IdmConfigTool : OIM/OAM/FusionApps Integration – preConfigIDStore, prepareIDStore, configOAM, configOIM

If you are integrating OIM with OAM or installing Oracle Fusion Applications then you must read this post carefully.

This post covers overview of idmConfigTool (used extensively in Fusion Applications and OIM-OAM integration) and options available including what happens behind the scenes.

Here are acronyms used in this post

ACL – Access Control List
AD – Active Directory
CSF – Credential Store Framework
IAM – Identity and Access Management (OIM & OAM)
IDM – Identity Management (OID, OVD, OIF)
LDAP – Lightweight Directory Access Protocol
OAM – Oracle Access Manager
OID – Oracle Internet Directory
OIF – Oracle Identity Federation
OIM – Oracle Identity Manager
OVD – Oracle Virtual Directory
WLST – WebLogic Scripting Tool

 

idmConfigTool (.sh for Unix/Linux and .bat for Windows) is tool to configure Oracle Identity Management components that prepare LDAP Server (OID, OVD or AD) so that OIM can be integrated with OAM and also used to prepare Oracle Identity Management for Oracle Fusion Applications.

 

IdmConfigTool (.sh or .bat) is available in IAM ORACLE_HOME/idmtools/bin (where IAM ORACLE_HOME is directory in which OIM and OAM are installed). Note: This IAM ORACLE HOME is different from ORACLE_HOME that contains OID/OVD/OIF binaries.

 

Key points in OIM/OAM integration – idmConfigTool.sh (bat) ?

1. idmConfigTool from $IDAM_ORACLE_HOME/idmtools/bin is main utility which prepares LDAP server so that OIM/OAM products can be integrated (creating users, groups, extending OID attributes and objectless, more on OID objects here ). idmConfigTool is also used to extend objects required in OID to install Fusion Applications.

2. When you run idmConfigTool.sh (bat) , it creates or appends to file idmDomainConfig.param hence this tool must be run from same directory always (so that idmDomainConfig.param is updated properly). (idmDomainConfig.param is used during Fusion Applications Provisioning)

3. idmConfigTool.sh (bat) creates or appends to log file automation.log . After each execution of idmConfigTool, verify that there are no error messages in automation.log (Error message during idmConfigTool are not reported on screen but are logged in automation.log)

4. variable IAM _ORACLE_HOME should point to ORACLE_HOME in which OIM/OAM is installed where as IDM_ORACLE_HOME should point to ORACLE_HOME directory in which OID/OVD is installed.

5. idmConfigTool (in current version) supports only simple LDAP connection. i.e. LDAPS (secure) is NOT supported.

6. Options with  idmConfigTool.sh (bat) are: –configPolicyStore, –preConfigIDStore, –prepareIDStore, –configOAM, –configOIM, –upgradeLDAPUsersForSSO

a) configPolicyStore – This will create group two groups and two users in LDAP Server
i) OrclPolicyAndCredentialReadPrivilegeGroup (user PolicyROUser as its member)
ii) OrclPolicyAndCredentialReadPrivilegeGroup (user PolicyRWUser as its member)

You can then migrate Policy and Credential store of Fusion Middleware from XML file to LDAP Server using reassociateSecurityStore (WLST) or from EM Console (/em) .

 

Policy store contains application specific roles where as Credential Store contains system accounts (including password and certificates) that are used internally to communicate between components (OracleBISystem user in OBIEE or SOA User in OIM are two such accounts stored in credential). More on Policy and Credential Store here

 

b) preConfigIDStore – This will create

i) group orclFAUserReadPrivilegeGroup, orclFAUserWritePrivilegeGroup, orclFAUserWritePrefsPrivilegeGroup, orclFAGroupReadPrivilegeGroup, orclFAGroupWritePrivilegeGroup

ii) Create password policy for OIM admin user & Fusion Applications

iii) add object class specific to Fusion Applications in LDAP server

 

c) prepareIDStore – depending on mode used (OAM, OIM, WLS, fusion, all) will create object in LDAP Server

i) mode=OAM – This will

— create user OblixAnonymous, oamadmin, oamLDAP
— Set ACL on user objects
–Add PolicyStore user  to group “cn=OID Schema Admin, cn=groups, dc=OracleContext”

