Fusion Applications 11.1.1.5.1 Installation Part III – Configure Policy and Identity Store

Hi Atul,

It is really great help from you by providing KB articles on different subjects in oracle world.

Can you please let me know when can I expect the rest of the topics in Oracle Fusion installation.

As I am planning to install Oracle Fusion.

Thanks & Regards.

@ Mohan,
I ‘ll upload steps as I find time and hope to finish everything by this month end.

Oh Great news!

Thank you very much Atul for your quick reply.

what do you suggest if I want to install on Oracle Fusion on mutiple boxes, what could be ideal RAM for each boxes.

Thank you,

Mohan

BTW, is Oracle Fusion has Vision Database?

Thank you,

Mohan

Hello, Atul

Your blog for fusion installation is extremely helpful!

Thank you so much for sharing!!

I have been following your blog and tried to install fusion myself. I have made to the exact step as your post:
Fusion Applications 11.1.1.5.1 Installation Part III – Configure Policy and Identity Store

I’m looking forward to your next post about fusion installation!

Best Regards,
Jerry

@ Jerry, I’ll do next post this week.

[…] Part III – Configure Policy and Identity Store  […]

Outstanding posts, thanks for sharing this! I ran idmConfigTools.sh in step 1.2, provide the password, but it stops say… ‘Policy Store Search Base does not exist’. In your example policystore.props file your SEARCH_BASE contains only a ‘dc=com’ whereas the manual has ‘dc=, dc=com’. I tried that as well but no better results. Any idea what is happening?

@ fusion_cwa,
Thanks, SEARCH_BASE value depends on relam (namespace) value selected during OID configuration.

What value you entered for Realm (namespace) on OID configuration page ?

http://onlineappsdba.com/wp-content/uploads/2009/08/idm_7.JPG

I took the realm the installer constructed for me and looked correct ‘dc=mylocaldomain,dc=com’ which is the string I put in the policystore.props file. Can I see where in the system it stored that value to make sure?

I checked in the oraInventory install log and it shows my entry pretty clearly. I removed the space I entered between the 2 dc= parts in the props file and tried again. No luck

@ Fusion_cwa ,
Post content of policystore.props here .

Is OID running at time of idmConfigTool.sh

POLICYSTORE_HOST : fusionoid.hitachiconsulting.com
POLICYSTORE_PORT : 3060
POLICYSTORE_SEARCHBASE: dc=hitachiconsulting,dc=com
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_CONTAINER: cn=jpsroot
POLICYSTORE_BINDDN: cn=orcladmin

Yes, OID was running when idmConfigTool.sh was run

@ Fusion_cwa,
To find out if you are using correct domain (dc=hitachiconsulting,dc=com)

ldapsearch -h fusionoid.hitachiconsulting.com -p 3060 -D “cn=orcladmin” -w “welcome1” -b “cn=common, cn=products, cn=oracleContext” -s base “orcldefaultSubscriber=*” orcldefaultSubscriber

Replace welcome1 with orcladmin password in your OID.

Update output here

I had to add the ‘-x’ parameter to get around the ‘Unknown authentication method (-6)’ error. Output is…

# extended LDIF
#
# LDAPv3
# base with scope baseObject
# filter: orcldefaultSubscriber=*
# requesting: orcldefaultSubscriber
#

# Common, Products, OracleContext
dn: cn=Common,cn=Products,cn=OracleContext
orcldefaultsubscriber: dc=localdomain

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Seeing the ‘dc=localdomain’ in the output ties back to my earlier observation posted in Part II that the target ‘/Farm_IDMDomain/aserver/oid1′ shows its host as ‘localhost.localdomain’. I changed the props file dc=localdomain and ran idmConfigTool again and now it prompts for passwords and completes. The question is, should dc=localdomain when the screenshot I captured during setup clearly shows ‘dc=hitachiconsulting,dc=com’?

Also, I assume the Data Tree screenshots in Part III are from the ODSM Data Browser? I cannot seem to log into that page using the same credentials as were successfully used above, or as ‘weblogic’. Shouldn’t it work with ‘orcladmin’?

@ fusion_cwa,

Use user cn=orcladmin

Like I said above, it does not authenticate with ‘orcladmin’. It looks as though I should uninstall everything and try again.

