UD_OIDUser)

Step1: fill the attribute values in the user (USR) form; they are pre-populated automatically into the Process Form (UD_OIDUSER) before submission to the target system. Note: there is no post pre-population operation supported by this adapter. It is a one-time job.

Task Assignment Adp
 (Delegation time Ex: a manager can assign his task to another person when he is going on leave)

Process Task Adp:
(Provisioning/Reconciliation time Ex: user provisioning to targets)

Entity Adp
(User ID/Password/Email/EmpCode id generation automatically Ex: First name: prasad Last Name: nandyala User id: prasad.nandyala & Email: prasad.nandyala@lakshmiprasad.co.in ) Supports pre and post operations (Insert, Update and Delete functions)

Rule-Generator Adp:
(User ID/Password/Email id generation automatically Ex: First name: prasad Last Name: lakshmi User id: prasad.lakshmi & Email: prasad.lakshmi@lakshmiprasad.co.in).. No pre and post operations – only one-time generation.

Custom Rules: Non-Java
General Rule: If “User Type=Contractor” rule in Role and User membership

Pre-Populate Rule: ( One form to another form user field population Ex: USR to UD_OIDUser)

Task Assignment Rule: assigning your tasks to others (Delegated Administration)

Process Determination Rule: This rule is triggered with the Resource Object at the time the process is initiated.



Form Customization in OIM..


1.1: Object Form customization (Parent Form) -- Example: User Form (USR)

1.1.1: Open sysadmin --> Create Sandbox --> Form Designer --> Search User --> Add Field --> Save --> Export Sandbox --> Publish Sandbox --> Sign out
Conclusion: Prepared for the backend process

1.1.2: Open Identity Console --> Import Sandbox --> Create User --> Fill mandatory fields --> Click Customize button --> Place the attribute --> Save --> Publish Sandbox
Conclusion: Prepared for the front end (framework)


1.2: Process Form Customization (Child Form) -- Example: OID Form (UD_OID_USR)
1.2.1: Login to Design Console --> Form Designer --> Search OID User Form --> Create a new version and select that version --> Add custom field --> Add pre-population logic if required --> Make the version active

Conclusion: Only a one-step process for Process Forms..

SSL Configuration for Tomcat Web Server By LuckySkills


1- Create the Tomcat keystore in a path of your choice (c:\stage in the commands below):

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore c:\stage\my.keystore

2- Create the CSR (same alias as in step 1):

%JAVA_HOME%\bin\keytool -certreq -keyalg RSA -alias tomcat -file c:\stage\certreq.csr -keystore c:\stage\my.keystore

3- Request the SSL certificate from the CA using the CSR created in step 2.

4- Import the root and SSL certificates (chain certificate). The CA chain goes under its own alias; the signed server certificate must be imported under the key alias from step 1 (tomcat) so that keytool attaches it to the private key instead of storing it as a separate trusted certificate:

keytool -import -alias root -keystore c:\stage\my.keystore -trustcacerts -file <filename of the chain certificate (full path)>

keytool -import -alias tomcat -keystore c:\stage\my.keystore -file <your certificate filename (full path)>

5- Change the connectors in Tomcat's server.xml:
Comment out the non-SSL connector (the plain HTTP port) so it won't be used again,
and change the SSL connector (uncommenting it if it is commented out) to:

<Connector
    protocol="HTTP/1.1"
    port="443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\stage\my.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>

keystorePass must be the password you gave keytool in step 1.

6- Done. Test your URL with SSL.
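Steps 1, 2 and 4 above hinge on one detail that is easy to get wrong: the alias chosen in step 1 must be reused for the CSR and for the import of the signed certificate, because keytool decides from the alias whether a file is a trusted CA certificate or the CA's reply for an existing key. The POSIX shell functions below are an added example, not part of this post or of Tomcat, that run those steps non-interactively and then check the outcome. They assume keytool from a JDK 7 or later is on PATH; keystore file, password, alias and subject names are placeholders for your own values.

```shell
# Added example (not from the post): keystore steps 1, 2 and 4 as
# non-interactive keytool calls, plus the check that step 4 worked.
# Assumptions (hypothetical): keytool (JDK 7+) is on PATH; keystore path,
# password, alias and subject names are placeholders.

# Step 1: key pair for the server, under the alias every later step must reuse.
# gen_server_key <keystore> <password> <alias> <hostname>
gen_server_key() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$3" -dname "CN=$4, OU=Web, O=Example, C=US" \
        -keystore "$1" -storepass "$2" -keypass "$2"
}

# Step 2: certificate signing request for that key.
# make_csr <keystore> <password> <alias> <csr_file>
make_csr() {
    keytool -certreq -alias "$3" -file "$4" -keystore "$1" -storepass "$2"
}

# Step 4: import a certificate. The alias decides what keytool does with it:
#   - a new alias (e.g. root)  -> stored as a trusted CA certificate;
#   - the key alias (tomcat)   -> treated as the CA's reply and chained onto
#     the private key. Importing the reply under any other alias leaves the
#     key entry self-signed (or fails if that alias already exists).
# import_cert <keystore> <password> <alias> <cert_file>
import_cert() {
    keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$4" \
        -keystore "$1" -storepass "$2"
}

# Check after step 4: a key entry that received its reply reports a chain of
# length 2 or more (server certificate plus the CA chain). Prints the number.
# chain_length <keystore> <password> <alias>
chain_length() {
    keytool -list -v -alias "$3" -keystore "$1" -storepass "$2" |
        sed -n 's/^Certificate chain length: //p'
}
```

After importing your CA's chain under its own alias and the signed certificate under the key alias, chain_length should print 2 or more; a 1 means the signed certificate did not reach the private key (wrong alias in step 4), and Tomcat would then still serve the self-signed certificate from step 1.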



Reconciliation Workflow and Triggering functionalities in OIM

Create User in Target--> Run Scheduler

Schedule--> Reconciliation Rule --> Resource Object --> Process Definition

Resource Object --> Object Reconciliation --> Reconciliation Fields + Recon Action Rules

Process Definition (complete Workflow) --> Resource + Form Designer + Recon Field Mappings + Tasks + Adapters + Jars (Java Code) + Lookups (Recon) + IT Resource + xyz Functionality = User Reconciled in OIM.

Information updated to Reconciliation Table in Sysadmin as Events..

After Reconciliation --> send Notification using Email Definition..

Important Things in Recon:

1. Recon Rules
2. Recon Fields in Resource Object
3. Recon Action Rules
4. Updated to Reconciliation in sysadmin

Provisioning Workflow and Triggering functionalities in OIM


Create User in OIM --> Accounts + request Accounts

Account --> Application Instance --> Access Policy + Resource Object + Process Definition

Resource Object --> Password Policies + Process Det Rules + Events/Adapters

Process Definition (complete Workflow) --> Resource + Form Designer + Tasks + Adapters + Jars (Java Code) + Lookups + IT Resource + xyz Functionality = User Provisioned in Target

After Provision(Provisioned) --> send Notification using Email Definition