Note: oamadmin is used to login to oamconsole where as oamLDAP is used to connect from OAM to Identity Store for authentication

 

ii) mode=OIM – This will
–create group OIMAdministrators and user oimLDAP as its member
–create container cn=reserve
–creates user xelsysadm (this is superuser in OIM)

iii) mode=WLS – This will create group IDM Administrators and user weblogic_idm as its member

 

d) configOAM – This will

i) create an WebGate instance in OAM and generate output files in $DOMAIN_HOME/output/<WebGateName>

ii) Create Identity store pointing to OID and migrate default identity store of OAM from weblogic embedded LDAP server to OID

 

e) configOIM – This will create

— Three providers in security realm of WebLogic domain (OIDAuthenticator, OAMIDAsserter, OIMSignatureAuthenticator)
— Create credentials in CSF (containing credentials for OIM to connect to OAM)
— Updates configuration in MDS (details of OAM server)

.

References

 

Share This Post with Your Friends over Social Media!

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

37 comments
» Where are OAM details stored in OIM (account unlock, password reset) Online Apps DBA: One Stop Shop for Apps DBA’s says November 24, 2011

[…] you check my post on IdmConfigtool here , OIM configuration is updated with OAM details […]

Reply
» Fusion Applications 11.1.1.5.1 Installation Part II - Configure Oracle Internet Directory Online Apps DBA: One Stop Shop for Apps DBA’s says November 27, 2011

[…] next post we are going to prepare OID for OIM/OAM using idmConfigTool more here and here , including what happens behind the scene when you run idmConfigTool Previous in series […]

Reply
» Autologin failed in OIM/OAM Integration after password reset SSOAccessKey javax.security. auth.login. LoginException Online Apps DBA: One Stop Shop for Apps DBA’s says March 21, 2012

[…] idmConfigTool http://onlineappsdba.com/index.php/2011/11/23/idmconfigtool-oimoamfusionapps-integration-preconfigid… (tool to integrate OIM with OAM) should have created credential (keyName and password) for map oim as key SSOAccessKey of type Password with value as WebGate password. In my case this key SSOAccessKey for map OIM was missing. […]

Reply
» Identity & Access Management configuration for Oracle Fusion Applications – Part I Online Apps DBA: One Stop Shop for Apps DBA’s says April 24, 2012

[…] Applications is to install, configure and integrate OID/OIM/OAM. When you integrate OIM/OAM using idmConfigTool, this tool creates properties file called […]

Reply
sudhakardba09 says April 29, 2012

Hi Atul,
when i am running below command getting Error.

./idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props
Enter ID Store Bind DN password :
The tool has completed its operation. Details have been logged to automation.log

automation.log:-Apr 29, 2012 10:13:11 AM oracle.idm.automation.util.Util setLogger
WARNING: Logger initialized in warning mode
Apr 29, 2012 10:13:16 AM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler isSystemIDPresent
WARNING: Error while searching for System Base
Apr 29, 2012 10:13:16 AM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler execute
WARNING: OIMPreIntegrationHandler : System ID is not Present
“automation.log” 354L, 25310C

oim.props:-

IDSTORE_HOST: orapractice1
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=com
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP: OIMAdministrators
~
~
Pls help us regarding this.

Reply
    Atul Kumar says April 29, 2012

    @ sudhakardba09,
    1. Are you using OVD or just OID ?
    2. What is your OID hostname , port ?
    3. What is your OID realm (domain), is it dc=com ?