Hi Atul,

Q: Once I’ve ran the idmConfigTool.sh script to create the weblogic_idm in the wls.prop file, I do see an error occuring in the scripted terminal (startup of OIM): ” ”
The Oracle manual stated to use the newly generated weblogic_idm user to startup the AdminServer of WebLogic and to modify the SOA Config Username (can be founded under MBean oracle.iam – Server: wls_oim1 – Application: oim – XMLConfig – Config – XMLConfig: SOAConfig – SOAConfig). Any idea how to resolve this?

Regards,
Mike

Sorry,
the previous post of my doesn’t state the error. The error is:

I’ve read a time ago in a post that he doesn’t like the underscore in the username. Does this ring a bell?

Mike

Again, but now without brackets…

Error OIM Authentication Provider BEA-000000 oracle.iam.platform.auth.providers.wls.OIMSignatureLoginModule login() Invalid username/password

@ mvdwilden

I am not clear about your issue so could you please sum up issue, what you did and what are you trying to achieve

Hi Atul,

Sure no problem.

Chapter: 11.4.4 Creating Users and Groups for Oracle WebLogic Server:
In this chapter you’ll run a script called wls.props with the idmConfigTool in order to create the weblogic_idm user. This user will be used on several places instead of the default user weblogic.

Chapter 13.14 Enabling OIM to Connect to SOA Using the Administrative Users Provisioned in LDAP:
In this chapter you assign the user weblogic_idm to the Application-defined Mbeans–oracle.iam–Server: wls_oim1–Application: oim–XML Config–Config–XMLConfig.SOAConfig–SOAConfig
Of course we had to restart the SOA managed server for that.

Since these changes I receieve an error:
Error OIM Authentication Provider BEA-000000 oracle.iam.platform.auth.providers.wls.OIMSignatureLoginModule login() Invalid username/password

The password is not locked and is equal to the weblogic user and this works. eg log into Weblogic Adminserver.
I receive this error when I login with oamadmin on OIM self-service.
[2012-01-25T15:18:29.902+01:00] [wls_oim1] [ERROR] [] [OIM Authentication Provider] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 0000JKLEqeEF0FWFLziOOA1F7kwW0000Bm,0] [APP: oim#11.1.1.3.0] oracle.iam.platform.auth.providers.wls.OIMSignatureLoginModule login() Invalid Input username/password

I hope you can help me on this. Thx

@ mvdwilden,

One more query before I can answer

Is issue during login to OIM self service via user weblogic_idm or user oamadmin or just one of the user or with both ?

Note: oamadmin should not work and this is expected behaviour

Thanks for this great series! I deleted everything and reinstalled. I need a little clarification on one point if I may. When running OID config.sh in Part II it asks for a realm. It seems your instructions are to provide my domain (‘dc=hitachiconsulting.com,dc=com’) but your screenshots in Part III of the ODSM Data Browser does not show a domain name under Root > dc=com and your template for policystore.props does not include a domain in POLICYSTORE_SEARCHBASE. When I run idmConfigTool it says it creates PolicyROUser and RWUser but it does not prompt for a password and they are not visible in the Data Browser. Should I be using domain name in POLICYSTORE_SEARCHBASE?

@ fusion_cwa,
In my case during OID installation I used realm (domain) as dc=com and in my properties I am using domain as dc=com , searchbase as dc=com, user base as cn=Users,dc=com

If you want to keep your domain as hitachiconsulting.com then during OID installation select realm as dc=hitachiconsulting, dc=com

In my case POLICYSTORE_SEARCHBASE is dc=com

Q: When I run idmConfigTool it says it creates PolicyROUser and RWUser but it does not prompt for a password –

A: IDMConfigTool should prompt for these passwords, if not set manually using ODSM .

Thank you for this outstanding series, and for your help!

Hi,
Can you tell me the source of your snapshots. I mean which tool I should use to view that changes as you are showing in the example pics.

Thank you.

@ shehbazahmed,
I am using ODSM http://onlineappsdba.com/index.php/2009/09/30/oid-11g-oracle-directory-services-manager-odsm/ to view data in OID.

ODSM is application running on weblogic which gets installed with OID

Thanks for your quick response and for your FA installation series

Hi,

Thanks very much for your detailed explanations.

I am curious as to how the OIM/OID user account will be created in Fusion Apps. Will it be as if the user was created by logging into the Fusion Apps screens?
Can you maybe tell me the table names to look at?

Thanks!

Thanks for the response.

It just doesn’t seem like Fusion Apps recognizes the user created in OIM when you search in Fusion Apps with the Login Name/Common Name used to create the user in OIM.
But it might just be a setting that i’m missing?

