Fusion Applications 11.1.1.5.1 Installation Part III – Configure Policy and Identity Store

This post covers Part III of the Fusion Applications 11.1.1.5.1 installation: configuring the Identity Store and Policy Store for Fusion Applications. For the previous steps, check the links below.

Identity Store: the repository in which the users, groups and roles for Fusion Applications are stored. For Fusion Applications the Identity Store is OID (Oracle Internet Directory).

Policy Store: the repository of application roles and policies. By default this is the XML file $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml.

(For an application with a large number of roles it is recommended to migrate the policy store from the XML file to OID/LDAP.

If the domain directories of the Admin Server and the Managed Servers are different, you must migrate the policy store from the XML file to OID/LDAP, because a file-based store is only visible to servers that share that domain directory.)

The steps in this post are taken from the Oracle documentation; the purpose of this post is to explain them, including what happens when you run idmConfigTool with each of its options.

Assumptions in this Post

a) Hostname of the OID, OAM and OIM server – innowave12.com
b) OID LDAP port – 3060
c) Domain name (realm) of OID – dc=com
d) Policy Store container in OID – cn=jpsroot
e) WebLogic Admin Server port – 7001
f) WebLogic domain admin user – weblogic
g) Password of the weblogic user – welcome1
h) Login attribute for OAM/OIM in OID – uid
i) OID common name attribute – cn
j) OAM super user – oamadmin
k) OAM to OID integration user – oamLDAP
l) OIM to OID integration user – oimadmin
m) Fusion Apps super user – weblogic_fa
n) User container in OID – cn=Users,dc=com
o) Group container in OID – cn=Groups,dc=com
p) OID, OAM and OIM are configured in the same WebLogic domain, named base_domain

All user and group names above are case sensitive; use them exactly as written in every props file.


Set Environment Variables

The first step is to set the following environment variables:

a) export MW_HOME= (directory created during the WebLogic installation)
b) export ORACLE_HOME= (directory in which OIM/OAM is installed, i.e. the IAM Oracle Home)
c) export IDM_HOME= (directory in which OID is installed)
d) export JAVA_HOME= (directory in which Java is installed)

Note: You must run idmConfigTool from the same directory every time. Each run appends to idmDomainConfig.param in the current directory, so running it from different locations leaves you with several partial files instead of one complete one.

idmConfigTool creates an automation.log file in the directory it is run from. Errors and warnings are NOT displayed on screen; they are only recorded in automation.log, so check that file after every run rather than trusting a silent exit.


[Updated on 3 Jan 2012]: Apply patch 12867723 to the IAM ORACLE_HOME (OIM/OAM) before running idmConfigTool; it fixes known idmConfigTool issues.

Configure Policy/Identity Store

1. Configure Policy Store

1.1) Create policystore.props with the following values

POLICYSTORE_HOST : innowave12.com
POLICYSTORE_PORT : 3060
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=com
POLICYSTORE_CONTAINER: cn=jpsroot

1.2) Run $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -configPolicyStore input_file=policystore.props

Enter

a) the orcladmin password when prompted
b) the password you wish to set for PolicyROUser
c) the password you wish to set for PolicyRWUser

This step creates the two users (PolicyROUser, PolicyRWUser) and two groups in OID, and creates the container cn=jpsroot in OID.

Note: PolicyRWUser can change the application policies of every domain that shares this policy store, so treat its password with the same care as the orcladmin password.


2) Re-associate the Credential and Policy Store of the OID/OIM/OAM domain from the XML file to OID

a) $MW_HOME/oracle_common/common/bin/wlst.sh

b) connect("weblogic","welcome1","t3://innowave12.com:7001")

c) wls:/base_domain/serverConfig> reassociateSecurityStore(domain="base_domain", admin="cn=orcladmin", password="welcome1", ldapurl="ldap://innowave12.com:3060", servertype="OID", jpsroot="cn=jpsroot")

d) exit()

This step migrates the Policy Store and Credential Store from the XML file to OID. Note that both passwords are typed on the WLST command line and therefore end up in the WLST history file; clear it afterwards, or put the commands in a script file that you delete once the step succeeds.

e) Restart the WebLogic Admin Server and all managed servers


3) Prepare the Identity Store

3.1) Create extend.props with the following values

IDSTORE_HOST : innowave12.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=com

3.2) Run $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -preConfigIDStore input_file=extend.props

a) When prompted for the ID store Bind DN password, enter the orcladmin password

This command extends the OID schema for OAM/OIM integration and creates the FA groups and the systemids container (cn=systemids,dc=com) in the realm.


4) Configure users and groups for OAM in OID

4.1) Create oam.props with the following values

IDSTORE_HOST : innowave12.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OAMSOFTWAREUSER:oamLDAP
IDSTORE_OAMADMINUSER:oamadmin

4.2) Run $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -prepareIDStore mode=OAM input_file=oam.props

Note: the parameters supplied are case sensitive

Enter

a) When prompted for the ID store Bind DN password, enter the orcladmin password
b) When prompted for oblixanonymous, enter the password you wish to set for this user
c) When prompted for oamadmin, enter the password you wish to set for this user
d) When prompted for oamLDAP, enter the password you wish to set for this user

The above step creates the users oamadmin and oamLDAP and the group OAMAdministrators.

Note: oamadmin is the administrator used to log in to the OAM Console. oamLDAP is the account OAM uses to connect to OID (the Identity Store); OAM stores its password, so give this service account a strong, unique one.


5) Create users and groups for OIM in OID

5.1) Create oim.props with the following values

IDSTORE_HOST : innowave12.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP:OIMAdministrators

5.2) Run $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props

Note: the parameters supplied are case sensitive

Enter

a) When prompted for the ID store Bind DN password, enter the orcladmin password
b) When prompted for oimadmin, enter the password you wish to set for this user
c) When prompted for xelsysadm, enter the password you wish to set for this user

The above step creates two users (oimadmin, xelsysadm) and the container cn=reserve in OID.

Note: the oimadmin user is used by OIM to connect to OID when synchronising users from OIM to OID (LDAPSync).

Note: the xelsysadm user created here is used to log on to OIM as the super user.


6) Create users and groups for WebLogic in OID

6.1) Create wls.props with the following values

IDSTORE_HOST : innowave12.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
POLICYSTORE_SHARES_IDSTORE: true

6.2) Run $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -prepareIDStore mode=WLS input_file=wls.props

Note: the parameters supplied are case sensitive

Enter

a) When prompted for the ID store Bind DN password, enter the orcladmin password
b) When prompted for weblogic_idm, enter the password you wish to set for this user

This step creates the group IDM Administrators and the user weblogic_idm (weblogic_idm is the new super user of the WebLogic domain once the domain is configured to authenticate against OID).


7) Create users and groups for Fusion Apps in OID

7.1) Create fusion.props with the following values

IDSTORE_HOST : innowave12.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_READONLYUSER: IDROUser
IDSTORE_READWRITEUSER: IDRWUser
IDSTORE_USERSEARCHBASE:cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
IDSTORE_SUPERUSER: weblogic_fa
POLICYSTORE_SHARES_IDSTORE: true

7.2) Run $ORACLE_HOME/idmtools/bin/idmConfigTool.sh -prepareIDStore mode=fusion input_file=fusion.props

Note: the parameters supplied are case sensitive

Enter

a) When prompted for the ID store Bind DN password, enter the orcladmin password
b) When prompted for IDROUser, enter the password you wish to set for this user
c) When prompted for IDRWUser, enter the password you wish to set for this user
d) When prompted for weblogic_fa, enter the password you wish to set for this user

The above step creates
weblogic_fa (FA super user), IDROUser (FA read-only user) and IDRWUser (FA read/write user)


Finally, idmDomainConfig.param (in the directory you ran idmConfigTool from) should look like this; note that the tool has expanded every user name to its full DN:

IDSTORE_SUPERUSER: cn=weblogic_fa,cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_READWRITEUSER: cn=IDRWUser,cn=Users,dc=com
POLICYSTORE_PORT: 3060
IDSTORE_LOGINATTRIBUTE: uid
OAM_POLICYSTORE_HOST: innowave12.com
OAM_POLICYSTORE_PORT: 3060
IDSTORE_READONLYUSER: cn=IDROUser,cn=Users,dc=com
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
POLICYSTORE_READWRITE_USERNAME: cn=PolicyRWUser,cn=users,dc=com
IDSTORE_HOST: innowave12.com
IDSTORE_PORT: 3060
POLICYSTORE_CONTAINER: cn=jpsroot
OAM_RUNTIME_ROOT_DN: cn=oamLDAP,cn=Users,dc=com
POLICYSTORE_HOST: innowave12.com
OAM_USERNAME: cn=oamLDAP,cn=Users,dc=com

Note: This file (idmDomainConfig.param) will be used later, during provisioning of Fusion Applications, so keep it with the props files and confirm every entry above is present before moving on.
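Because idmConfigTool writes nothing to the screen and every run folds into one idmDomainConfig.param, a mistyped port or a container outside the realm is easy to miss until provisioning fails. The following script is an added example (not code from this post or from Oracle) that checks the props files from steps 1 to 7 before you run the tool: it parses the loose "KEY : value" lines used above, verifies each file carries the keys the corresponding step uses in this post, that the user/group/systemids containers sit under the search base, that all files agree on host, port and search base, and scans an automation.log excerpt for error lines. The required-key table is derived from the files shown in this post rather than Oracle's reference; the broken wls.props and the log excerpt are constructed test data, and the log line format is illustrative.

```python
"""Pre-flight checks for the idmConfigTool props files in this post (added example, not the
post's or Oracle's code). Parses the post's loose "KEY : value" lines, checks each file has the
keys the matching idmConfigTool step uses here, that containers sit under the search base, that
files agree on host/port/base (the tool merges them into one idmDomainConfig.param), and scans an
automation.log excerpt for errors, which the tool never prints on screen. Bad file and log are constructed."""
import re

_IDSTORE = {"IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_USERNAMEATTRIBUTE",
            "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE"}
_SHARED = {"IDSTORE_LOGINATTRIBUTE", "POLICYSTORE_SHARES_IDSTORE"}
# Keys each step's props file carries in this post; Oracle's documented list may be wider.
REQUIRED_KEYS = {
    "configPolicyStore": {"POLICYSTORE_" + k for k in ("HOST", "PORT", "BINDDN", "READONLYUSER", "READWRITEUSER", "SEARCHBASE", "CONTAINER")},
    "preConfigIDStore": _IDSTORE | {"IDSTORE_LOGINATTRIBUTE", "IDSTORE_SYSTEMIDBASE"},
    "prepareIDStore mode=OAM": _IDSTORE | _SHARED | {"OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "IDSTORE_OAMSOFTWAREUSER", "IDSTORE_OAMADMINUSER"},
    "prepareIDStore mode=OIM": _IDSTORE | _SHARED | {"IDSTORE_SYSTEMIDBASE", "IDSTORE_OIMADMINUSER", "IDSTORE_OIMADMINGROUP"},
    "prepareIDStore mode=WLS": _IDSTORE | _SHARED,
    "prepareIDStore mode=fusion": _IDSTORE | {"POLICYSTORE_SHARES_IDSTORE", "IDSTORE_READONLYUSER", "IDSTORE_READWRITEUSER", "IDSTORE_SUPERUSER"},
}
LOG_ERROR_RE = re.compile(r"\b(ERROR|SEVERE|WARNING|Exception)\b")


def parse_props(text):
    """Parse 'KEY : value' lines, tolerating the uneven spacing around ':' seen in the post."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # first ':' only, so an ldap://host:port value survives
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected KEY: value, got {raw!r}")
        props[key.strip()] = value.strip()
    return props


def dn_under(dn, base):
    """True if dn is base itself or lies beneath it; case and blanks around ',' are ignored."""
    d, b = (",".join(p.strip().lower() for p in s.split(",")) for s in (dn, base))
    return d == b or d.endswith("," + b)


def check_props(step, props):
    """Return the problems found in one props file; an empty list means it looks usable."""
    p = "POLICYSTORE" if step == "configPolicyStore" else "IDSTORE"
    problems = [f"{step}: missing {k}" for k in sorted(REQUIRED_KEYS[step] - set(props))]
    base = props.get(f"{p}_SEARCHBASE")
    for key in (f"{p}_USERSEARCHBASE", f"{p}_GROUPSEARCHBASE", f"{p}_SYSTEMIDBASE"):
        if base and key in props and not dn_under(props[key], base):
            problems.append(f"{step}: {key}={props[key]} is not under {base}")
    port = props.get(f"{p}_PORT")
    if port is not None and not port.isdigit():
        problems.append(f"{step}: {p}_PORT must be numeric, got {port!r}")
    # In this post every password is typed at the tool's prompt; none belongs in a file on disk.
    problems += [f"{step}: {k} must not be in the props file" for k in props if "PASSWORD" in k.upper()]
    return problems


def check_consistency(files):
    """Every run is folded into idmDomainConfig.param, so host, port and base must agree across files."""
    problems = []
    for suffix in ("HOST", "PORT", "SEARCHBASE"):
        vals = {p.get(f"IDSTORE_{suffix}", p.get(f"POLICYSTORE_{suffix}", "")).lower() for p in files.values()} - {""}
        if len(vals) > 1:
            problems.append(f"{suffix} differs across files: {sorted(vals)}")
    return problems


def scan_automation_log(text):
    """Return (lineno, line) for lines that look like errors; the tool reports them only in this log."""
    return [(n, l) for n, l in enumerate(text.splitlines(), 1) if LOG_ERROR_RE.search(l)]


# oam.props exactly as it appears in this post.
OAM_PROPS = """IDSTORE_HOST : innowave12.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OAMSOFTWAREUSER:oamLDAP
IDSTORE_OAMADMINUSER:oamadmin"""
# Constructed: a wls.props with a mistyped port, a user container outside the realm and a missing key.
BAD_WLS_PROPS = """IDSTORE_HOST : innowave12.com
IDSTORE_PORT : 306O
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com"""
# Constructed automation.log excerpt; the line format is illustrative, not Oracle's exact layout.
SAMPLE_LOG = """INFO: creating cn=oamLDAP,cn=Users,dc=com
SEVERE: LDAP: error code 68 - Object already exists
INFO: done"""

if __name__ == "__main__":
    files = {"prepareIDStore mode=OAM": parse_props(OAM_PROPS), "prepareIDStore mode=WLS": parse_props(BAD_WLS_PROPS)}
    for step, props in files.items():
        print("\n".join(check_props(step, props) or [f"{step}: ok"]))
    print("\n".join(check_consistency(files)))
    for n, line in scan_automation_log(SAMPLE_LOG):
        print(f"automation.log:{n}: {line}")
```

Run it once per props file before the matching idmConfigTool step, and run scan_automation_log over the real automation.log after each step; the error patterns are a heuristic, so read any flagged line in context rather than treating an empty result as proof of success.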

Next steps for the Fusion Applications installation:
–Configure OAM
–Configure OIM
–Integrate OAM with OIM
–Provision FA Transactional Database
–Create Fusion Application Provisioning Plan
–Provision Fusion Application Environment

About the Author Masroof Ahmad