    Check if this note helps ID 1376919.1 OAM 11g – OIM – Many WARNING Messages In idmConfigTool -prepareIDStore Output Log With OVD ID Store

    Reply
Jyothi says June 7, 2012

Hi Atul, I am creating provisioning plan using the wizard and when I reached step 15 of 18 which is “Identity Management Configuration”, it did not populate data from already setup IDM environment using idmDomainConfig.param. The host for IDM is idm.mycompany.com and everything is up and running. I can ping from OFA host to IDM and IDM to OFA. The file idmDomainConfig.param is under /idm/app/oracle/product/fmw/Oracle_IDM2/idmtools/bin.

Will it be a problem if I manually enter all these values ?

Can you please guide me. Apreciate your time and thank you.

regards
Jyothi

Reply
Atul Kumar says June 7, 2012

@ Jyothi, There are multiple IAM install/configure doc . Which one you are following so I can cross check and confirm.

Reply
Jyothi says June 7, 2012

Atul, I referred Enterprise Deployment Guide http://docs.oracle.com/cd/E25054_01/fusionapps.1111/e21032/toc.htm#BEGIN.

No entries are populated.

thank you
Jyothi

Reply
Atul Kumar says June 7, 2012

@ Jyothi,
No issues , yes you can enter data manually as mentioned in idmDomainConfig.param

Reply
Jyothi says June 7, 2012

Thank you Atul. While entering below questions I came across now :

1. In my IDM, I am accessing OID through OID so, I should select OVD as Type right ?

2. I have fusion admin id as weblogic_fa and no doubbt I wil mention it.

But what about those check boxes : Enable Seeding of Security Data, Create Admin group, Create mon group, Create ops group ?

I thought they all are created as per the deployment guide. May be I am wrong. Do you want me to select(check) all these check boxes ?

thank you so much.

Jyothi.

Reply
Jyothi says June 7, 2012

sorry… typo… I am accessing OID through OVD.

thanks
Jyothi

Reply
Atul Kumar says June 7, 2012

@ Jyothi,

1. In my IDM, I am accessing OID through OVD so, I should select OVD as Type right ?

AK: Yes try OVD, I had just OID so I used OID but then if you created all adapters then yes select OVD

2. I have fusion admin id as weblogic_fa and no doubbt I wil mention it.

But what about those check boxes : Enable Seeding of Security Data, Create Admin group, Create mon group, Create ops group ?

AK: select check boxes as I did n’t find any steps in EDG which adds user weblogic_fa to weblogic role Admininstrator, Moderators…

This checkbox will populate this data (else you will see error message for IAM)

Reply
Jyothi says June 7, 2012

Thank you so much Atul. Very nice of you.

regards
Jyothi

Reply
Jyothi says June 7, 2012

Atul, in the wizard, it is asking for “IDM Keystore file”. I am not sure do we have such file ? I have generated SSL certificate for weblogic domain for IDM but it is stored in policy store. Not in physical file. I do not know now what to enter here.

I have also generated oamclient-truststore.jks and ssoKeystore.jks file as per the deployment guide and they are under DOMAIN_HOME/config/fmwconfig. Do you think this is the file I have to enter ? But this file is in IDM host not in OFA host. How will I specify this in Provisioning wizard ?

thank you.

Jyothi

Reply
Jyothi says June 8, 2012

I think it is the keystore we generated for Fusion Apps and may be I will have to copy it to OFA instance.

thanks
Jyothi

Reply
Atul Kumar says June 8, 2012

@ Jyothi,
Don’t use ssl to connect, This is bug that even if you are not using SSL you will have to give keystore. Use any dummy keystore from MW_HOME to bypass installer

Reply
Jyothi says June 8, 2012

Atul, this means, chapter 17.1.2 Creating Client Keystore in deployment guide is of no use as of now ? It is about generating trust store for Fusion Apps.

Am I refering right chapter here regarding “IDM keystore file” ?

thanks
Jyothi

Reply
Atul Kumar says June 8, 2012

@ Jyothi,
I hope you mean http://docs.oracle.com/cd/E25054_01/fusionapps.1111/e21032/wiring.htm#CEGDGBIH

Yes this is not required, select non ssl for policy store and other configuration during Fusion Apps Provisioning screen

Reply
Jyothi says June 8, 2012

wow…My goodness.. long way to get this FA stabilized…really crazy stuff.