I have also noticed that users created in Fusion Apps will have a FA User ID and FA Person ID in OIM. These fields may not be populated when creating the user in OIM. Will that make any difference to the Fusion Apps?

Hi Atul,

when i am running idmcongigtool getting below error.Please your help required for this issue

./idmConfigTool.sh -prepareIDStore mode=OIM input_file=oim.props
Enter ID Store Bind DN password :
The tool has completed its operation. Details have been logged to automation.log

automation.log:-
May 1, 2012 11:14:57 PM oracle.idm.automation.util.Util setLogger
WARNING: Logger initialized in warning mode
May 1, 2012 11:15:02 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler isSystemIDPresent
WARNING: Error while searching for System Base
May 1, 2012 11:15:02 PM oracle.idm.automation.impl.oim.handlers.OIMPreIntegrationHandler execute
WARNING: OIMPreIntegrationHandler : System ID is not Present

oim.props:-values

IDSTORE_HOST : orapractice1
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=com
IDSTORE_SEARCHBASE: dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=com
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP:OIMAdministrators

Hi Atul, weblogic_idm is not working for OAM login. Since OAM is not accepting this ID, all my SSO is failing.

I have followed your instructions and also checked with deployment guide http://docs.oracle.com/cd/E25054_01/fusionapps.1111/e21032/toc.htm#BEGIN. Coul not find the cause for the issue. Why OAM is not recognizing this ID ? I can explicitly login into wls console, EM, OIM console using this ID. But not into OAM.
Can you please help me out to enable weblogic_idm for OAM console !!

thanks
Jyothi

Atul, I wanted to use weblogic_idm to test SSO through OAM as per the guide. Can you please help me to make success. All I wanted is to test SSO login into EM, WLS Console, OIM and OAM using weblogic_idm.

The user oamadmin is working. But I am testing SSO. PLEASE help me. I am stuck now. Once it is working, I can confirm that my SSO setup is working and I can continue.

Really appreciate your valuable guidance in making this SSO successful using weblogic_idm.

As per the deployment guide weblogic_idm should work for SSO testing.

thanks
Jyothi

Atul, is there anything missing the deployment guide while setting up weblogic_idm ? I have not missed any steps and so, welbogic_idm should work for SSO testing. All I can assume is something is missing in the guide and OAM is not authenticating it. I can use this id to login into EM, WLS console and OIM. But since OAM is not authenticating who is the gatekeeper, I am unable to proceed with my testing.

Sorry to bug you Atul. Please help me.

thanks
Jyothi.

@ Jyothi,
There are lot of documentation bugs, as mentioned earlier you should use oamadmin to login (This user belongs to group OAMAdministrators and this group is mapped to Access System Administrator ) .

If you want to login to oamconsole using weblogic_idm then login to oamconsole using oamadmin and then add user weblogic_idm to Access Administrator in System Identity Store.

Check Neha’s post http://onlineappsdba.com/index.php/2011/07/11/oid-11g-integration-with-oam-11115-for-identity-store/

Thanks a lot Atul. I will follow Neha’s post and your suggestion for weblogic_idm.

One more problem I faced after integrating OIM with OAM. The OIM admin user xelsysadm is not working anymore to login into OIM.

How to enable it ? I see the id in OID and I can change the pwd from EM but when I try to login into OIM, it says ” Invalid user id”.

Please help me to enable this ID.

thanks
jyothi

Also, I can change the pwd for xelsysadm directly from OIM console by answering challenging questions. But when it tryies to auto login, it throws “Forbidden” error on the html.

I clearly noticed that after integrating OIM with OAM, this id will be disabled.

thanks
Jyothi

Atul thank you for your reply. Millions of thanks for solving my issue with xelsysadm. I am able to recover this Id as per your suggestion.

Very very thankful to you.

Jyothi

Atul, I have still issue with weblogic_idm even after adding it to Access System Administrators in OIMIDStore which is default store and configured to OID.

After adding it to Access System Administrators, I tried to do SSO into OAM but OAM is throwing RED message saying weblogic_idm is LOCKED. But it is not locked i can still login to EM, wls console explitly (without SSO).

Please help me to resolve this SSO issue with weblogic_idm. This is the only id now works for wls console, EM, OIM.

thanks
jyothi

Atul, I think this Id weblogic_idm has some issue so that at any cost OAM is not authenticating it. I think this id is not created propery by idmtool. As you said the deployment guide has lot of bugs.

Because i even added this id to OAMAdministrators group from ODSM. Still OAM is not authenticating it.

