IdmConfigTool : OIM/OAM/FusionApps Integration – preConfigIDStore, prepareIDStore, configOAM, configOIM
If you are integrating OIM with OAM or installing Oracle Fusion Applications then you must read this post carefully.
This post covers overview of idmConfigTool (used extensively in Fusion Applications and OIM-OAM integration) and options available including what happens behind the scenes.
Here are acronyms used in this post
ACL – Access Control List
AD – Active Directory
CSF – Credential Store Framework
IAM – Identity and Access Management (OIM & OAM)
IDM – Identity Management (OID, OVD, OIF)
LDAP – Lightweight Directory Access Protocol
OAM – Oracle Access Manager
OID – Oracle Internet Directory
OIF – Oracle Identity Federation
OIM – Oracle Identity Manager
OVD – Oracle Virtual Directory
WLST – WebLogic Scripting Tool
idmConfigTool (.sh for Unix/Linux and .bat for Windows) is tool to configure Oracle Identity Management components that prepare LDAP Server (OID, OVD or AD) so that OIM can be integrated with OAM and also used to prepare Oracle Identity Management for Oracle Fusion Applications.
IdmConfigTool (.sh or .bat) is available in IAM ORACLE_HOME/idmtools/bin (where IAM ORACLE_HOME is directory in which OIM and OAM are installed). Note: This IAM ORACLE HOME is different from ORACLE_HOME that contains OID/OVD/OIF binaries.
Key points in OIM/OAM integration – idmConfigTool.sh (bat) ?
1. idmConfigTool from $IDAM_ORACLE_HOME/idmtools/bin is main utility which prepares LDAP server so that OIM/OAM products can be integrated (creating users, groups, extending OID attributes and objectless, more on OID objects here ). idmConfigTool is also used to extend objects required in OID to install Fusion Applications.
2. When you run idmConfigTool.sh (bat) , it creates or appends to file idmDomainConfig.param hence this tool must be run from same directory always (so that idmDomainConfig.param is updated properly). (idmDomainConfig.param is used during Fusion Applications Provisioning)
3. idmConfigTool.sh (bat) creates or appends to log file automation.log . After each execution of idmConfigTool, verify that there are no error messages in automation.log (Error message during idmConfigTool are not reported on screen but are logged in automation.log)
4. variable IAM _ORACLE_HOME should point to ORACLE_HOME in which OIM/OAM is installed where as IDM_ORACLE_HOME should point to ORACLE_HOME directory in which OID/OVD is installed.
5. idmConfigTool (in current version) supports only simple LDAP connection. i.e. LDAPS (secure) is NOT supported.
6. Options with idmConfigTool.sh (bat) are: –configPolicyStore, –preConfigIDStore, –prepareIDStore, –configOAM, –configOIM, –upgradeLDAPUsersForSSO
a) configPolicyStore – This will create group two groups and two users in LDAP Server
i) OrclPolicyAndCredentialReadPrivilegeGroup (user PolicyROUser as its member)
ii) OrclPolicyAndCredentialReadPrivilegeGroup (user PolicyRWUser as its member)
You can then migrate Policy and Credential store of Fusion Middleware from XML file to LDAP Server using reassociateSecurityStore (WLST) or from EM Console (/em) .
Policy store contains application specific roles where as Credential Store contains system accounts (including password and certificates) that are used internally to communicate between components (OracleBISystem user in OBIEE or SOA User in OIM are two such accounts stored in credential). More on Policy and Credential Store here
b) preConfigIDStore – This will create
i) group orclFAUserReadPrivilegeGroup, orclFAUserWritePrivilegeGroup, orclFAUserWritePrefsPrivilegeGroup, orclFAGroupReadPrivilegeGroup, orclFAGroupWritePrivilegeGroup
ii) Create password policy for OIM admin user & Fusion Applications
iii) add object class specific to Fusion Applications in LDAP server
c) prepareIDStore – depending on mode used (OAM, OIM, WLS, fusion, all) will create object in LDAP Server
i) mode=OAM – This will
— create user OblixAnonymous, oamadmin, oamLDAP
— Set ACL on user objects
–Add PolicyStore user to group “cn=OID Schema Admin, cn=groups, dc=OracleContext”
Note: oamadmin is used to login to oamconsole where as oamLDAP is used to connect from OAM to Identity Store for authentication
ii) mode=OIM – This will
–create group OIMAdministrators and user oimLDAP as its member
–create container cn=reserve
–creates user xelsysadm (this is superuser in OIM)
iii) mode=WLS – This will create group IDM Administrators and user weblogic_idm as its member
d) configOAM – This will
i) create an WebGate instance in OAM and generate output files in $DOMAIN_HOME/output/<WebGateName>
ii) Create Identity store pointing to OID and migrate default identity store of OAM from weblogic embedded LDAP server to OID
e) configOIM – This will create
— Three providers in security realm of WebLogic domain (OIDAuthenticator, OAMIDAsserter, OIMSignatureAuthenticator)
— Create credentials in CSF (containing credentials for OIM to connect to OAM)
— Updates configuration in MDS (details of OAM server)
.
References