Thanks for your guidance.

thanks
Jyothi

Reply
Jyothi says June 11, 2012

Atul, currently I have below 2 errors in the preverify phase. Can you please take a look.

First one I do not have any clue. But for second one, I have mentioned oim end point host as idm.mycompany.com and port 7777 and I am able to telnet from OFA instance to this port in IDM instance. I do not know why it is complaining.

012-06-11 19:07:44.021 NOTIFICATION [logStatus] STATE=BUILD_ERROR!TIMESTAMP=2012-06-11 19:07:43 EDT!TARGET=common-preverify-security!CATEGORY=BUILD_ERROR!DOMAIN=CommonDomain!HOSTNAME=ofa.mycompany.com!PRODUCTFAMILY=fs!PRODUCT=Functional-Setup!TASK=validateOim!TASKID=fs.Functional-Setup.BUILD_ERROR.common-preverify-security.validateOim!MESSAGE=List of failed Validation in OIM 1. OAM_Validation : Cannot perform OAM Validation as Error in receiving hashed server challenge ObAAAStatus: Major code: 50(Insecure) Minor code: 2(NoCode) !DETAIL=List of failed Validation in OIM||1. OAM_Validation : Cannot perform OAM Validation as Error in receiving hashed server challenge ObAAAStatus: Major code: 50(Insecure) Minor code: 2(NoCode) ||!BUILDFILE=/fa/fusion/repository/provisioning/provisioning/provisioning-build/common-preverify-build.xml!LINENUMBER=302!

2012-06-11 19:07:45.794 NOTIFICATION [logStatus] STATE=BUILD_ERROR!TIMESTAMP=2012-06-11 19:07:45 EDT!TARGET=common-preverify-security!CATEGORY=BUILD_ERROR!DOMAIN=CommonDomain!HOSTNAME=ofa.mycompany.com!PRODUCTFAMILY=fs!PRODUCT=Functional-Setup!TASK=validateOam!TASKID=fs.Functional-Setup.BUILD_ERROR.common-preverify-security.validateOam!MESSAGE=Error 1 : IDSTORE_HOST : Invalid IDStore host name. Error 2 : OAM11G_OIM_OHS_URL : Invalid OIM host name for OIM URL. !DETAIL=Error 1 : IDSTORE_HOST : Invalid IDStore host name.|Error 2 : OAM11G_OIM_OHS_URL : Invalid OIM host name for OIM URL.|!BUILDFILE=/fa/fusion/repository/provisioning/provisioning/provisioning-build/common-preverify-build.xml!LINENUMBER=323!

thanks
Jyothi

Reply
Atul Kumar says June 11, 2012

@ Jyothi,

1. For “Cannot perform OAM Validation as Error in receiving hashed server challenge ObAAAStatus”

What is OAM server mode ? Did you use same security mode in FA provisioning ? Check if all required OAM related passwords are in credential store

http://onlineappsdba.com/index.php/2012/04/12/fa-installation-error-2-list-of-failed-validation-in-oim-oam_validation-cannot-perform-oam-validation-as-null/

2. For ” Invalid IDStore host name. Error 2 : OAM11G_OIM_OHS_URL : Invalid OIM host name for OIM URL. !DETAIL=Error 1 : IDSTORE_HOST : Invalid IDStore host name.”

What URL you used for OIM and OHS during OIM-OAM integration ?

Is this host and port reachable from FA host ?

Reply
Jyothi says June 11, 2012

Atul,

1. I used Simple mode. Currently when I send request to OHS, it is redirected to http://sso.mycompany.com:7777/ and is working fine to get into OIM, OAM, and other consoles using many ids such as xelsysadm, oamadmin, weblogic_idm etc. This means all credentials are there right ? I am not sure.