May be I will have to drop this invalid id.

thanks
Jyothi

Atul, you are great !! It worked. I have completed my SSO successfully with weblogic_idm.

Again another millions of thanks for solving this issue.

thank you
jyothi

The EDG guide wasted my many days without mentioning about the issue with locking out xelsysadm and about adding weblogic_idm to Access Administrator group. Feel like hitting my head against concrete pillar with all these missing information.

Five times I tried and confirmed that soon after integrating OIM with OAM, it disables xelsysadm that was nuisance. Also in the installation guide it is mentioned GCC lib for linux 64 bit is libstdc++.so.6 which was another blunder. It never worked with this lib. Big pain. Finally I took a chance to try with libstdc++.so.5 and it worked. So many BUGS in the documents.

thanks for saving my time.

Jyothi

Hi Atul, I have posted a question on authentcating my test application using OAM in the blog http://onlineappsdba.com/index.php/2012/01/04/10g-webgate-installation-with-oam-11g-access-server-id-port-and-webgate-id/.

I have done all necessary set up but not sure why authentication is not working. I refered couple of other videos also and looks like I did not miss anything. Can you please help me to fix this authentication issue.

Grately appreciate your help.

thanks

Hi Atul, please ignore my question. It is working now. I am not sure why it is working. Only thing is, I restarted all the servers including OHS. OAM is challenging me now to access my test application.

But one trick is still left me to figure out. After loggining in, OAM is letting every user to access my test application. I have put user xyz in the deny group but still OAM is letting xyz to see the page after xyz logs in !! I will try to figure out.

thanks
Jyothi

Hello Atul and all,

I am installing Oracle fusion Application update 2, and perform step 1.1 in this post and when I ran the step 1.2 I face the this error “Host/Port details missing in the Config file”.

Can you please let me know which config file this command (step 1.2) is checking. I am unable to resolve this issue so far now.

Thanks
Raj

Hello Atul,
Here are the content of policystore.props:

POLICYSTORE_HOST: fusion
POLICYSTORE_PORT: 3060
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=localdomain
POLICYSTORE_CONTAINER: cn=jpsroot

Thanks
Raj

@ Raj,
When you ping fusion then do you get IP of machine where OID is running ?

If yes then try replacing fusion with IP of machine.

If this is still an issue then share list of patches you applied on OIM/OAM ORACLE_HOME

Thanks Atul for prompt response.

I will ping fusion once I am back from office, but I am confused here I think all the required patches are covered in 11.1.3 which I am installing right now.

Please do correct me on this if I am missing anything here.

Thanks
Rajeev

@ Raj,
You must use OIM/OAM 11.1.1.5 + any patches listed in release notes of Fusion Apps under IAM section

Hi Atul,
Thanks so much for sharing useful know-how with us!!
I have a question.
The steps to create identity store in RUP2 and RUP3 are slightly different from those in RUP1. In RUP2 and RUP3 docs, there is only one props file named idstore.props, while in RUP1 docs there are many props file needed. Cloud you please tell us the differences between them, and point out what kinds of attention should be paid while creating policystore and identitystore in FA RUP2 or RUP3 installation. Thanks!

Atul, can you please help me to resolve permission issue with xelsysadm. When I tried to create user from OIM console using xelsysadm, I get LDAP error code 50 NoPermissionException “Insufficient Access Rights”. I checked the roles for xelsysadm and it System Administrators role and lot more roles.

Appreciate your help.
thanks
Jyothi

Hi Atul

I am trying to configure policystore for fusion apps and I am getting following errors. Any suggestions on this please?

./idmConfigTool.sh -configPolicyStore input_file=policestore.props
Enter Policy Store Bind DN password :
Could not connect to the Directory

policystore.prop file

POLICYSTORE_HOST : fusionapps
POLICYSTORE_PORT : 389
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_READONLYUSER: PolicyROUser
POLICYSTORE_READWRITEUSER: PolicyRWUser
POLICYSTORE_SEARCHBASE: dc=demo,dc=com
POLICYSTORE_CONTAINER: cn=jpsroot

Syed, please check your property file and ensure you have added correct data such as port number, host name etc.

I would give the data as :

POLICYSTORE_HOST: policystore.mycompany.com
POLICYSTORE_PORT: 3060
POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_READONLYUSER: PolStoreROUser
POLICYSTORE_READWRITEUSER: PolStoreRWUser
POLICYSTORE_CONTAINER: cn=jpsroot
POLICYSTORE_BINDDN: cn=orcladmin

where as 3060 is the ldap port ie., OID port.

