
Oracle Fusion Middleware : Oracle Identity and Access Management Suite 10g/11gR1/11gR2PS1,PS2,PS3 : OIM | OAM,OAAM,OIF | OID, OVD, DIP | OUD/ ODSEE | Microsoft AD | OpenLDAP | ADF | EBS R12 | OECMCCR4 | Business Intelligence - BI Publisher | Banking | Demo Applications | Core Java | SQL | PLSQL | Web services | Weblogic | Tomcat | JBoss | OHS | WebGate | WebCenter | For any queries please contact me : info@oratechsoft.com


Thursday, 20 August 2015

OID Performance Tuning


Oracle Internet Directory is highly scalable, and its performance can be tuned to the available hardware resources and the high-availability configuration in use.
In this post I will explain the parameters which can improve the performance of OID.

1. Database Parameters:

Parameter                         Recommended value
sga_target, sga_max_size          up to 60-70% of the RAM available on the database machine
db_cache_size                     up to 60-70% of the RAM available on the database machine
shared_pool_size                  500M
session_cached_cursors            100
processes                         500
pga_aggregate_target              1-4GB
job_queue_processes               1 or more
max_commit_propagation_delay      99 or lower


2. LDAP Server Attributes:

Attribute                         Recommended value
orclmaxcc                         10 - number of DB connections per server process
orclserverprocs                   4 - number of OID LDAP server processes; should equal the number of CPU cores on the system
orclgeneratechangelog             0 - disables change log generation
orclldapconntimeout               60 - LDAP connection timeout
orclmatchdenabled                 0 - MatchDN processing switch (0 = disabled)
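The post lists the recommended values but not how to set them. As an added example (not from the original post), the script below renders the LDAP server attributes as an LDIF modify against the OID instance configuration entry, pushes it with the OID ldapmodify tool and reads the values back with ldapsearch. It assumes the instance is named oid1 (so the entry is cn=oid1,cn=osdldapd,cn=subconfigsubentry), a host name of idm.example.com, and that the orcladmin password arrives through the ORCLADMIN_PW environment variable; these are assumptions, not values from the post. The change log switch is applied only when DISABLE_CHANGELOG=1, because Oracle DIP synchronisation and OID replication consume the change log.

```bash
#!/bin/bash
# Added example, not part of the original post: apply the recommended OID LDAP server
# attributes with ldapmodify and read them back. All host/instance names are hypothetical.
#   - OID instance oid1  -> config entry cn=oid1,cn=osdldapd,cn=subconfigsubentry
#   - ldapmodify/ldapsearch are the OID client tools from $ORACLE_HOME/bin
#   - orcladmin password comes from ORCLADMIN_PW (never typed on the command line by hand)
set -eu

OID_HOST="${OID_HOST:-idm.example.com}"
OID_PORT="${OID_PORT:-3060}"
OID_INSTANCE="${OID_INSTANCE:-oid1}"
BIND_DN="cn=orcladmin"

# Render the LDIF for the values recommended in the post. Each mod-spec ends with "-".
# orclserverprocs defaults to the core count, as the post recommends.
oid_tuning_ldif() {
  cat <<EOF
dn: cn=${OID_INSTANCE},cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclmaxcc
orclmaxcc: ${ORCLMAXCC:-10}
-
replace: orclserverprocs
orclserverprocs: ${ORCLSERVERPROCS:-$(nproc 2>/dev/null || echo 4)}
-
replace: orclldapconntimeout
orclldapconntimeout: ${ORCLLDAPCONNTIMEOUT:-60}
-
replace: orclmatchdenabled
orclmatchdenabled: ${ORCLMATCHDNENABLED:-0}
-
EOF
  # Only switch the change log off when explicitly asked: DIP sync and replication need it.
  if [ "${DISABLE_CHANGELOG:-0}" = "1" ]; then
    printf 'replace: orclgeneratechangelog\norclgeneratechangelog: 0\n-\n'
  fi
}

# Push the LDIF. The password is passed with -w from the environment; the OID tools also
# accept -q to prompt interactively, which keeps it out of the process list when run by hand.
apply_oid_tuning() {
  : "${ORCLADMIN_PW:?set ORCLADMIN_PW to the orcladmin password}"
  tmp="$(mktemp)"
  oid_tuning_ldif > "$tmp"
  ldapmodify -h "$OID_HOST" -p "$OID_PORT" -D "$BIND_DN" -w "$ORCLADMIN_PW" -f "$tmp"
  rm -f "$tmp"
}

# Read the attributes back from the instance entry to confirm what is now in effect.
verify_oid_tuning() {
  : "${ORCLADMIN_PW:?set ORCLADMIN_PW to the orcladmin password}"
  ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$BIND_DN" -w "$ORCLADMIN_PW" \
    -b "cn=${OID_INSTANCE},cn=osdldapd,cn=subconfigsubentry" -s base "objectclass=*" \
    orclmaxcc orclserverprocs orclldapconntimeout orclmatchdenabled orclgeneratechangelog
}

# Usage: ./oid_tune.sh print   (show the LDIF)   |   ./oid_tune.sh apply   (modify + verify)
case "${1:-print}" in
  print) oid_tuning_ldif ;;
  apply) apply_oid_tuning && verify_oid_tuning ;;
esac
```

orclserverprocs and orclmaxcc only take effect after the OID component is restarted (opmnctl restartproc ias-component=oid1 from the instance's bin directory), which is the restart requirement noted at the end of the post.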



3. OID Authenticator Parameters:
    If you have configured the Oracle Internet Directory Authenticator in myrealm to retrieve users from OID, the following parameters can be changed to optimize performance:

Parameter                         Recommended value
Group Membership Searching        limited
Connection Pool Size              120
Connect Timeout                   120
Cache Size                        51200
Cache TTL                         300

4. jps-config Parameters

    If the WebLogic domain has been reassociated to OID and the application policies are stored there, the following properties should be added to the policystore.ldap serviceInstance in jps-config.xml to make the retrieval of policies faster by caching them.

    <property name="oracle.security.jps.policystore.rolemember.cache.type" value="STATIC"/>
    <property name="oracle.security.jps.policystore.rolemember.cache.strategy" value="NONE"/>
    <property name="oracle.security.jps.policystore.rolemember.cache.size" value="100"/>
    <property name="oracle.security.jps.policystore.policy.lazy.load.enable" value="true"/>
    <property name="oracle.security.jps.policystore.policy.cache.strategy" value="NONE"/>
    <property name="oracle.security.jps.policystore.policy.cache.size" value="1000000"/>
    <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
    <property name="oracle.security.jps.policystore.refresh.purge.timeout" value="43200000"/>
    <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="6000000"/>
    <property name="oracle.security.jps.policystore.rolemember.cache.warmup.enable" value="true"/>
    <property name="connection.pool.min.size" value="120"/>
    <property name="connection.pool.max.size" value="120"/>
    <property name="connection.pool.provider.type" value="IDM"/>
    <property name="connection.pool.timeout" value="300000"/>
    <property name="connection.pool.provider.type" value="5"/>

   OID and WebLogic Server restarts are required after modifying the above parameters. They can be tuned further depending on the available hardware resources.
   Ref : http://docs.oracle.com/cd/E23943_01/core.1111/e10108/oid.htm

How to invoke secured JAX-WS web service from a standalone client

In this post I will explain the procedure for invoking a secured JAX-WS web service from a standalone Java client, and the problems you may face during the process.
There are several ways by which you can invoke a secured web service; I will explain two of them here. In this example I have a sample web service which is protected by the policy wss_saml_or_username_token_service_policy.
I will not get the desired response if I try to invoke the protected web service without providing a proper username token in the SOAP header.
In WebLogic, you can attach policies to web services with the help of OWSM. The following block shows the snippet that must be present in the SOAP header in order for the client to be asserted by a web service provider protected by the wss_saml_or_username_token_service_policy policy:

<S:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-Kr9QjWbqpQgxYI4CDWNxCg22">
<wsse:Username>administrator</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Passw0rd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</S:Header>

The username in this case is 'administrator' and the password is 'Passw0rd'.

Here are the two ways in which you can add the above block to the header of the SOAP request on the client side:
1. The first way is to add credentials to the RequestContext of the client port:

      import java.util.ArrayList;
      import java.util.List;
      import java.util.Map;
      import javax.xml.ws.BindingProvider;
      import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
      import weblogic.xml.crypto.wss.WSSecurityContext;
      import weblogic.xml.crypto.wss.provider.CredentialProvider;

      // The WebLogic credential provider builds the wsse:UsernameToken from these at call time
      List<CredentialProvider> credProviders =
          new ArrayList<CredentialProvider>();
      String username = "administrator";
      String password = "Passw0rd";
      CredentialProvider cp =
          new ClientUNTCredentialProvider(username.getBytes(),
                                          password.getBytes());
      credProviders.add(cp);
      Map<String, Object> requestContext =
          ((BindingProvider) sampleWebServicePort).getRequestContext();
      // Register the provider list on the port; without this line the list above is never used
      requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
      requestContext.put(BindingProvider.USERNAME_PROPERTY, username);
      requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
      sampleWebServicePort.callService();
   

2. The second way is to create a SOAP handler that builds the security header and add it to the port's handler chain:

        import java.util.ArrayList;
        import java.util.List;
        import javax.xml.ws.BindingProvider;
        import javax.xml.ws.handler.Handler;

        try {
            CustomSOAPHandler sh = new CustomSOAPHandler();
            List<Handler> new_handlerChain = new ArrayList<Handler>();
            new_handlerChain.add(sh);
            ((BindingProvider) sampleWebServicePort).getBinding().setHandlerChain(new_handlerChain);
            sampleWebServicePort.callService();
        } catch (Throwable e) {
            e.printStackTrace();
        }

Create a custom SOAPHandler class which adds the header to the SOAP request.
CustomSOAPHandler:


import java.util.Collections;
import java.util.Set;

import javax.xml.namespace.QName;
import javax.xml.soap.Name;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class CustomSOAPHandler implements SOAPHandler<SOAPMessageContext> {

    private static final String AUTH_PREFIX = "wsse";
    private static final String AUTH_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    // mustUnderstand belongs to the SOAP 1.1 envelope namespace (prefix S in the header above), not to wsse
    private static final String SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    private static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    public boolean handleMessage(SOAPMessageContext context) {
        // The token is only needed on the outbound request; leave the inbound response untouched
        Boolean outbound = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (!Boolean.TRUE.equals(outbound)) {
            return true;
        }
        try {
            SOAPEnvelope envelope =
                context.getMessage().getSOAPPart().getEnvelope();
            SOAPFactory soapFactory = SOAPFactory.newInstance();
            SOAPElement wsSecHeaderElm =
                soapFactory.createElement("Security", AUTH_PREFIX, AUTH_NS);
            Name wsSecHdrMustUnderstandAttr =
                soapFactory.createName("mustUnderstand", "S", SOAP_ENV_NS);
            wsSecHeaderElm.addAttribute(wsSecHdrMustUnderstandAttr, "1");
            SOAPElement userNameTokenElm =
                soapFactory.createElement("UsernameToken", AUTH_PREFIX, AUTH_NS);
            // The utility attribute is wsu:Id (capital I), as in the header shown above
            Name userNameTokenIdName = soapFactory.createName("Id", "wsu", WSU_NS);
            userNameTokenElm.addAttribute(userNameTokenIdName,
                                          "UsernameToken-ORbTEPzNsEMDfzrI9sscVA22");
            SOAPElement userNameElm =
                soapFactory.createElement("Username", AUTH_PREFIX, AUTH_NS);
            userNameElm.addTextNode("administrator");
            SOAPElement passwdElm =
                soapFactory.createElement("Password", AUTH_PREFIX, AUTH_NS);
            Name passwdTypeAttr = soapFactory.createName("Type");
            passwdElm.addAttribute(passwdTypeAttr, PASSWORD_TEXT);
            passwdElm.addTextNode("Passw0rd");
            userNameTokenElm.addChildElement(userNameElm);
            userNameTokenElm.addChildElement(passwdElm);
            wsSecHeaderElm.addChildElement(userNameTokenElm);
            // Reuse the existing header if the message already has one
            SOAPHeader sh = envelope.getHeader();
            if (sh == null) {
                sh = envelope.addHeader();
            }
            sh.addChildElement(wsSecHeaderElm);
            context.getMessage().saveChanges();
        } catch (Exception e) {
            // Fail the call here rather than sending a request without the token
            throw new RuntimeException("Unable to add the WS-Security header", e);
        }
        return true;
    }

    // The remaining SOAPHandler methods (elided in the post); needed for the class to compile
    public Set<QName> getHeaders() {
        return Collections.emptySet();
    }

    public boolean handleFault(SOAPMessageContext context) {
        return true;
    }

    public void close(MessageContext context) {
    }
}

In this method, we create the Security element in the header of the SOAP request; on the server side it gets asserted successfully.
If the credentials are correct, your service will be executed; otherwise it will throw an exception saying that the username token cannot be validated.


The second way does not require any extra jars on the classpath, whereas for the first way you will need to add some WebLogic jars to the classpath in order to get it working.
The problem with the second way is that if you try to test it with the help of JDeveloper, you will get the following error:

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Unable to add security token for identity, token uri =http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:197)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:125)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)

If you analyze the stack trace carefully, you will notice that in this case JDeveloper uses classes from jars (Glassfish jars) which are not part of the JDK, and that is why you get the strange exception. If you run the same code from Eclipse or from the command line with just the JDK, it will work.
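A third way to exercise the same policy without any Java at all, added here as an example that is not part of the original post: build the envelope shown above and post it with curl. This is handy for confirming that the credentials and the policy are right before chasing a client-side classpath problem like the JDeveloper one above. The endpoint URL (SOAP_ENDPOINT), the environment variables holding the credentials (WS_USER, WS_PASSWORD) and the body element are assumptions. The script refuses non-https endpoints because PasswordText carries the password in clear inside the envelope and only TLS protects it on the wire.

```bash
#!/bin/bash
# Added example, not part of the original post: send the wsse:UsernameToken header with curl.
# Assumptions (hypothetical): SOAP_ENDPOINT is the https service URL, WS_USER/WS_PASSWORD hold
# the credentials, and the body element passed in is a placeholder for the real operation.
set -eu

# XML-escape a value before embedding it in the envelope (passwords may contain & < > ").
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Build a SOAP 1.1 envelope carrying a UsernameToken (PasswordText) for the given credentials.
# $1 = username, $2 = password, $3 = body XML (already well-formed)
soap_envelope_with_unt() {
  user="$(xml_escape "$1")"
  pass="$(xml_escape "$2")"
  body="$3"
  # wsu:Id only has to be unique within the message; 8 random bytes as hex is enough
  token_id="UsernameToken-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  cat <<EOF
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="${token_id}">
        <wsse:Username>${user}</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">${pass}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </S:Header>
  <S:Body>
    ${body}
  </S:Body>
</S:Envelope>
EOF
}

# POST the envelope to SOAP_ENDPOINT. Refuses plain http: the password is in clear in the XML.
# $1 = body XML
invoke_secured_service() {
  case "$SOAP_ENDPOINT" in
    https://*) ;;
    *) echo "refusing to send a clear-text password token to a non-TLS endpoint" >&2; return 2 ;;
  esac
  soap_envelope_with_unt "$WS_USER" "$WS_PASSWORD" "$1" |
    curl -sS --fail -H 'Content-Type: text/xml; charset=utf-8' -H 'SOAPAction: ""' \
         --data-binary @- "$SOAP_ENDPOINT"
}

# Usage (hypothetical operation and namespace):
#   SOAP_ENDPOINT=https://host:7002/SampleWebService WS_USER=administrator WS_PASSWORD='...' \
#     ./unt_client.sh   then   invoke_secured_service '<ns:callService xmlns:ns="urn:example"/>'
```

Because the envelope is produced by a function, the same script can also be pointed at a local file to eyeball the exact bytes a Java client should be generating, which is the quickest way to compare a failing handler's output with a known-good header.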

Thread analysis in weblogic on linux

This post will take you through a few Linux commands to get the process id and thread id of any executing thread in a process and find the piece of code which is responsible for high CPU usage.

This will be useful in cases where you have long-running transactions and want to know which part of the code is consuming the most CPU.
Follow the steps below:

1. Get the pid of the Java process of the WebLogic server running on the Linux machine:
ps -ef | grep java

Copy the id of the Java process.

2. Get the list of all the threads belonging to the above process:
top -H -p <pid>
top sorts the output in descending order of CPU utilization, so the first thread is the one using the most CPU.
Copy the id of the first thread.

3. Log in to the WebLogic Server Administration Console:
Go to Home > Summary of Servers > (serverName) > Monitoring > Threads > Dump Thread Stacks.

4. Search for the copied tid in the thread dump.
The following stack shows a thread with tid 32606 blocked on a fat lock. This stack was generated by the WebLogic socket thread and is for explanatory purposes only:

"ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'" id=24 idx=0x60 tid=32606 prio=5 alive, blocked, native_blocked, daemon
                -- Blocked trying to get lock: java/lang/String@0x86667f30[fat lock]
                at jrockit/vm/Threads.waitForUnblockSignal()V(Native Method)
                at jrockit/vm/Locks.fatLockBlockOrSpin(Locks.java:1411)[optimized]
                at jrockit/vm/Locks.lockFat(Locks.java:1512)[optimized]
                at jrockit/vm/Locks.monitorEnterSecondStageHard(Locks.java:1054)[optimized]
                at jrockit/vm/Locks.monitorEnterSecondStage(Locks.java:1005)[optimized]
                at jrockit/vm/Locks.monitorEnter(Locks.java:2179)[optimized]
                at weblogic/socket/EPollSocketMuxer.processSockets(EPollSocketMuxer.java:153)
                at weblogic/socket/SocketReaderRequest.run(SocketReaderRequest.java:29)
                at weblogic/socket/SocketReaderRequest.execute(SocketReaderRequest.java:42)
                at weblogic/kernel/ExecuteThread.execute(ExecuteThread.java:145)
                at weblogic/kernel/ExecuteThread.run(ExecuteThread.java:117)
                at jrockit/vm/RNI.c2java(JJJJJ)V(Native Method)
                -- end of trace
             
5. The stack corresponding to the tid is the piece of code where the CPU utilization is highest.


This way you can find out the piece of code which is responsible for high CPU usage and replace it with an improved version.
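Steps 2 and 4 above can be scripted. The helpers below are an added example that is not part of the original post: find_hot_tid picks the busiest thread id out of `top -H -b -n 1 -p <pid>` output and thread_stack pulls that thread's block out of a saved thread dump. Besides the JRockit `tid=<decimal>` header shown above, they also match the `nid=0x<hex>` form that a HotSpot JDK writes, which goes beyond the post. The sample top output and the sample dump are constructed for the example; their frames are borrowed from the stack shown above.

```bash
#!/bin/bash
# Added example, not part of the original post: locate the hot thread and its stack.
set -eu

# Read `top -H -b -n 1 -p <pid>` output on stdin and print the thread id with the highest %CPU.
# Only rows whose first field is numeric (the PID column, which is the thread id under -H)
# count; %CPU is the 9th field in top's default batch layout.
find_hot_tid() {
  awk 'BEGIN { max = -1 }
       $1 ~ /^[0-9]+$/ && $9 ~ /^[0-9.]+$/ { if ($9 + 0 > max) { max = $9 + 0; tid = $1 } }
       END { if (max >= 0) print tid }'
}

# Print one thread's block from a dump file: from the header line (starts with a quote and
# carries tid=<dec>, JRockit, or nid=0x<hex>, HotSpot) down to the next blank line.
# $1 = dump file, $2 = decimal thread id as shown by top
thread_stack() {
  dump="$1"; tid="$2"
  hex="$(printf '0x%x' "$tid")"
  awk -v dec="tid=$tid " -v hex="nid=$hex " '
    /^"/               { printing = (index($0, dec) > 0 || index($0, hex) > 0) }
    printing           { print }
    /^[[:space:]]*$/   { printing = 0 }
  ' "$dump"
}

# End to end: hottest thread of a live pid, then its stack from a dump saved from the console.
# $1 = pid of the WebLogic java process, $2 = thread dump file
hot_thread_stack() {
  tid="$(top -H -b -n 1 -p "$1" | find_hot_tid)"
  echo "hottest thread of pid $1 is tid $tid" >&2
  thread_stack "$2" "$tid"
}

# Constructed sample of `top -H -b -n 1 -p 32590` output; thread 32606 is the hot one.
sample_top_output() {
  cat <<'EOF'
top - 10:15:32 up 3 days,  2:11,  1 user,  load average: 2.10, 1.80, 1.50
Threads:  84 total,   2 running,  82 sleeping,   0 stopped,   0 zombie
%Cpu(s): 48.0 us,  2.0 sy,  0.0 ni, 50.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
32606 weblogic  20   0 4217892 1.2g  18432 R 92.4  7.6   5:12.33 java
32590 weblogic  20   0 4217892 1.2g  18432 S  3.1  7.6   0:48.10 java
32611 weblogic  20   0 4217892 1.2g  18432 S  0.7  7.6   0:03.02 java
EOF
}

# Constructed sample dump: two JRockit-style blocks (frames from the post) and one
# HotSpot-style block whose nid=0x7f70 is thread 32624 in decimal.
sample_thread_dump() {
  cat <<'EOF'
"ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'" id=24 idx=0x60 tid=32606 prio=5 alive, blocked, native_blocked, daemon
    -- Blocked trying to get lock: java/lang/String@0x86667f30[fat lock]
    at jrockit/vm/Threads.waitForUnblockSignal()V(Native Method)
    at weblogic/socket/EPollSocketMuxer.processSockets(EPollSocketMuxer.java:153)
    at weblogic/kernel/ExecuteThread.run(ExecuteThread.java:117)
    -- end of trace

"ExecuteThread: '1' for queue: 'weblogic.socket.Muxer'" id=25 idx=0x64 tid=32611 prio=5 alive, in native, daemon
    at weblogic/kernel/ExecuteThread.run(ExecuteThread.java:117)
    -- end of trace

"[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'" daemon prio=5 tid=0x00007f1a4c0a9000 nid=0x7f70 runnable [0x00007f19e8ff9000]
   java.lang.Thread.State: RUNNABLE
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
EOF
}

# Demo on the constructed samples: ./hot_thread.sh demo
if [ "${1:-}" = "demo" ]; then
  f="$(mktemp)"; sample_thread_dump > "$f"
  thread_stack "$f" "$(sample_top_output | find_hot_tid)"
  rm -f "$f"
fi
```

With a real server, save the console's thread dump to a file and call hot_thread_stack <pid> <file>; because the hot thread is re-read from top each time, the two should be captured close together, since a thread that was busy when top sampled may already be idle in a dump taken a minute later.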

OIM 11.1.2.0.0 (11gR2) API - UserManager

In this post, I will explain the UserManager service API provided by Oracle Identity Manager 11.1.2.0.0 (11gR2). The OIM API can be used to develop clients which communicate with OIM to perform various operations on OIM objects.

OIM supports two ways by which clients can be developed. They are:
1.    oracle.iam.platform.OIMClient
2.    Thor.API.tcUtilityFactory

The Thor.API.tcUtilityFactory API was supported in previous versions of OIM and is still provided in the latest releases. But oracle.iam.platform.OIMClient is recommended by Oracle and should be preferred over tcUtilityFactory, as it provides a more robust way to build clients.
Here I will give you a few code snippets which are used to connect to the OIM server and perform operations on OIM objects.

  1. Setup
    • Copy <IDM_HOME>/server/client/oimclient.zip to the local machine and extract the zip file. The extracted folder contains conf, lib and oimclient.jar.
    • Add oimclient.jar and the libraries from the lib folder to the classpath of the client project. The project should have the following jars in the classpath:
      • commons-logging.jar
      • spring.jar
      • oimclient.jar
      • jrf-api.jar
      • wlfullclient.jar
        Generation of wlfullclient.jar is explained at this location: http://docs.oracle.com/cd/E12840_01/wls/docs103/client/jarbuilder.html
    • Make sure JDK 1.6 and ANT 1.7 are present.

  2. Initialize
    • Create an OIMClient instance by preparing the environment:

                Hashtable<Object, Object> env = new Hashtable<Object, Object>();
                env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
                env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://localhost:14000");
                System.setProperty("java.security.auth.login.config", "/home/ganesh/com.gsk.oim/config/authwl.conf");
                System.setProperty("OIM.AppServerType", "wls");
                System.setProperty("APPSERVER_TYPE", "wls");
                OIMClient oimClient = new OIMClient(env);

  3. Login
    • Once OIMClient is instantiated, the instance is used to log in by providing the correct username and password. The login() method throws LoginException if the login is unsuccessful:

                oimClient.login("xelsysadm", "Welcome1".toCharArray(), env);

  4. Lookup UserManager Service
    • UserManager is the service class which is mainly used to perform the various user operations. It can be instantiated in the following manner:

                UserManager userManager = oimClient.getService(UserManager.class);

    On creation of the userManager instance, we have an object which can connect to and make changes in the OIM server. I will discuss a few basic scenarios which are widely used by OIM clients:

    • User Creation
    As I said earlier, UserManager is the instance which is used to perform, as the name suggests, user-specific actions. To create a user, we must pass an oracle.iam.identity.usermgmt.vo.User object to UserManager's create method. The User constructor takes a user id and a HashMap of user attributes as input. The following code snippet shows user creation:

            // Imports used by the snippets in this post
            import java.util.HashMap;
            import oracle.iam.identity.usermgmt.api.UserManager;
            import oracle.iam.identity.usermgmt.vo.User;
            import oracle.iam.identity.usermgmt.vo.UserManagerResult;

            // The login id is used both as the "User Login" attribute and as the id of the User object
            String userId = "Ganesh";
            HashMap<String, Object> userAttributeValueMap = new HashMap<String, Object>();
            userAttributeValueMap.put("act_key", new Long(1));   // key of the organization the user belongs to
            userAttributeValueMap.put("User Login", userId);
            userAttributeValueMap.put("First Name", "Ganesh");
            userAttributeValueMap.put("Last Name", "Kamble");
            userAttributeValueMap.put("Email", "ganesh.kamble@abc.com");
            userAttributeValueMap.put("usr_password", "P1ssword");
            userAttributeValueMap.put("Role", "OTHER");
            User user = new User(userId, userAttributeValueMap);
            UserManagerResult result = userManager.create(user);
            // result.getStatus() reports the outcome of the create

        Here we have created a userAttributeValueMap which stores the mandatory attributes required for user creation through the OIM API. The User object is created using a unique id and the HashMap. We pass this User object to the UserManager.create(user) method. It returns a UserManagerResult; we can verify the status by using the UserManagerResult.getStatus() method.

    • User Retrieval
        To retrieve the details of a user, UserManager provides several methods named getDetails(), distinguished by their input parameters. I will take the one which takes as input a user id, a set of attribute names to be returned for the user, and a boolean flag specifying whether the user id is the user login. If an empty Set is given as input, the method returns all the attributes of the user.

            Set<String> resAttrs = new HashSet<String>();   // empty set: return every attribute
            User user = userManager.getDetails("Ganesh", resAttrs, true);


    • User Update
         UserManager provides methods named modify() to update user details in OIM. I will talk about the method which takes a User object as input. In the following code snippet, I have retrieved the user with the login id "Ganesh" and updated it with the changed user attributes:

            String userId = "Ganesh";
            Set<String> resAttrs = new HashSet<String>();
            User retrievedUser = userManager.getDetails(userId, resAttrs, true);

            HashMap<String, Object> userAttributeValueMap = new HashMap<String, Object>();
            userAttributeValueMap.put("act_key", new Long(1));
            userAttributeValueMap.put("User Login", userId);
            userAttributeValueMap.put("First Name", "Ganesh");
            userAttributeValueMap.put("Last Name", "Kamble");
            userAttributeValueMap.put("Email", "ganesh.kamble@xyz.com");
            userAttributeValueMap.put("usr_password", "P@ssword");
            userAttributeValueMap.put("Role", "Other");

            // The id of the User passed to modify() is the existing login, so OIM knows which user to update
            User user = new User((String) retrievedUser.getAttribute("User Login"), userAttributeValueMap);
            UserManagerResult result = userManager.modify(user);


    • User Search
    OIM provides support for searching users based on particular criteria. We build a SearchCriteria describing which users should be returned and pass the SearchCriteria instance to the UserManager.search() method as shown below:

            // oracle.iam.platform.entitymgr.vo.SearchCriteria
            SearchCriteria searchCriteria = new SearchCriteria("Email", "ganesh.kamble@xyz.com", SearchCriteria.Operator.EQUAL);
            Set<String> attrNames = null;   // attribute names to return for each user
            HashMap<String, Object> mapParams = new HashMap<String, Object>();
            mapParams.put("STARTROW", 0);
            mapParams.put("ENDROW", 1);
            List<User> users = userManager.search(searchCriteria, attrNames, mapParams);

         Here I have prepared a SearchCriteria which states that the Email of the user should be EQUAL to ganesh.kamble@xyz.com. mapParams are the configuration parameters which allow a more granular search. They can be STARTROW, ENDROW, SORTEDBY and SORTORDER. Here I have used STARTROW and ENDROW, which indicate which subset of the complete result should be fetched. SORTEDBY sorts the result by User Login by default; it can be changed to the desired attribute. SORTORDER can be SortOrder.DESCENDING or SortOrder.ASCENDING, the latter being the default.

    • Lock/Unlock User Account
    The following methods lock and unlock a particular user account.

            userManager.lock(userId, true, true);

        Here the first parameter is the id of the user to be locked. The second parameter indicates whether it is a manual lock (true) or a system lock (false). The third parameter indicates whether the userId is the User Login id.

            userManager.unlock(userId, true);

        Here the first parameter is the id of the user to be unlocked. The second parameter is true if the userId is the User Login id.



        In this post, I have tried to cover some basic operations on the User entity. Each of the above operations comes in different flavours. You can find the entire set of OIM APIs at this location: http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/toc.htm . Detailed information on how to use the API is given at this location: http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/apis.htm#BCFGCGHI .

        The set of attributes which OIM understands is given below. These attributes can be passed in the HashMap as input; they are also what is returned when you query a user.

        [ FA Territory, Employee Number, Middle Name, Manually Locked, usr_disabled, Display Name, LDAP Organization, usr_locked, Currency, Time Format, usr_created, usr_deprovisioning_date, Full Name, Country, Accessibility Mode, usr_pwd_expire_date, usr_pwd_cant_change, Email, usr_data_level, Automatically Delete On, Locked On, usr_login_attempts_ctr, Last Name, First Name, Locality Name, usr_policy_update, Street, Embedded Help, Department Number, usr_createby, usr_pwd_warned, Manager Login, Telephone Number, Manager First Name, usr_updateby, Home Phone, LDAP Organization Unit, usr_pwd_min_age_date, User Login, Title, Role, FA Language, Password Generated, usr_provisioning_date, usr_pwd_warn_date, Organization Name, usr_locale, usr_update, Date Format, usr_timezone, Mobile, usr_pwd_reset_attempts_ctr, End Date, Pager, usr_deprovisioned_date, Color Contrast, PO Box, usr_create, LDAP GUID, Xellerate Type, usr_change_pwd_at_next_logon, usr_provisioned_date, Common Name, Start Date, usr_manager_key, Number Format, usr_pwd_expired, Hire Date, User Name Preferred Language, Home Postal Address, Font Size, Manager Last Name, Description, Fax, Postal Code, act_key, usr_key, Common Name Generated, Status, Generation Qualifier, Postal Address, State, Manager Display Name, usr_pwd_never_expires, Initials, usr_pwd_must_change, LDAP DN ]

Wednesday, 19 August 2015

Oracle Identity & Access Management Domain Environment Setup

Environment : VirtualBox - OEL 6.5 + Docs to configure.
70 GB HDD - 16GB RAM - i3 2nd Gen Processor
2 users - oracle, weblogic
/stage - all products unzipped
/d01 - empty, install all IDM products
/u01 - empty, install only DB
Pre-req : https://www.youtube.com/watch?v=sbVIEQgrU2k
Oracle Identity And Access Management 11.1.2.2
A) Installation : 10+ products, 3-4 days  #Bible for installation is the certification matrix
Right version, how to install?
1. DB 11.2.0.1 - Install, Create, Tune and create listener
A) Install the DB
#xhost + #enable the X session
su - oracle
cd /stage/database
./runInstaller
B) Create the DB
#xhost + #enable the X session
su - oracle
dbca
C) Create Listener
#xhost + #enable the X session
su - oracle
netca
D) Tune the DB - 4 parameters are mandatory
1. open_cursors : 1000
2. processes : 1000
3. sessions : 1000+
4. DB Character Set : AL32UTF8
SQL> alter system set open_cursors=1500 scope=spfile;  #
2 docs : performance tuning docs for OIM/OAM - N/W, OS, DB, ApplicationServer, OIM/OAM
Checkpoint : DB is ready for RCU
2. RCU 11.1.2.1 #sys/Oracle123
Pre-req : DB + Listener must be up and running.
-> RCU creates DB schemas for FMW products
-> A schema is a DB user, or a collection of DB objects (table, Seq, SP, Func, etc..)
#xhost +
su - oracle
cd /stage/rcu11.1.2.2/rcuHome/bin/
./rcu
Select 3 Components :
OID : ODS - ODSSM(ODSM)
OIM : DEV_OIM, DEV_MDS, DEV_OPSS, DEV_SOAINFRA, DEV_ORASDPM
OAM : DEV_OAM, DEV_IAU
Checkpoint : DB is ready with all schemas and can be integrated with OIM/OAM …
3. weblogic 10.3.6 (wls1036_generic.jar - 32-bit JDK - Sun JDK, JRockit JDK, Limitation - 4 GB of JVM Heap Size) using
custom JDK 1.6 update35+ (64-bit JDK - Sun, JRockit, 32 GB JVM Heap Size)
#xhost
su - weblogic
cd /stage
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
java -version
which java
java -jar wls1036_generic.jar
4. SOA Suite 11.1.1.7
#xhost
su - weblogic
cd /stage/soa11.1.1.7/Disk1
./runInstaller
/stage/jdk1.6.0_35/
oracle_common : reference of all products.
Oracle_SOA1
Oracle BPEL PM, Mediator, Rules, B2B, Human Workflow
Oracle Business Activity Monitoring (BAM)
Oracle Enterprise Manager
Install 11 interim patches on SOA Suite, required for OIM
Note : the patches bundle will be available in iamSuite.
cd /stage/iamSuite11.1.2.2/Disk1
ls OIM_11.1.2.2_SOAPS6_PREREQS.zip
mkdir -p /stage/SOA_INTERIM_PATCHES
unzip -d /stage/SOA_INTERIM_PATCHES OIM_11.1.2.2_SOAPS6_PREREQS.zip
cd /stage/SOA_INTERIM_PATCHES/SOAPATCH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_SOA1/
export PATH=$ORACLE_HOME/OPatch:$PATH
opatch lsinventory
opatch napply
opatch lsinventory
5. IDM Suite (OID/OVD/ODSM) 11.1.1.7
#xhost
su - weblogic
cd /stage/idmSuite11.1.1.7/Disk1
./runInstaller
Oracle_IDM1
Oracle Internet Directory : Built in C language, LDAP Server/Directory Server
Oracle Directory Integration Platform : AD <=> OID - Ebiz, OAM - AD, OID, OUD
Oracle Virtual Directory : LDAP Server, Virtualization, Holistic view of data, it never stores data.
Oracle Identity Federation : (FB(ABC Ent- 1,2,3,4..) => ABC Ent(1,2,3,4..))
Oracle HTTP Server : Internally used by OIF and OVD.
Oracle Directory Service Manager : J2EE app to monitor and work on OID/OVD.
Enterprise Manager : Control the OID/OVD.
6. IAMSuite (OIM/OAM) 11.1.2.2
#xhost
su - weblogic
cd /stage/iamSuite11.1.2.2/Disk1
./runInstaller
/stage/jdk1.6.0_35
Oracle_IAM1
Oracle Identity Manager Server : J2EE
Oracle Identity Manager Design Console : Swing-based OIM client
Oracle Identity Manager Remote Manager : for legacy apps which do not support any protocol; this component needs to be installed there.
Oracle Access Manager : SSO, coarse-grained AuthZ
Oracle Identity Navigator : part of OPAM
Oracle Adaptive Access Manager : Bharosa, banking, Virtual Keyboard, OTP, Device/IP fingerprinting.
Oracle Access Management Mobile and Social : Mobile (iOS, Android), social (FB, TW, LI, Google..)
Oracle Privileged Account Manager : OPAM+OIN, shared password management utility (DBA, system admins)
Oracle Entitlement Server : Fine-grained AuthZ, embedded in OIM.
Oracle Security Solutions:
A) Identity Governance Suite
OIM+(OES), OIA, OPAM+OIN
B) Access Management Suite
OAM, OIF, OAAM, eSSO
C) Directory Services Suite
OID, ODSEE, OVD, OUD
D) DB Security
Core DBA
E) Cloud Security
SOA 12c
7. OHS 11.1.1.6/7 #supported web servers for OAM - Apache, iPlanet, IHS, OTD, IIS.
#xhost
su - weblogic
cd /stage/ohs11.1.1.6/Disk1
./runInstaller
Oracle_WT1
Oracle Process Manager Notification (OPMN)
Oracle HTTP Server (OHS)
Oracle Web Cache #not applicable on OAM.
DB <= ApplicationServer <= webserver (static contents from file system) + WebCache (static contents from cache) <= End User
OBE Webgate Link : http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/web_cache/11g/r1/wc_ohs/wc_ohs.htm
Note : Can call it WebTier, OHS Server, Webserver
8. Webgate 11.1.2.2 #Webgates are specific to their respective web servers; this is the OHS server Webgate
#xhost
su - weblogic
cd /stage/webgate11.1.2.2/Disk1/
./runInstaller
/stage/jdk1.6.0_35/
Oracle_OAMWebGate11gR2
Note : the web server and the respective agent must be on the same host and in the same MW_HOME.
9. OUD 11.1.2.2 (OID - [DB, Replication Topology], ODSEE - [application server, user base is larger than OID], OVD - [DB, WS, LDAP Servers], OUD - [Standalone J2EE application, Replication Topology, 1 Billion User Entries, Supports Virtual Profiles (OVD) for DB, LDAP Servers, WS])
#xhost
su - weblogic
cd /stage/OUD_11.1.2/Disk1/
./runInstaller
10. OBIEE - BI Publisher (reporting) #Doc with snapshot
#xhost
su - weblogic
cd /stage/*/Disk1
./runInstaller
Cluster :
=========
2 node cluster setup
Node 1 - Node 2
1. All versions must be the same.
2. All directory structures and ORACLE_HOME names must be the same.
3. The timestamp must be the same on both nodes. (NTP Server - Time Server; on all nodes the time is synced from this time server.)
    B) Configuration & Integration Phase 2 days
    Pre-req : DB and Listener must be started
    1. IDMDomain(ODSM) + OID and OVD Instance
    #xhost +
    #su – weblogic
    cd /d01/Weblogic/FMW/Oracle_IDM1/bin
    ./config.sh
    A) Create a domain – IDMDomain(AS, wls_ods1[ODSM]) + oid_ovd_instance1 #Node1 – clustered
    B) Extend the existing domain – Add Ons – ODIP, OIF
    C) Expand Cluster – In  a cluster environment, this option need to be selected on node2
    D) Configure without a domain. – oid_ovd_instance1
    Note : for port customization of OID/OVD/AS/MS – go to => /stage/idmSuite11.1.1.7/Disk1/stage/Response – staticports.ini , copy it to some other location and modify.
    2. Work on ODSM – OID/OVD
    How to start the OID/OVD/ODSM Stack :
    1. start the DB + Listener
    #su – oracle
    . oraenv
    IDMDB11g
    sqlplus ‘/as sysdba’
    SQL> startup
    SQL> exit
    lsnrctl start LISTENER
    exit #logout as oracle
    su – weblogic
    cd /d01/Weblogic/FMW/oid_ovd_instance1/bin
    ./opmnctl startall/stopall/status/ status -l/ stopproc/startproc ias-component=oid1/ovd1/EMAGENT
    #start the AdminServer and ManagedServer
    #create boot.properties files , is a one time activity
    cd /d01/Weblogic/FMW/user_projects/domains/IDMDomain/servers/AdminServer/security
    vi boot.properties
    username=weblogic
    password=Oracle123
    cd /d01/Weblogic/FMW/user_projects/domains/IDMDomain/servers/wls_ods1/security
    vi boot.properties
    username=weblogic
    password=Oracle123
    cd /d01/Weblogic/FMW/user_projects/domains/IDMDomain/bin/
    nohup ./startWebLogic.sh &
    tail -f nohup.out
    nohup ./startManagedWebLogic.sh wls_ods1 &
    tail -f nohup.out
Alternatively, Managed Servers can also be started using Node Manager; for that, start the Node Manager first:
    cd /d01/Weblogic/FMW/wlserver_10.3/server/bin
    nohup ./startNodeManager.sh &
Note : The machine status must be Reachable, then you can start the Managed Servers.
    #server states : http://docs.oracle.com/cd/E13222_01/wls/docs81/adminguide/overview_lifecycle.html
    3. using ODSM – create adapter in OVD
    4. Extend the OID[OUD,AD, ODSEE] Schema – attributes, object classes
    A) Extend the OID schema for OIM and OAM
su - weblogic
    mkdir -p /stage/scripts
    cd /stage/scripts
    vi extend.props #OID Specific
    IDSTORE_HOST : idm.oraclefusion4all.com
    IDSTORE_PORT :3060
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
    IDSTORE_SEARCHBASE: dc=oid,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
    export MW_HOME=/d01/Weblogic/FMW/
    export JAVA_HOME=/stage/jdk1.6.0_35
    export PATH=$JAVA_HOME/bin:$PATH
    export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_IAM1
    export IDM_HOME=/d01/Weblogic/FMW/Oracle_IDM1
    cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
    ./idmConfigTool.sh -preConfigIDStore input_file=/stage/scripts/extend.props
    B) Create OIM Specific user/group schema in OID #xelsysadm/Oracle123
    cd /stage/scripts
    vi oim.props
    IDSTORE_HOST : idm.oraclefusion4all.com
    IDSTORE_PORT : 3060
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE:cn=Users,dc=oid,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
    IDSTORE_SEARCHBASE: dc=oid,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
    IDSTORE_OIMADMINUSER: oimadmin
    IDSTORE_OIMADMINGROUP:OIMAdministrators
    cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
    ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/stage/scripts/oim.props
    C) Create OAM Specific user/group schema in OID #oamadmin/Oracle123
    vi  /stage/scripts/preconfigOAMPropertyFile.rsp
    IDSTORE_HOST : idm.oraclefusion4all.com
    IDSTORE_PORT : 3060
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
    IDSTORE_SEARCHBASE: dc=oid,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
    IDSTORE_OAMSOFTWAREUSER:oamLDAP
    IDSTORE_OAMADMINUSER:oamadmin
    cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
    ./idmConfigTool.sh -prepareIDStore mode=OAM input_file=/stage/scripts/preconfigOAMPropertyFile.rsp
    Checkpoint : OID can be integrated via OVD with OIM and OAM.
    5. IAMDomain(AdminServer, oim_server1 , oam_server1, soa_server1)
    pre-req : DB + Listener
    #xhost +
su - weblogic
    cd /d01/Weblogic/FMW/oracle_common/common/bin
    ./config.sh
OIM/OAM #soa_server1 will be selected automatically.
Note : Do not start the AdminServer or Managed Servers yet. #AS/MS ==> OPSS(Nothing) ==> Fail.
    6. Upgrade the OPSS schema #specific to PS2 11.1.2.2
su - weblogic
    cd /d01/Weblogic/FMW/oracle_common/bin
    ./psa
7. Create the DB Security Store (OPSS)
    cd /d01/Weblogic/FMW/oracle_common/common/bin
    ./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m create -p <OPSS Schema Password>
    AS/MS ==> OPSS(Internal Audit Store + Credential Store) ==> Success.
    Troubleshoot : Validate the DB Security Store : ./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m validate
    Checkpoint : Now AdminServer and ManagedServers of IAM can be started.
    Create boot.properties files for IAMDomain.
    mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/AdminServer/security
    mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/soa_server1/security
    mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/oim_server1/security
    mkdir -p /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/oam_server1/security
    cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/AdminServer/security
    vi boot.properties
    username=weblogic
    password=Oracle123
Copy the file to the security folder of every Managed Server.
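These boot.properties files hold the WebLogic credentials in clear text until the server's first start encrypts them. The following is an added example, not part of the original notes: a shell script that creates the file for every server of IAMDomain with owner-only permissions and takes the password from the environment instead of hardcoding it. The domain path and server names are the notes' own; WLS_BOOT_PASSWORD is a variable name chosen for this example.

```shell
#!/bin/sh
# Added example: create boot.properties for every server of a WebLogic domain
# with owner-only permissions. Paths and server names follow the notes above;
# the WLS_BOOT_PASSWORD variable name is this example's own convention.

# write_boot_properties DOMAIN_HOME USER PASSWORD SERVER...
# Creates <DOMAIN_HOME>/servers/<SERVER>/security/boot.properties for each
# server with mode 0600, so other OS accounts cannot read the clear-text
# password before WebLogic encrypts the file on first start.
write_boot_properties() {
    domain_home=$1; user=$2; password=$3
    shift 3
    for server in "$@"; do
        sec_dir="$domain_home/servers/$server/security"
        mkdir -p "$sec_dir"
        # umask 077 makes the file 0600 at creation time, not after the fact
        ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$password" \
            > "$sec_dir/boot.properties" )
        chmod 600 "$sec_dir/boot.properties"
    done
}

# check_boot_properties DOMAIN_HOME SERVER...
# Returns 0 when every server has a boot.properties readable only by its
# owner; prints the offending files otherwise (a quick post-install check).
check_boot_properties() {
    domain_home=$1; shift
    rc=0
    for server in "$@"; do
        f="$domain_home/servers/$server/security/boot.properties"
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            600) ;;
            *) echo "too permissive ($mode): $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the notes' IAMDomain (password comes from the environment, not the script):
#   WLS_BOOT_PASSWORD=... write_boot_properties \
#       /d01/Weblogic/FMW/user_projects/domains/IAMDomain weblogic "$WLS_BOOT_PASSWORD" \
#       AdminServer soa_server1 oim_server1 oam_server1
#   check_boot_properties /d01/Weblogic/FMW/user_projects/domains/IAMDomain \
#       AdminServer soa_server1 oim_server1 oam_server1
```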
    8. Start Servers(DB, Listener, oid_ovd_instance1, AdminServer, soa_server1) – server life cycle
    cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/bin
    nohup ./startWebLogic.sh &
    nohup ./startManagedWebLogic.sh soa_server1 &
    9. configure the OIM – LDAP Sync
su - weblogic
    cd /d01/Weblogic/FMW/Oracle_IAM1/bin
    ./config.sh
Note : Instead of ODSM, an LDAP browser can be used – http://jxplorer.org/downloads/users.html
    cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/bin
    nohup ./startManagedWebLogic.sh oim_server1 &
    ===>
    C) OIM Administration –
    1. Consoles :
    A) OIM
    1. Identity Self Service #All enterprise users(2000)
    http://idm.luckyfusion.com:14000/oim or http://idm.luckyfusion.com:14000/identity
    xelsysadm/Oracle123
    2. Sysadmin Console #only System Administrator Role members are allowed to access this console
    http://idm.luckyfusion.com:14000/sysadmin
    xelsysadm/Oracle123
    3. Design Console #Swing Based OIM Client
    Configure :
    xhost +
su - weblogic
    cd /d01/Weblogic/FMW/wlserver_10.3/server/lib
    export JAVA_HOME=/stage/jdk1.6.0_35/
    export PATH=$JAVA_HOME/bin:$PATH
    java -jar wljarbuilder.jar
=> this generates wlfullclient.jar, which needs to be copied to /d01/Weblogic/FMW/Oracle_IAM1/designconsole/ext
    cp wlfullclient.jar /d01/Weblogic/FMW/Oracle_IAM1/designconsole/ext/
    ==
    cd /d01/Weblogic/FMW/Oracle_IAM1/designconsole/
    ./xlclient.sh
    B) SOA
    1. BPM Worklist App Console #Nothing but OIM INBOX
    http://idm.luckyfusion.com:8001/integration/worklistapp
    2. SOA-INFRA Console #to observe deployed composites.
    http://idm.luckyfusion.com:8001/soa-infra/
    weblogic/Oracle123
    3. SOA Composer Console #Modify Business Rule of Disconnected Resources(OIM)
    http://idm.luckyfusion.com:8001/soa/composer
    weblogic/Oracle123
    2. LDAP Sync #only needed for SSO purposes.
    Use case : HRMS(2000)===> {OIM(2000) <===> OID/OVD[2000]} <== OAM
What : All OIM users, roles, user-to-role memberships, the role hierarchy and new user registrations are synced into OID/OVD automatically.
    How & Troubleshoot :
    Login to sysadmin console => Click On IT Resource => “Directory Server”
    3. Bulk Load Utility :
(Users, Roles, Role Categories, Role Membership, Role Hierarchy, Account) from .csv files or a DB table.
su - weblogic
    cd /d01/Weblogic/FMW/Oracle_IAM1/server/db/oim/oracle/Utilities/oimbulkload
    prepare csv files
    export JAVA_HOME=/stage/jdk1.6.0_35/
    export PATH=$JAVA_HOME/bin:$PATH
    cd /d01/Weblogic/FMW/Oracle_IAM1/server/db/oim/oracle/Utilities/oimbulkload/scripts
    ./oim_blkld.sh
    => ORACLE_HOME : /u01/app/oracle/product/11.2.0/dbhome_1/
    => //idm.oraclefusion4all.com:1521/IDMDB11g
    => DEV_OIM
    ROLE_CATEGORY_NAME
    Q&A
    Users ==> Trusted Recon, BLKLD
4. Create trusted app and target app # independent lab activity; in a real project this is not expected.
    A) OUD Instance 1(Trusted App – 2000 Users)
su - weblogic
    cd /d01/Weblogic/FMW/Oracle_OUD1/
    export JAVA_HOME=/stage/jdk1.6.0_35/
    export PATH=$JAVA_HOME/bin:$PATH
    ./oud-setup
    #asinst_1
    idm.oraclefusion4all.com
    1389
    cn=Directory Manager
    Oracle123
    dc=trusted,dc=com
    Users : 2000
    B) OUD Instance 2 (Target App – 0 User)
    #asinst_2
    idm.oraclefusion4all.com
    2389
    cn=Directory Manager
    Oracle123
    dc=target,dc=com
    Users : 0
    Checkpoint : Trusted and Target is there now for OIM.
Discussion on Connector Bundle and identifying the right connector (ldap):
    5. Install the right connector
    http://idm.luckyfusion.com:14000/sysadmin
    xelsysadm/Oracle123
Note : Make sure, before installation, the connector bundle (OID-11.1.1.6.0) is copied to /d01/Weblogic/FMW/Oracle_IAM1/server/ConnectorDefaultDirectory
    Manage Connector => Install => Select the connector and click on load and continue :
    – Configuration of Connector Libraries
    – Import of Connector XML Files (Using Deployment Manager)
    – Compilation of Adapter Definitions
    6. Create IT Resources (Connection object to target App[s] and trusted application)
    http://idm.luckyfusion.com:14000/sysadmin
    xelsysadm/Oracle123
    IT Resource :
    A) TrustedAppITRes
baseContexts : "dc=trusted,dc=com"
    Configuration Lookup : Lookup.LDAP.OUD.Configuration.Trusted
    Connector Server Name :
    credentials : Oracle123
    failover :
    host : idm.oraclefusion4all.com
    port : 1389
    principal : cn=Directory Manager
    ssl : false
    B) TargetAppITRes
baseContexts : "dc=target,dc=com"
    Configuration Lookup : Lookup.LDAP.OUD.Configuration
    Connector Server Name :
    credentials : Oracle123
    failover :
    host : idm.oraclefusion4all.com
    port : 2389
    principal : cn=Directory Manager
    ssl : false
    7. Trusted Reconciliation
pre-req : Install the right connector and create an IT Resource to connect to the trusted app, i.e. the HRMS system.
    HR People : Create, Delete, Modify – Horizontal or vertical
    http://idm.luckyfusion.com:14000/sysadmin
    Scheduler => *trusted*
    1. LDAP Connector Trusted User Reconciliation (TrustedAppITRes) #Create/Modify
2. LDAP Connector Trusted User Delete Reconciliation (TrustedAppITRes) #Delete-3/Rogue User
    8. Provisioning Configuration
    Create/delete/modify/enable/disable
A) Identify the target application, install the connector, create IT Resource
    http://idm.luckyfusion.com:14000/sysadmin/
    xelsysadm/Oracle123
    B) Create Sandbox
    C) Create Application Instance – Collection of Resource Object and IT Resource.
    D) Create Object Form using Form Designer and create Application Instance.
    E) Publish the sandbox
    F) Create lookup configuration
Scheduler = “LDAP Connector OU Lookup Reconciliation”
    9. Direct Provisioning
    Use Case :
    Only System Administrator – Ad-hoc
    10. Auto/Criteria Based provisioning
    Use Case : Email Server
    Use Case : Any User[s](Org – Finance and/or Country = US) ==> Target App[s]
    Steps :
    1. Create a Role
    2. membership rule on top of the role
    3. Create Access Policy(Combination of Role[s] and Resource[s])
    Login to http://idm.luckyfusion.com:14000/sysadmin
    xelsysadm/Oracle123
    Access Policies => Create Access Policy
Note : the “Evaluate User Policies” job runs every 10 mins, so either wait for it or run it manually.
    4. Observe the Auto/Criteria provisioning
    11. Request Based Provisioning
    e.g. Training
    Entities :
    1. Requester
    2. Catalog Items
    3. Beneficiary
    4. Request level management = Beneficiary’s Management Line
    5. Operational level Management = Catalog Item Approver’s Management Line
6. Route Slip – if any approver is not active, the task is assigned to weblogic for corrective action.
    SOA :  2 soa composites
    1) Request level approval : Beneficiary’s Management Line
    2) Operational Level Approval : Catalog Item Approver’s Management Line
    OIM :
    http://idm.luckyfusion.com:14000/sysadmin
    Approval Policies =
    Create 2 approval policies
    note : based on each request type, create request level and operational level AP.
    1) Request level approval :
    2) Operational Level Approval
    Life Cycle –
    12. Auto provisioning with Request based provisioning
    Use Case : User(US,Finance) => Unless Manager approves => OUD Target.
    A) Modify the access policy – With Approval = Yes
    B) Create 2 set of Approval Policies
    request type : Access Policy Based Application Instance Provisioning.
    Life Cycle :
    13. Proxy :
    Manager is on leave 15 days
    Restriction :
    A) No date overlap in multiple proxies
B) A proxy cannot set another user as proxy for the specified dates.
14. Target Reconciliation #updates the process form associated with the account.
Update the process form with the modified information from the target.
    http://idm.luckyfusion.com:14000/sysadmin
Scheduler :
    “LDAP Connector User Search Reconciliation” – create/modify
    “LDAP Connector User Search Delete Reconciliation” – delete
    15. Disconnected Application Instance or Disconnected Resources
    Use Case : H/W Devices, e.g. – Server Room Biometric Card
    Combination of request based provisioning + Disconnected Workflow
    Practical Steps :
    A) Create Sandbox
    B) Create Disconnected Application Instance
    C) Modify the object form for additional attributes specific to H/W Device
    D) Publish the sandbox
    Optionally create 2 set of approval policies for request type “Provision to Application Instance”
    E) Modify the business rule for Fulfillment user/role details using SOA Composer.
    http://idm.luckyfusion.com:8001/soa/composer
    weblogic/Oracle123
    modify the business rule for disconnected composite.
    Life Cycle of disconnected resource.
    Entitlement Configuration :
    Group, responsibility on target application.
    ==
    On target app : Create groups
    Step 1.
    cd /stage/scripts
    vi OUD_TargetEntitlement.ldif
dn: cn=Groups,dc=target,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Accounts Payable Administrator,cn=Groups,dc=target,dc=com
cn: Accounts Payable Administrator
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=Accounts Payable User,cn=Groups,dc=target,dc=com
cn: Accounts Payable User
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=BI Publisher Users,cn=Groups,dc=target,dc=com
cn: BI Publisher Users
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=San Francisco Users,cn=Groups,dc=target,dc=com
cn: San Francisco Users
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: cn=USER.1000,ou=People,dc=target,dc=com
    Step 2. Create groups in OUD, using LDIF file
    cd /d01/Weblogic/FMW/asinst_2/OUD/bin
./ldapmodify -a -h idm.oraclefusion4all.com -p 2389 -D "cn=Directory Manager" -q -f /stage/scripts/OUD_TargetEntitlement.ldif
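Two defects a hand-typed entitlement LDIF is prone to are missing blank lines between entries (ldapmodify then sees a second dn: line inside one entry and rejects the file) and a cn attribute that does not repeat the RDN value of the group. The following is an added example, not from the original notes: a POSIX sh/awk check to run on the file before the ldapmodify step above. It assumes DNs without escaped commas.

```shell
#!/bin/sh
# Added example (not part of the original notes): sanity-check an LDIF file
# before "ldapmodify -a". Reports entries that are not separated by a blank
# line and entries whose naming attribute (first RDN, e.g. cn=...) is not
# present among their own attributes. Limitation: escaped commas in DNs
# are not handled.

# lint_ldif FILE  -> one line per problem on stdout; exit 0 when the file is clean
lint_ldif() {
    awk '
    # flush(): validate the entry collected so far, then reset state
    function flush(    rdn, eq, attr, val, k) {
        if (dn == "") return
        rdn = dn
        sub(/,.*$/, "", rdn)                     # keep only the first RDN, e.g. cn=Groups
        eq = index(rdn, "=")
        attr = tolower(substr(rdn, 1, eq - 1))
        val  = tolower(substr(rdn, eq + 1))      # LDAP cn matching is case-insensitive
        if (!((attr, val) in attrs)) {
            printf "RDN %s missing from attributes of entry: %s\n", rdn, dn
            bad++
        }
        dn = ""
        for (k in attrs) delete attrs[k]
    }
    /^dn: / {
        if (dn != "") {                          # a second dn: with no blank line between
            printf "no blank line before entry: %s\n", substr($0, 5)
            bad++
            flush()
        }
        dn = substr($0, 5)
        next
    }
    /^ *$/ { flush(); next }                     # blank line terminates an entry
    /^[A-Za-z][A-Za-z0-9;-]*: / {                # plain "attr: value" lines; ":: " base64 lines are skipped
        i = index($0, ": ")
        attrs[tolower(substr($0, 1, i - 1)), tolower(substr($0, i + 2))] = 1
    }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# Usage before loading the entitlement groups:
#   lint_ldif /stage/scripts/OUD_TargetEntitlement.ldif && ./ldapmodify -a ... -f /stage/scripts/OUD_TargetEntitlement.ldif
```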
    ==
    http://idm.luckyfusion.com:14000/sysadmin/
    xelsysadm/Oracle123
    Scheduler = “LDAP Connector Group Lookup Reconciliation[TargetAppITRes]”
    Entitlement Assignments
    Entitlement List
    Entitlement Post Delete Processing Job
    ==
Organization Security :
    ==
Review System : after provisioning is done, access to critical resources needs to be reviewed after 3/6/9/12 months – regulatory compliance.
    A) Attestation – 9i
    http://idm.luckyfusion.com:14000/sysadmin
    xelsysadm/Oracle123
    Attestation Configuration => Create Attestation process
Range of users having a range of resources (Roles and Resource Objects), schedule, reviewers, Process Owner.
    Life Cycle : ?
    B) Certification – 11gR2 PS1, PS2, …PS3
Features : Multi Phase Certification, Closed Loop Remediation (PS2, BP03), Offline Certification, Event Listeners etc.
    Enable :
    http://idm.oraclefusion4all.com:14000/sysadmin
    xelsysadm/Oracle123
    System Configuration => “Display Certification or Attestation”
    Value : Attestation or Certification or Both
Restart only OIM and observe that certification is enabled.
    Use Case :
    1. Certifiers : Managers or any other user, Org Certifier, Catalog Item Level Certifier
    2. Risk Level : High/Medium/Low
    3. Cert Def – Cert_UserHavingFinanceorgCertDef
    ==
    OIM Auditing :
    How : http://docs.oracle.com/cd/E40329_01/admin.1112/e27149/img/component.gif
    Level :
    1. Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.
    2. Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.
    3. Resource: Audits the user record, role membership, and resource provisioning.
    4. Membership: Only audits the user record and role membership.
    5. Core: Only audits the user record.
    6. None: No audit is stored.
    http://idm.oraclefusion4all.com:14000/sysadmin
    xelsysadm/Oracle123
    System Configuration => “User profile audit data collection level – None/Core/Membership/Resource/Resource Form/Process Task”
    ==
    OIM integration with BI Publisher :
    Objective : Audit Reports => templates, data
    OIM Node :
    1) templates :
    cd /d01/Weblogic/FMW/Oracle_IAM1/server/reports
    ls
    oim_product_BIP11gReports_11_1_2_2_0.zip
    2) Copy the oim_product_BIP11gReports_11_1_2_2_0.zip to BI Publisher node
    scp oim_product_BIP11gReports_11_1_2_2_0.zip weblogic@bi:/tmp
    BI Publisher Node :
    http://bi.raje.com:9704/xmlpserver/
    weblogic/Oracle123
Catalog => no OIM report templates are listed yet
    1) Get the report templates
    A) Unzip the reports zip file
    unzip -d /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/ /tmp/oim_product_BIP11gReports_11_1_2_2_0.zip
    B) Run the job
    http://bi.raje.com:9704/xmlpserver/
    weblogic/Oracle123
    Administration => Server Configuration
Note : Make sure the “BI Publisher repository” path points to the repository directory that contains the Reports folder.
    Click On “Upload to BI Presentation Catalog”
    2) Populate report templates with data
    http://bi.luckyfusion.com:9704/xmlpserver/
    weblogic/Oracle123
    Administration => JDBC Connection => Add Data Source
    A) “OIM JDBC” => DEV_OIM
    B) “BPEL JDBC” => DEV_SOAINFRA
    =====================
Note : In case data is not populated in the reports, run the job again:
    http://bi.luckyfusion.com:9704/xmlpserver/
    weblogic/Oracle123
    Administration => Server Configuration
Note : Make sure the “BI Publisher repository” path points to the repository directory that contains the Reports folder.
    Click On “Upload to BI Presentation Catalog”

    =====================
    3) Observe the OIM Audit Reports with data
    ===
    Code Migration:
    1. Deployment Manager : Export/Import – .xml
    2. Sandbox – Form Data , UDF Changes, UI Change – .zip
    Notification Templates :
    D) OAM Administration
    ==
    HRMS(2000 – create/delete/modify) ==> OIM[2000] == OVD[OID] <= OAM


    Thanks & Regards

    Lakshmi Prasada Reddy Nandyala

    Monday, 3 August 2015

    Oracle Identity & Access Management 11gR2PS1 Installation & Configuration

     OIAM : Environment Setup


Environment Setup (OIAM) for 11gR2 PS1:


    1. Database Installation
    2. Run RCU
    3. Jrockit
    4. Weblogic Server
    5. SOA Installation
    6. OIAM Installation
    7. Weblogic Domain Creation
    8. OIAM Configuration

    *************************************************************

    1. Database Installation


    Copy the Database setup into the desktop or Stage Folder.
Set the hosts file ("/etc/hosts"):
    127.0.0.1       localhost.localdomain  localhost

    192.168.x.xx   oiamserver

    # Example 

    192.168.1.100 oiam.luckyfusion.com oiam
Run the following commands (as root):

    # yum install oracle-rdbms-server-11gR2-preinstall

    # yum update ( Optional ) 

    # groupadd -g 501 oinstall
    # groupadd -g 502 dba
    # groupadd -g 503 oper
    # groupadd -g 504 asmadmin
    # groupadd -g 506 asmdba
    # groupadd -g 505 asmoper
     
    # useradd -u 502 -g oinstall -G dba,asmdba,oper oracle
This installs all the required prerequisites.
Set the password for oracle:
# passwd oracle
Login as the oracle user and add the following lines at the end of the ".bash_profile" file. (This step can also be done after the JRockit installation.)

Note : Don't delete the previous environment variables.

# Oracle Environment Variables

    TMP=/tmp; export TMP

    TMPDIR=$TMP; export TMPDIR


    ORACLE_HOSTNAME=oiam.luckyfusion.com; export ORACLE_HOSTNAME

    ORACLE_UNQNAME=orcl; export ORACLE_UNQNAME

    ORACLE_BASE=/home/oracle/app/oracle; export ORACLE_BASE

    ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1; export ORACLE_HOME

    ORACLE_SID=orcl; export ORACLE_SID


    # Java Environment Variables 

    JAVA_HOME=/home/oracle/jrockit-jdk1.6.0_37-R28.2.5-4.1.0; export JAVA_HOME


    PATH=/usr/sbin:$PATH; export PATH

    PATH=$JAVA_HOME/bin:$ORACLE_HOME/bin:$PATH; export PATH


    LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH

    CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH
     
     
    
    Install DB using Installer from setup file:
     
    ./runInstaller
     
-    Select the default (UNICODE) when the second installer screen appears.
-    Install any other missing packages with yum install unixODBC-* and ignore the 386 ones.
-    Next >
-    (If Finish reports an issue, install one RPM as root:
rpm -ivh pdksh-5.2.14-30.x86_64.rpm --nodeps)

NOTE (Optional) : in the PASSWORD MANAGEMENT section, uncheck all as per DBA advice.
-Run the two scripts (present by default at the location shown on the second-to-last setup screen) as instructed.
-Done
    
    
Restart machine

Test : https://oiam.luckyfusion.com:1158/em
     
    
    
      
     
    2. Jrockit 
     
    ./jrockit-jdk1.6.0_37-R28.2.5-4.1.0-linux-x64
     
    Note- If any issue, please check the file permissions.
     
    Restart machine
     
      
     
    3. Run RCU
     
To run RCU, the database must be up and running (started as the oracle user).
    -------Steps to start DB--------
    Go to /home/oracle/app/oracle/product/11.2.0/dbhome_1/bin
    ./lsnrctl (Start the listener)
    lsnrctl> start
    
    
    ./sqlplus (Start Sqlplus)
Enter user-name: sys as sysdba
    SQL> startup
    
    
    --------------------------------
     
    rpm -ivh libXtst-xx.el6.i686.rpm
     
    https://blogs.oracle.com/ecmarch/entry/how_to_run_rcu_on
     
    SQL> alter system set open_cursors=3000 scope=both sid='*';
     
    System altered.
     
    SQL> alter system set processes=3000 scope=spfile sid='*';
     
    System altered.
     
    restart
     
    --------------
    1.  Unzip the file.
    2.  rcuHome > rcu > bin > ./rcu
    3.  (Done)
     
    Restart machine
     
      

    4. Weblogic Server Installation
     
java -jar ./wls1036_generic.jar
     
    Restart machine
     
      

    5. SOA Installation
     
Unzip both zip files (V29672-01_1of2.zip , V29672-01_2of2.zip) and run the installer

After SOA is installed successfully, apply the following four patches:
1.  p16385074_111160_Generic (1st) (Note : this patch contains two sub-patches, oapatch [SOA] and sa_opatch [JDeveloper]. Apply only oapatch for the OIAM setup. See the README.txt inside the patch for help.)
2.  p13973356_111160_Generic (2nd)
3.  p14196234_111160_Generic (3rd)
4.  p16366204_111160_Generic (4th)
Run
1.  export ORACLE_HOME=/home/oracle/Oracle/Middleware/Oracle_SOA1
2.  export PATH=/home/oracle/Oracle/Middleware/Oracle_SOA1/OPatch:$PATH
     
    Unzip all the patches. Enter into the patch folder.
     
    Apply the patches:
    
    
    opatch lsinventory (to just check that how many patches applied)
    opatch apply (Apply the patch)
     
    Restart machine 
     
     
     
    6. OIAM Installation
     
Unzip both zip files and put them into one folder.
     
    Disk1 > ./runInstaller (Run it)
(Ignore any errors that appear)
     
    After OIAM Installation apply the patches:
     
    1.  p16513008_111210_Generic(1st) 
2.  p16472592_111160_Generic (2nd) (Note : this patch contains two sub-patches, oapatch [SOA] and sa_opatch [JDeveloper]. Apply only oapatch for the OIAM setup. See the README.txt inside the patch for help.)
    3.  p16400771_111160_Generic(3rd)
     
     
    Apply Patch p16513008_111210_Generic (1st)    
               1.  export ORACLE_HOME=/home/oracle/Oracle/Middleware/Oracle_IDM1
               2.  export PATH=/home/oracle/Oracle/Middleware/Oracle_IDM1/OPatch:$PATH
            Unzip all the patches. Enter into the patch folder.
     
            Apply the patches:
    
    
            opatch lsinventory (to just check & Verify applied patches)
            opatch apply (Apply the patch)
     
     
     
    Apply Patch p16472592_111160_Generic (2nd)    
           1.  export ORACLE_HOME=/home/oracle/Oracle/Middleware/oracle_common
           2.  export PATH=/home/oracle/Oracle/Middleware/oracle_common/OPatch:$PATH
            Unzip all the patches. Enter into the patch folder.
     
            Apply the patches:
     
            opatch lsinventory (to just check & Verify applied patches)
            opatch apply (Apply the patch)
     
     
    Apply Patch p16400771_111160_Generic (3rd)   
           1.  export ORACLE_HOME=/home/oracle/Oracle/Middleware/oracle_common
           2.  export PATH=/home/oracle/Oracle/Middleware/oracle_common/OPatch:$PATH
            Unzip all the patches. Enter into the patch folder.
     
            Apply the patches:
     
            opatch lsinventory (to just check & Verify applied patches)
            opatch apply (Apply the patch)
     
    Restart machine
     
     
     

    7. Weblogic Server DOMAIN CREATION 
     
    Start the Oracle DB:
     
    Goto : /home/oracle/app/oracle/product/11.1.2/db_1/bin
     
            ./lsnrctl
            Start
            Exit
     
            ./sqlplus
            User Name: sys as sysdba
            Password: welcome1
            Sql> startup
            Database UP & Running
     
    Goto : /home/oracle/Oracle/Middleware/wlserver_10.3/common/bin
     
Run : ./config.sh (Create New Domain)
     
     
Follow the instructions (shuttle all the machines under the Admin Server during this process). Done. Restart the machine.
     
     
     
     
    8. Additional Config
     
    DB should be UP & Running.
     
    Goto : /home/oracle
     
    Run : /home/oracle/Oracle/Middleware/oracle_common/common/bin/wlst.sh /home/oracle/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /home/oracle/Oracle/Middleware/user_projects/domains/oim_domain -c IAM -p welcome1 -m create
     
A success message is displayed.

Note- oim_domain is the OIAM domain name and welcome1 is the OPSS schema (DB) password.
     
    1.  Start WebLogic Server
    2.  Start soa_server1 Managed Server.
     
     
    Goto : /home/oracle/Oracle/Middleware/Oracle_IDM1/bin
Run : ./config.sh
     
            On First Screen NEXT
            On Second Screen Select ALL(OIM Server, Design Console&Remote Manager)
            On Third Screen
                   Connect String : localhost:1521:orcl
                   OIM User Name  :       DEV_OIM
                   OIM Password   :       welcome1
                   MDS User Name  :       DEV_MDS
                   MDS Password   :       welcome1
                   NEXT
            On Fourth Screen
                   WLS Admin URL  :       t3://localhost:7001
                   User Name      :       weblogic
Password       :       welcome1
            On Fifth Screen
OIM Admin Password     :       Welcome1
                   Deselect ENABLE LDAP SYNC
            On Sixth Screen
                   OIM Server Host Name   :       oiamserver
                   OIM Server port        :       14000
            On Seventh Screen
                   Leave all detail as it is
            Configure > Done
     
     
Start oim_server1 Managed Server
     
      
     
    9. Test the Environment
     
    OIM Environment Test :
    
    
    http://192.168.x.xx:14000/identity  (OIM for User)
     
    http://192.168.x.xx:14000/sysadmin  (OIM for Admin)
     
    User- xelsysadm
    Password- Welcome1
     
    OAM Environment Test : 
    http://192.168.x.xx:7001/oamconsole
     
    userId- weblogic
    Password- welcome1
     
    INSTALLATION DONE….. 
     
     
    -------------------------------------------------------------------------
    Optional : Installation & Configure the Design Console(Local Windows)
     
    Installation:
     
    Extract both zip (V37472-01_1of2.zip , V37472-01_2of2.zip) files for OIM Setup into one folder.
Disk1 > Install > select your platform and install it.
    Done.
NOTE- The Design Console (for OIAM) can be installed on any machine; you only need to provide the server details.
     
    Configuration:
     
    Goto : C:\Oracle\MiddlewareWLS\Oracle_IDM1\bin
Install/run- Double-click on Config
     
        On Second Screen Select only OIM Design Console
        On Third Screen
               OIM Host Name- 192.168.x.xx
               OIM Port- 14000
            Configure & Done.
     
     
    File Names-
Jrockit- jrockit-jdk1.6.0_37-R28.2.5-4.1.0-linux-x64
    OIAM- V37472-01_1of2.zip & V37472-01_2of2.zip
RCU- V37476-01.zip
    RPM-     compat-libstdc++-33-3.2.3-69.el6.i686
                    glibc-2.12-1.7.el6.i686
                    libstdc++-4.4.4-13.el6.i686
                    pdksh-5.2.14-30.x86_64
    SOA- V29672-01_1of2.zip & V29672-01_2of2.zip
    WLS- wls1036_generic
    ------------------------------------------------------------------------------------

    If you have any Queries Contact : lakshmiprasad.fusion@gmail.com