2. I see that in config_oam2.props, OAM11G_OIM_OHS_URL:http://sso.mycompany.com:7777/

In config_oam1.props, OAM11G_IDM_DOMAIN_OHS_HOST: webhost.mycompany.com

So, in my prov plan, I mentioned first sso.mycompany.com and the preverify phase complained that non-ssl connection can not made.

Then I mentioned webhost.mycompany.com in the plan and I am getting same “Invalid IDStore error”.

So, I do not what to use now.

thanks
Jyothi

Reply
Jyothi says June 11, 2012

1. I used Simple mode. Currently when I send request to OHS, it is redirected to http://sso.mycompany.com:7777/ and is working fine to get into OIM, OAM, and other consoles using many ids such as xelsysadm, oamadmin, weblogic_idm etc. This means all credentials are there right ? I am not sure.

2. I see that in config_oam2.props, OAM11G_OIM_OHS_URL:http://sso.mycompany.com:7777/

In config_oam1.props, OAM11G_IDM_DOMAIN_OHS_HOST: webhost.mycompany.com

So, in my prov plan, I mentioned first sso.mycompany.com and the preverify phase complained that non-ssl connection can not made.

Then I mentioned webhost.mycompany.com in the plan and I am getting same “Invalid IDStore error”.

So, I do not what to use now.

thanks
Jyothi

Reply
Jyothi says June 12, 2012

Atul, one more info.

I am able to telnet to webhhost.mycompany.com 7777.

Also, I see all those keys such as SSOAccessKey, SSOKeystoreKey and SSOGlobalPP in EM console. I have every pwd as welcome1. No change in any pwd.

Pleae let me know what else I need to do to resolve this issue.

Appreciate your time.

thanks
Jyothi

Reply
Jyothi says June 12, 2012

Atul, after mentioning sso.mycompany.com idm.oim.endpoint.host.name and updating hosts file, now I do not see “OAM11G_OIM_OHS_URL : Invalid OIM host name for OIM URL” in the error. But I get below error :

common-preverify-security.validateOam!MESSAGE=Error 1 : IDSTORE_HOST : Invalid IDStore host name. !DETAIL=Error 1 : IDSTORE_HOST : Invalid IDStore host name.|!BUILDFILE=/fa/fusion/repository/provisioning/provisioning/provisioning-build/common-preverify-build.xml!LINENUMBER=323!

Which is that propery in provisioning plan corresponds to this IDStore message ?

Is it because I mentioned OID ports for OPSS security Services configuration in the provisioning plan ? Should I mention OVD here ?

One more thing I noticed that in config_oam1.props, OAM11G_IDM_DOMAIN_OHS_HOST is webhost.mycompany.com and in config_oam2.props, it is sso.mycompany.com.
I hope this is not an issue over here. I am not sure whether at this time I can enter sso.mycompanycom in config_oam1.props an rerun the tool !!

any suggestion is greatly apprecited.

thanks
Jyothi

Reply
Jyothi says June 12, 2012

Atul, I am able to proceed to install phase. I have no idea why it was expecting me to enter OID entries instead of OVD in entire prov plan. I just replaced ovd entries with OID all over the plan.

The property “Identity Store Server Type” i.e, provisioning.include.idm.ldap.server.type=OVD int the plan absolutely does not make any sense.

thanks
Jyothi.

Reply
Jyothi says June 12, 2012

BTW, I have configured OVD and created adapters in ODSM and also if I go to OIM console, I see “IT Resource”-> “Directory service” showing OVD ports !

thanks
Jyothi

Reply
rajibroyc says June 18, 2012

Hi,

I have upgraded the OAM 11.1.1.5 to BP 02 level and trying to deploy a custom authentication plug-in.

I am able to import the .jar file of custom auth plugin.

When I click on Distribute Selected tab for the plugin, it gives this error in the OAMconsole.