Also, ensure that you ldap server is up and running.

thanks
jyothi

Thanks Jyothi it worked

The problem was with the port mentioned in the input file and I corrected it

Thank you very much for your hint (OID Port)

Hi Atul,
I am trying to configure the identity store and i got the below error. Any suggestions on this.

[weblogic@oel6 bin]$ ./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/stage/preconfigOIMPropertyFile.rsp

Enter ID Store Bind DN password :
OIMPreIntegrationHandler : System ID is not Present

My property file is as follows:
IDSTORE_HOST: oel6.pria.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=pria,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=pria,dc=com
IDSTORE_SEARCHBASE: dc=pria,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=pria,dc=com
IDSTORE_OIMADMINUSER: oimLDAP
IDSTORE_OIMADMINGROUP: OIMAdministrators

Any thoughts on this.

Thanks much.

Hi Atul,
I had missed on that one. Thanks for pointing it out.

I was able to create xelsysadm and oimadmin OIM users and i set the password for them but only later i found through the automation.log that the passwords i set for both the users were not updated as it was not compliant with the password policy.

I think they were updated with the default passwords. I am not sure what it would be. How do i find it? Or Is there any way to reset the passwords of xelsysadm and oimadmin now?

Thanks
Pria

@ Pria,
That means password reset failed for these accounts. You can reset password by logging to OID (using ODSM) and update password attribute for these two accounts .

On resetting password (as ldapsync is enabled) this will sync password in OIM repository (USR table)

Thanks much Atul.

Hi Atul,

Thanks for the article. It is very informative.

I was trying to automate the confiOAM and configOIM script where I don’t have to wait for the prompts for passwords for the accounts and bindDNs.
I am using the property values and parameters for the passwords as mentioned in the oracle docs but still it prompts for the passwords.

Did you or anyone had done anything like this without the scripts prompting for passwords? I know it is not secure to do so but I have a framework that would hide and insert the values during run.

Let know know if there is a workaround for those prompts.

Thanks.

@arock,
Are you talking about updating Oracle’s default scripts so that they don’t prompt for password or your own custom LDAP commands ?

In either case type the full command that is prompting for password and I’ll give you parameter to supply password with command itself .

Hi Atul,

I have implemented OIM 11g protected by OAM 10g and ODSEE.
Exactly every minute, I got error in oim.log as below:

I hope you could help me to solve this.

Sorry, I put the error message but didn’t appear.

This is the error message, and it appears every minutes!

Error BEA-000000 Error in receiving server challenge

Atul, I’m working with Haris to solve this issue. Just to provide additional information, OIM is not directly connecting with ODSEE. OIM is communicating with OAM through OIM weblogic provider in order to have SSO working for OIM. And yes, OAM user store is pointing to ODSEE.

But do you have User in OIM (USR table) same as user in ODSEE ?

Do you have Identity Asserter in OIM WebLogic Doamin for OAM .

Which document did you follow to integrate OIM with OAM/ODSEE ?

User in USR table are the same with the one existed in ODSEE, but is it not happened because of provider setting. User are created in ODSEE as a result of OIM provisioning instead.

For Identity Asserter, the setting has been deactivated. Since when we use provider and it is active, user cannot login to OIM. Account in OIM will clash with the one in ODSEE.

And I forgot about the document that I referred to.

@ Indra Permana Rusli

For Identity Asserter, the setting has been deactivated.
AK : Not sure why you did that ?

Since when we use provider and it is active, user cannot login to OIM.
AK: Do you have asserter set and depending on version of WebGate do you have ObSSOCookie or OAM_REMOTE_USER set in asserter ?

Account in OIM will clash with the one in ODSEE.
AK: Why will this clash ?

Please follow OIM-OAM integration doc and in place of OID use ODSSE

create OIM specific schema in OID
vi /stage/scripts/oim.props
IDSTORE_HOST : idm.oraclefusion4all.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE:cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP:OIMAdministrators

export MW_HOME=/d01/Weblogic/FMW/
export JAVA_HOME=/stage/jdk1.7.0_80/
export PATH=$JAVA_HOME/bin:$PATH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_IAM1
export IDM_HOME=/d01/Weblogic/FMW/Oracle_IDM1

cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/stage/scripts/oim.props
after running script and entering password it throw an error
OIMPreIntegrationHandler : System ID is not Present
how to resolve please help atul