Messages for this page are listed below.
Error
multiple points
Error
For input string

In the log file it gives,

<Configuration event dispatch failed.
java.lang.IllegalArgumentException: OAM-21923:
at oracle.security.am.extensibility.lifecycle.api.PluginConfigManager.updatePluginStatus(PluginConfigManager.java:195)
at oracle.security.am.extensibility.lifecycle.utils.AdminUtil.setCommandFailure(AdminUtil.java:307)
at oracle.security.am.extensibility.lifecycle.utils.AdminUtil.sendMssgToRunningNodes(AdminUtil.java:186)
at oracle.security.am.extensibility.lifecycle.utils.AdminUtil.doConfigChangeAction(AdminUtil.java:259)
at oracle.security.am.extensibility.lifecycle.pluginstate.LifecycleConfigChangeListener.configurationChanged(LifecycleConfigChangeListener.java:43)
at oracle.security.am.admin.config.BasicFileConfigurationStore$ListenerDispatcher.run(BasicFileConfigurationStore.java:958)

Can anybody help in getting this resolved?

Have any one encountered the same issue during the plugin deployment in OAM 11g.

Thanks,
Rajib

Reply
Leo says July 5, 2012

I trying to do this integration with AD user store. Are the steps and commands the same or do i need OVD in front of AD?
I’m getting errors while using only AD when running the very first idmConfigTool.sh -preConfigureIDStore input_file=”filename”… Nothing gets created on the AD server and the logs say:

Jul 5, 2012 9:23:42 AM oracle.idm.automation.util.Util setLogger
WARNING: Logger initialized in warning mode
Jul 5, 2012 9:23:48 AM oracle.idm.automation.AutomationTool preConfig
WARNING: POLICYSTORE_SHARES_IDSTORE not provided. Defaulting to “true”
Jul 5, 2012 9:23:49 AM oracle.idm.automation.impl.ovd.handlers.OVDIntegrationHandler createGroupsForIntegration
WARNING: Error in creating groups
Jul 5, 2012 9:23:49 AM oracle.idm.automation.impl.ovd.handlers.OVDIntegrationHandler createSystemIDContainer
WARNING: Error in creating the System ID Container
Jul 5, 2012 9:23:49 AM oracle.idm.automation.AutomationTool dumpConfig
INFO: Configuration details have been dumped to the file idmDomainConfig.param

Reply
» OIM-OAM-OAAM integration – Account Lockout in OAM obLoginTryCount , oblockouttime, MaxRetryLimit Online Apps DBA: One Stop Shop for Apps DBA’s says September 23, 2012

[…] 3. Extension of LDAP schema for OAM is done using idmConfigTool.sh -preConfigIDStore (LDIFs for schema extension are at ORACLE_HOME/oam/server/oim-intg/schema/*.ldif). More on idmConfigTool here […]

Reply
» How to identify which LDAP (OID/AD/OVD) server OAM 11g connects to and as what user ? Online Apps DBA: One Stop Shop for Apps DBA’s says September 27, 2012

[…] You can integrate OAM to external LDAP store like OID/OVD/AD using step for 11.1.1.3 click here and for 11.1.1.5 click here . You can also integrate OAM with LDAP store using idmConfigTool.sh -configOAM more here and here […]

Reply
Gopi says January 17, 2014

Hi,

Currently we are going to implement the SSO(Single Sign ON)in my environment.
We have installed Oracle Internet Directory with OVD in one domain.
And also installed OAM, OIM with OHS server.

From here how to proceed with this to implement SSO successfully.

Reply
    Atul Kumar says January 17, 2014

    @ Gopi , With which application you are planning to implement SSO ?

    Reply
Ketki says February 13, 2014

What are the steps to add a user to particular group in OIM?

Reply
    Atul Kumar says February 13, 2014

    @ketki,
    Groups are mapped to Role in OIM so add user to role in OIM . If ldapsync is enabled then Role (in OIM) is linked to Group (in OID)

    Reply
article submission says February 24, 2015

It’s awesome designed for me to have a site, which is beneficial in support of my knowledge.
thanks admin

Reply
Add Your Reply