Tuesday, December 24, 2013

Flat File Connector: Packaging the Connector

Description: Create a flat file connector installer package. The package should contain all the artifacts and metadata for the flat file connector (E.g. IT Resource, Process Form, Resource Object, Adapters, etc). On a new OIM environment, you will be able to install the flat file connector. After connector installation, modify the IT Resources to point to your target system accordingly.

Monday, December 23, 2013

Flat File Connector: Scheduled Tasks and Jobs

Description: To create a scheduled task in Oracle Identity Manager, you need to create an XML definition of the task and push that XML into the metadata store (MDS) using the WebLogic import utility or the Deployment Manager. (The XML to be imported may need to be adjusted depending on which of the two you use.) After purging the cache, you will be able to create a scheduled job of that type.

To import the metadata into MDS using weblogic import utility:

1. Modify the weblogic.properties file located in the "MW_HOME/Oracle_IDM1/server/bin" directory. Given below is an example. The metadata_files parameter is not used for importing; it is mentioned for completeness. The absolute path of my xml file is "/home/oracle/importMetadata/flatfile/metadata/FFLookupRecon.xml".

# Weblogic Server Name on which OIM application is running 

wls_servername=oim_server1

# If you are importing or exporting any out of box event handlers, value is oim. 
# For rest of the out of box metadata, value is OIMMetadata. 
# If you are importing or exporting any custom data, always use application name as OIMMetadata.

application_name=OIMMetadata

# Directory location from which XML file should be imported.
# Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml, 
# I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist 
# in this folder or in its sub folders. Import utility tries to recursively import all the files under the 
# from location folder. This property is only used by weblogicImportMetadata.sh

metadata_from_loc=/home/oracle/importMetadata/flatfile

# Directory location to which XML file should be exported to

metadata_to_loc=

# For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
# This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts

metadata_files=/metadata/FFLookupRecon.xml

2. Execute the weblogicImportMetadata.sh script located in the "MW_HOME/Oracle_IDM1/server/bin" directory. When running the script, you will be prompted to enter the WebLogic username, password, and admin server URL.

3. Purge the cache. You will be prompted to enter the administrator credential for OIM and the OIM service URL.

cd  /home/oracle/Oracle/Middleware/Oracle_IDM1/server/bin
./PurgeCache.sh ALL
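A pre-flight check for step 1, as an added example in Python that is not part of the original post or of Oracle's utilities: it parses weblogic.properties and verifies that metadata_from_loc contains only the XML you mean to import, since the utility imports everything under that folder recursively. The properties text, the directory layout and the file contents in the block are constructed samples.

```python
"""Pre-flight check for weblogicImportMetadata.sh (added example, not Oracle's code).

Parses weblogic.properties and verifies that the import directory holds only the
XML files you intend to push into MDS: the import utility recursively imports
everything under metadata_from_loc, so a stray file ends up in the metadata store.
"""
import os
import tempfile


def parse_properties(text):
    """Parse the key=value lines of weblogic.properties, ignoring # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_import_location(props):
    """Return a list of problems found for an import run (empty list = OK)."""
    problems = []
    from_loc = props.get("metadata_from_loc", "")
    if not from_loc or not os.path.isdir(from_loc):
        return ["metadata_from_loc is unset or not a directory: %r" % from_loc]
    # The post's comment: custom metadata is always imported as OIMMetadata.
    if props.get("application_name") != "OIMMetadata":
        problems.append("custom metadata must be imported with application_name=OIMMetadata")
    found = []
    for root, _dirs, files in os.walk(from_loc):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), from_loc)
            found.append(rel)
            if not name.lower().endswith(".xml"):
                problems.append("non-XML file would be imported: " + rel)
    if not found:
        problems.append("no files under metadata_from_loc; nothing would be imported")
    return problems


# Constructed sample mirroring the weblogic.properties shown in the post.
SAMPLE_PROPERTIES = """\
# Weblogic Server Name on which OIM application is running
wls_servername=oim_server1
application_name=OIMMetadata
metadata_from_loc={from_loc}
metadata_to_loc=
metadata_files=/metadata/FFLookupRecon.xml
"""


def demo():
    """Build a throwaway import tree shaped like /home/oracle/importMetadata/flatfile
    and run the check before and after a stray file appears in it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "metadata"))
    with open(os.path.join(base, "metadata", "FFLookupRecon.xml"), "w") as fh:
        fh.write("<scheduledTasks/>")  # placeholder content, not the real task XML
    props = parse_properties(SAMPLE_PROPERTIES.format(from_loc=base))
    clean = check_import_location(props)
    # A leftover editor backup would be imported too; the check flags it.
    with open(os.path.join(base, "metadata", "FFLookupRecon.xml~"), "w") as fh:
        fh.write("")
    dirty = check_import_location(props)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before)
    print("with stray file:", after)
```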



To import metadata into MDS using deployment manager:

1. Login to the OIM console, go to the Advanced section, and click Import Deployment Manager File under System Management. 


2. Select xml to import.


Friday, December 20, 2013

Flat File Connector: Creating Lookups

The lookups given here are needed for the ICF flat file connector demo. To create, modify, or delete a lookup, use design console and navigate to the Lookup Definition under Administration.


Main Configuration Lookup
This lookup contains information regarding the connector bundle, such as the bundle name, version, and connector name. This lookup is used by the ICF to load the connector at run time.


Lookup Name: Lookup.FF.Configuration
Lookup Type
Group: FF

Code Key                  | Decode                                                     | Description
Bundle Name               | org.identityconnectors.flatfile                            | Bundle name which contains the connector SPI implementation
Bundle Version            | 1.0                                                        | Bundle version
Connector Name            | org.identityconnectors.flatfileconnector.FlatFileConnector | Fully qualified name of the connector implementation
User Configuration Lookup | Lookup.FF.UM.Configuration                                 | User configuration lookup containing the information about the provisioning attribute map and reconciliation attribute map

User Configuration Lookup
This lookup contains the information about the provisioning attribute map and reconciliation attribute map lookups to be used for the connector.


Lookup Name: Lookup.FF.UM.Configuration
Lookup Type
Group: FF

Code Key                   | Decode                    | Description
Provisioning Attribute Map | Lookup.FF.UM.ProvAttrMap  | Contains mapping of OIM fields with the target fields and is used during provisioning operation.
Recon Attribute Map        | Lookup.FF.UM.ReconAttrMap | Contains mapping of OIM object fields with the target fields and is used during reconciliation operation.

Provisioning Attribute Map Lookup
This lookup is used by the ICF OIM glue during provisioning operations. It contains the mapping between OIM attributes and target attributes.


Lookup Name: Lookup.FF.UM.ProvAttrMap
Lookup Type
Group: FF

Code Key         | Decode    | Description
ReturnValue      | __UID__   | UID returned by ICF
AccountID        | AccountId | Account ID as represented in flat file
FirstName        | firstName | First name as represented in flat file
LastName         | lastName  | Last Name as represented in flat file
Email            | email     | Email as represented in flat file
UD_FLAT_CH~Roles | Role      | Role as represented in flat file

General Rule for Single-valued Attributes: 
For Code Key use the field label on the Flat File parent process form.
For Decode use the name of the attribute on the target system. __UID__ is a special case handled by ICF.

General Rule for Multi-valued Attributes:
Code Key = <CHILD_TABLE_FORM>~<CHILD_FIELD_LABEL>
Decode = <TARGET_ATTRIBUTE>

Roles Lookup for Child Form
The values defined in this lookup would be used by the flat file child form. A scheduled task is created to populate this lookup.


Lookup Name: Lookup.FF.Roles
Lookup Type
Group: FF

Reconciliation Attribute Map Lookup
This section includes the steps for creating the reconciliation attribute map. This map is referred to by the OIM ICF glue during reconciliation.



Code: Lookup.FF.UM.ReconAttrMap
Lookup Type
Group: FF

Code Key    | Decode
AccountId   | AccountId
FirstName   | firstName
LastName    | lastName
Email       | email
Roles~Roles | Role

General Rule for Single-valued Attributes: 
Code Key = <Recon Field Name>
Decode = <Target Attribute Name>

General Rule for Multi-valued Attributes:
Code Key = <Recon Multivalued Map Name>~<Recon Field Name>
Decode = <Target Attribute Name>

The reconciliation fields are defined in the reconciliation profile of the flat file resource object. In Design Console, navigate to Resource Management -> Resource Object, search for FLATFILERESOURCE, and click Object Reconciliation to view the reconciliation profile.
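An added example, not code from the post or from Oracle, that models the code-key conventions above in Python: it checks a ProvAttrMap against the __UID__ rule and the child-form rule, cross-checks the target attribute names between ProvAttrMap and ReconAttrMap, and shows how a <CHILD_TABLE_FORM>~<CHILD_FIELD_LABEL> key turns child-table rows into one multi-valued target attribute. The lookup contents are copied from the tables above; the sample account data and the "child forms are UD_ tables" rule are assumptions.

```python
"""Validate the ICF attribute-map lookups described above (added example, not Oracle's code).

Conventions from the post:
  ProvAttrMap   single-valued: <parent form field label>   multi-valued: <CHILD_TABLE_FORM>~<CHILD_FIELD_LABEL>
  ReconAttrMap  single-valued: <Recon Field Name>          multi-valued: <Recon Multivalued Map Name>~<Recon Field Name>
__UID__ is the ICF special case: the connector returns it after a create, it is never sent to the target.
"""

# Constructed copies of the lookup tables from the post (code key -> decode).
PROV_ATTR_MAP = {
    "ReturnValue": "__UID__",
    "AccountID": "AccountId",
    "FirstName": "firstName",
    "LastName": "lastName",
    "Email": "email",
    "UD_FLAT_CH~Roles": "Role",
}
RECON_ATTR_MAP = {
    "AccountId": "AccountId",
    "FirstName": "firstName",
    "LastName": "lastName",
    "Email": "email",
    "Roles~Roles": "Role",
}


def split_code_key(code_key):
    """Return (container, field): container is the child form or multivalued map
    name for a '~' key, or None for a single-valued attribute."""
    if "~" in code_key:
        container, field = code_key.split("~", 1)
        return container, field
    return None, code_key


def validate_prov_attr_map(prov):
    """Return a list of convention violations (empty list means the lookup is consistent)."""
    problems = []
    if prov.get("ReturnValue") != "__UID__":
        problems.append("ReturnValue must decode to __UID__")
    for key, decode in prov.items():
        container, field = split_code_key(key)
        if not field or not decode:
            problems.append("empty code key or decode: %r -> %r" % (key, decode))
        # Assumption: child process forms are UD_ tables, as UD_FLAT_CH is in the post.
        if container is not None and not container.startswith("UD_"):
            problems.append("child form in code key is not a UD_ table: " + key)
        if decode.startswith("__") and key != "ReturnValue":
            problems.append("ICF special attribute used outside ReturnValue: " + key)
    return problems


def compare_target_attributes(prov, recon):
    """Target attributes that provisioning writes but reconciliation never reads, and
    the reverse. Two empty lists mean the maps agree on the target schema."""
    prov_targets = {v for k, v in prov.items() if k != "ReturnValue"}
    recon_targets = set(recon.values())
    return sorted(prov_targets - recon_targets), sorted(recon_targets - prov_targets)


def build_target_payload(prov, parent_form, child_rows):
    """Simplified model of what the ICF glue does with ProvAttrMap on a create:
    parent-form values become single target attributes, and the rows of the child
    table named in a '~' key become a list under the multi-valued target attribute."""
    payload = {}
    for key, decode in prov.items():
        if decode == "__UID__":
            continue  # filled in from the connector's return value, not sent
        container, field = split_code_key(key)
        if container is None:
            if field in parent_form:
                payload[decode] = parent_form[field]
        else:
            rows = child_rows.get(container, [])
            payload[decode] = [row[field] for row in rows if field in row]
    return payload


if __name__ == "__main__":
    print(validate_prov_attr_map(PROV_ATTR_MAP))
    print(compare_target_attributes(PROV_ATTR_MAP, RECON_ATTR_MAP))
    # Constructed sample account: parent form fields plus two rows on the roles child form.
    print(build_target_payload(
        PROV_ATTR_MAP,
        {"AccountID": "jdoe", "FirstName": "Jane", "LastName": "Doe", "Email": "jdoe@example.com"},
        {"UD_FLAT_CH": [{"Roles": "admin"}, {"Roles": "user"}]}))
```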

Flat File Connector: Reconciliation Rule

Description: Reconciliation rules are used by the reconciliation engine for entity matching. During reconciliation, when a target system record is pulled into OIM, the reconciliation engine tries to match the target system record with existing OIM user records. The matching process is typically comparing a specific OIM User profile attribute to an attribute on the target system.

Flat File Connector: Target User Reconciliation Mappings (Recon Fields To Process Form Fields)

Description: Create the reconciliation mapping for the flat file connector for target user reconciliation. The mapping is an association between the reconciliation fields and the process form fields.

Process matching is determined by the reconciliation mapping key field. During a target reconciliation run, the process matching rule is applied to each process form of a resource object instance (account). If no match is found, then entity matching is performed; it uses the reconciliation rule, which tries to match an attribute in the OIM User profile with a target system attribute.

Flat File Connector: Creating Reconciliation Profile

Description: You will be creating a reconciliation profile for the flat file connector. This consists of creating reconciliation fields and reconciliation action rules.

Reconciliation fields represent the actual fields of the target system. The association between the reconciliation fields and target system fields is determined by a lookup, namely Lookup.*.UM.ReconAttrMap.

Reconciliation action rules define the actions that must be performed based on the reconciliation rules. These action rules determine how the reconciliation events are processed (E.g. A new provisioned resource in Oracle Identity Manager is created and associated with the corresponding owner identity. The matched provisioned resource in Oracle Identity Manager is updated to reflect the current state of the target account).

Thursday, December 19, 2013

Flat File Connector: Creating Adapter and Process Tasks for Child Form

Description: You will be creating an adapter that is responsible for performing provisioning operations on the flat file connector roles child form. Then you will create process tasks for insert, delete, and update that use this adapter.

Tuesday, December 17, 2013

Flat File Connector: Creating a Child Process Form

Description: This includes the steps to create a child form for the flat file connector. A target system may have attributes that can store more than one value. For example, a user on the target system can have multiple email addresses. A resource object instance consists of a parent form and one or more child forms. These forms store data about the user account on the target system and are also used during provisioning. Oracle Identity Manager handles the values of multivalued attributes via child forms.

Thursday, December 12, 2013

Flat File Connector: IT Resources

Here you will be creating a Flat File IT Resource and a Connector Server IT Resource for the Flat File Connector.

Follow the steps given below to create an IT Resource in general:
  1. Log in to Oracle Identity Manager Administrative and User Console (E.g. http://localhost:14000/oim/). 
  2. Navigate to the Advanced section and click Create IT Resource under Configuration. 


Flat File Connector: Process Definition and Process Tasks

Here you are going to create a process definition for the Flat File connector. Then you will need to create several standard process tasks. To these process tasks, you will attach the adapters you created in the Flat File Connector: Creating Adapters for Parent Form section.

The Create User process task is executed whenever you provision a Flat File account to an OIM User. The Delete User process task is called whenever you revoke a user's Flat File account in OIM. The Enable User process task is called whenever you manually enable a user's Flat File account in OIM. For each attribute on the Flat File parent process form excluding Server attribute, you will need to create an update process task.
 
In Design Console, open Process Definition under Process Management.

Tuesday, December 3, 2013

Flat File Connector: Creating Adapters for Parent Form

To create an adapter, open Adapter Factory under Development Tools in Design Console. Listed here are the important adapters for the flat file connector parent form. These adapters are also standard for ICF connectors.

Monday, December 2, 2013

Revoking OIM Accounts using OIM API

Version: Oracle Identity Manager 11g R2
Description: Given here is sample Java code that revokes all User accounts (resource object instances) in OIM. Modify the class variables to match your OIM environment.

Code Overview:
  1. Login to OIM remotely using the OIM Client.
  2. Get the ProvisioningService service.
  3. Connect to the OIM schema and query the OIU (Object Instance User Mapping) table. This table contains the account id needed for the revoke method of the ProvisioningService.

Tuesday, November 26, 2013

Sample Custom Schedule Task

Version: Oracle Identity Manager 11g R2
Description: This post demonstrates how to develop a custom scheduled task. Provided here is a sample custom scheduled task that creates a new OIM user, with the user data being supplied through the scheduled task parameters.

Monday, November 25, 2013

Registering a Plugin using OIM APIs

Version: Oracle Identity Manager 11g R2
Description: Provided here is Java code to remotely register a plugin such as an event handler or a scheduled task. The OIMClient and PlatformService are used. Adjust the variables (E.g. path to the zip file and OIM credentials) accordingly.

Sunday, November 24, 2013

Enabling Auto Login by Using the Boot Identity File

Version: WebLogic 10.3.5
Description: WebLogic contains out of the box scripts to start up your WebLogic server instances (E.g. startWebLogic.sh and startManagedWebLogic.sh). Whenever you run these scripts, you are prompted to enter the weblogic administrator credentials. A boot identity file contains user credentials for starting and stopping an instance of WebLogic Server. An Administration Server can refer to this file for user credentials instead of prompting you to provide them. The administration server is used as an example here.

Saturday, November 23, 2013

Automating WebLogic Server Instances Startup and Shutdown in Linux

Description: This post contains scripts to automate the startup and shutdown of the Oracle Identity Manager managed server and the WebLogic Admin server in a Linux environment. Before using these scripts, you need to configure Node Manager.
Start up Order:
  1. Start Node Manager.
  2. Connect to Node Manager using WebLogic Scripting Tool (WLST).
  3. Have Node Manager start up your WebLogic server instances.
Shutdown Order:
  1. Connect to Node Manager using WebLogic Scripting Tool (WLST).
  2. Shut down the WebLogic Server instances.
  3. Terminate Node Manager.

Tuesday, November 19, 2013

Purging the Cache

Version: Oracle Identity Manager 11g R2
Description: The PurgeCache utility can be used to purge all elements in the cache.

Using OIM 11g R2 API

Setup and Configuration
Copy "IDM_HOME/server/client/oimclient.zip" to your computer and unzip it. This directory is referred to as OIM_CLIENT_HOME and includes the jars and configuration files needed to use the OIM client. Generate wlfullclient.jar by executing:

java -jar MW_HOME/modules/com.bea.core.jarbuilder_1.7.0.0.jar

Copy wlfullclient.jar into the OIM_CLIENT_HOME/lib directory.

Required Jars for Java Project
  • commons-logging  (Inside oimclient.zip) 
  • spring.jar (Inside oimclient.zip)
  • oimclient.jar (Inside oimclient.zip) 
  • wlfullclient.jar (To be generated)
  • jrf-api.jar   (MW_HOME/oracle_common/modules/oracle.jrf_11.1.1/jrf-api.jar)

Code Example
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;
import oracle.iam.identity.exception.UserSearchException;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authz.exception.AccessDeniedException;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;

/**
 * Uses the OIMClient to access services in Oracle
 * Identity Manager.
 */
public class OracleIdentityManagerClient 
{
    public static final String OIM_HOSTNAME = "localhost";
    public static final String OIM_PORT = "14000";
    public static final String OIM_PROVIDER_URL = "t3://" + OIM_HOSTNAME + ":" + OIM_PORT;
    public static final String OIM_USERNAME = "xelsysadm";
    // Sample value only; a real client should read the password from a protected source, not a constant
    public static final String OIM_PASSWORD = "Password1";
    public static final String OIM_CLIENT_HOME = "/home/oracle/Desktop/oimclient";
    public static final String AUTHWL_PATH = OIM_CLIENT_HOME + "/conf/authwl.conf";

    public static void main(String[] args) 
    {
        OIMClient oimClient = null;

        try 
        {
            // Set system properties required for OIMClient
            System.setProperty("java.security.auth.login.config", AUTHWL_PATH);
            System.setProperty("APPSERVER_TYPE", "wls");

            // Create an instance of OIMClient with OIM environment information
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_PROVIDER_URL);
            oimClient = new OIMClient(env);

            // Login to OIM with the appropriate credentials
            oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());

            // Lookup a service
            UserManager usermgr = oimClient.getService(UserManager.class);

            // Call a method from a service: search for every user by User Login
            List<User> users = usermgr.search(
                    new SearchCriteria("User Login", "*", SearchCriteria.Operator.EQUAL),
                    new HashSet<String>(), new HashMap<String, Object>());
            System.out.println(users);
        }
        catch (LoginException ex) 
        {
            Logger.getLogger(OracleIdentityManagerClient.class.getName()).log(Level.SEVERE, null, ex);
        }
        catch (AccessDeniedException ex)
        {
            Logger.getLogger(OracleIdentityManagerClient.class.getName()).log(Level.SEVERE, null, ex);
        }
        catch (UserSearchException ex) 
        {
            Logger.getLogger(OracleIdentityManagerClient.class.getName()).log(Level.SEVERE, null, ex);
        }
        finally
        {
            // Logout user from OIMClient
            if (oimClient != null)
                oimClient.logout();
        }
    }
}

Monday, November 18, 2013

Automating Oracle Database Startup and Shutdown in Linux

Operating System: Oracle Linux 6.3
Database Version: 11.2.0.1.0

Given here is a bash script to automate the start up and shutdown of an Oracle database. The bash script calls out of the box Oracle DB scripts. Your Oracle database instance and the listener are started/stopped when the bash script is executed.

Sunday, November 17, 2013

Close Reconciliation Events Through OIM API

Version: Oracle Identity Manager 11g R1
Description: Reconciliation events are created when you run target user reconciliation. On a target system with a large number of accounts, you are likely to have events for orphan accounts, which are users that do not exist in OIM but exist on the target system, and events that are in a pending state. When you view these reconciliation events through the OIM console, you have the choice to manually link each one to an OIM user or close the event. Given here is code to close all the reconciliation events that were not linked.

Disabling a Schedule Task

Version: Oracle Identity Manager 11g R1
There are several ways to prevent a scheduled task from running:
  1. OIM API
  2. Manually disable through the OIM console
  3. Modify the schedule task metadata
  4. Disable the scheduler from running

Wednesday, November 13, 2013

How to Install OIM 11.1.2.1.0

This guide will show you how to install Oracle Identity Manager 11g R2 Patch Set 1 (PS1) in an Oracle Linux 6 (64-bit) environment.

Documentation References:
System Requirements and Specifications for OIAM

Identity and Access Management Documentation Library


Overview
  1. Environment Setup
  2. Oracle Database 11g R2 Installation
  3. JRockit Installation
  4. OIM 11.1.2.1 Schema Creation
  5. WebLogic 10.3.6 Installation
  6. SOA 11.1.1.6.0 Installation
  7. Apply Mandatory SOA Patches
  8. IDM 11.1.2.1 Installation
  9. Apply More Patches 
  10. Creating WebLogic Domain
  11. Configure Database Security Store for WebLogic Domain
  12. Configure Oracle Identity Manager 11.1.2.1.0
  13. Post Installation
Environment Setup
  • Create an oracle user in Linux. Use this user for your installations.
  • Modify your "/etc/hosts" file to include IP address and host name mapping.
  • The minimum Open File Limit should be 4096. Make the change in "/etc/security/limits.conf". 
    #Example
    * soft  nofile  4096
    * hard  nofile  65536  
  • Install the necessary packages.
    binutils-2.20.51.0.2-5.28.el6
    compat-libcap1-1.10-1
    compat-libstdc++-33-3.2.3-69.el6 for x86_64
    compat-libstdc++-33-3.2.3-69.el6 for i686
    gcc-4.4.4-13.el6
    gcc-c++-4.4.4-13.el6
    glibc-2.12-1.7.el6 for x86_64
    glibc-2.12-1.7.el6 for i686
    glibc-devel-2.12-1.7.el6 for i686
    libaio-0.3.107-10.el6
    libaio-devel-0.3.107-10.el6
    libgcc-4.4.4-13.el6
    libstdc++-4.4.4-13.el6 for x86_64
    libstdc++-4.4.4-13.el6 for i686
    libstdc++-devel-4.4.4-13.el6
    libXext for i686
    libXtst for i686
    openmotif-2.2.3 for x86_64
    openmotif22-2.2.3 for x86_64
    redhat-lsb-core-4.0-7.el6 for x86_64
    sysstat-9.0.4-11.el6
    uln-internal-setup-1.0.1-1.el6.noarch.rpm 
  • Change the value of SHMMAX to 4294967295 or higher by including the following line in /etc/sysctl.conf:
    kernel.shmmax = 4294967295 
Oracle Database 11g R2 Installation
Follow the guide given here.

JRockit Installation
Follow the guide given here.
Do not use JRockit 1.6.0_45 because you will get an error when trying to configure the database keystore. Read "Error Occurred While creating OPSS Security Store in OIM 11.1.2.1 Install (Doc ID 1555444.1)" about the known issue. Below is the error message you will get when trying to create the keystore:

Info: Data source is: opss-DBDS
Problem invoking WLST - Traceback (innermost last):
File "/u01/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py", line 896, in ?
TypeError: cannot concatenate 'str' and 'NoneType' objects

OIM 11.1.2.1 Schema Creation
Version: Repository Creation Utility 11.1.2.1.0 (32-bit)
File: V37476-01.zip

Extract the file and change the JRE_DIR variable in the "rcuHome/bin/rcu" script to point to your java jre location. On the "Select Components" step, select Oracle Identity Manager. The following schemas are created: MDS, OPSS, OIM, SOAINFRA, and ORASDPM.


WebLogic 10.3.6 Installation
File: V29856-01.zip
Execute the jar file:
java -jar wls1036_generic.jar

SOA 11.1.1.6.0 Installation
Files:
V29672-01_1of2.zip
V29672-01_2of2.zip

After extracting both files, there should be five Disk directories. Navigate to the "Disk 1" directory and execute the runInstaller script specifying your JRE location.  
./runInstaller -jreLoc /home/oracle/java/jrockit64/jre

Apply Mandatory SOA Patches
Refer to the Release Notes under section "2.2.2 Mandatory Patches Required for Installing Oracle Identity Manager" for the full list of mandatory patches. Read the README in each patch for additional information.

Files:
p16385074_111160_Generic.zip
p13973356_111160_Generic.zip
p14196234_111160_Generic.zip
p16366204_111160_Generic.zip

Note: Make sure the patches are for SOA 11.1.1.6.0. You will get a conflict issue if you try to apply a different SOA patch version (Other patches might get deleted if you try to proceed).

To apply a patch: 
  1. Temporarily set ORACLE_HOME and add the SOA OPatch directory to PATH.
  2. Extract a patch. Navigate into the directory and execute "opatch apply". Only for patch 16385074, navigate to opatch/16385074 and then apply.
#Include the SOA OPatch in Path
export PATH=/home/oracle/Oracle/Middleware/Oracle_SOA1/OPatch:$PATH
#Set the ORACLE_HOME to the SOA Directory
export ORACLE_HOME=/home/oracle/Oracle/Middleware/Oracle_SOA1

#To check the patches applied
opatch lsinventory

IDM 11.1.2.1 Installation
Files:
V37472-01_1of2.zip
V37472-01_2of2.zip

After unzipping the two files, three Disk directories are created. Navigate to the "Disk 1" directory and execute the runInstaller script specifying your JRE location.
./runInstaller -jreLoc /home/oracle/java/jrockit64/jre

Apply More Patches
Refer to the Release Notes under section "2.2.2 Mandatory Patches Required for Installing Oracle Identity Manager" for the full list of mandatory patches.

#IDM Oracle Home
export PATH=/home/oracle/Oracle/Middleware/Oracle_IDM1/OPatch:$PATH
export ORACLE_HOME=/home/oracle/Oracle/Middleware/Oracle_IDM1

#Common Oracle Home
export PATH=/home/oracle/Oracle/Middleware/oracle_common/OPatch:$PATH
export ORACLE_HOME=/home/oracle/Oracle/Middleware/oracle_common
Files:
p16400771_111160_Generic.zip
p16472592_111160_Generic.zip
p16513008_111210_Generic.zip

16472592: Oracle WebCenter Portal
* opatch/16472592 : Applicable for ORACLE_HOME [oracle_common]

16400771: Oracle Platform Security Services
Applicable for ORACLE_HOME [oracle_common]

16513008: Oracle Access Manager
Applicable for ORACLE_HOME [Oracle_IDM1]

Creating WebLogic Domain
Navigate to /home/oracle/Oracle/Middleware/oracle_common/common/bin and run command: ./config.sh
Select Oracle Identity Manager - 11.1.2.0.0.
The following are automatically selected:
Oracle SOA Suite
Oracle Enterprise Manager
Oracle Platform Security Service
Oracle WSM Policy Manager
Oracle JRF WebServices Asynchronous services
Oracle JRF

Configure Database Security Store for WebLogic Domain

#Create OPSS Database Keystore
#[mw_home]/oracle_common/common/bin/wlst.sh [iam_home]/common/tools/configureSecurityStore.py -d [domaindir] -c IAM -p [opss_schema_password] -m create
/home/oracle/Oracle/Middleware/oracle_common/common/bin/wlst.sh /home/oracle/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /home/oracle/Oracle/Middleware/user_projects/domains/oim_domain -c IAM -p Password1 -m create

#Validate OPSS Database Keystore
#[mw_home]/oracle_common/common/bin/wlst.sh [iam_home]/common/tools/configureSecurityStore.py -d [domaindir] -m validate
/home/oracle/Oracle/Middleware/oracle_common/common/bin/wlst.sh /home/oracle/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /home/oracle/Oracle/Middleware/user_projects/domains/oim_domain -m validate

Configure Oracle Identity Manager 11.1.2.1.0
Start the WebLogic Admin Server and the SOA managed server. The startup scripts are located in "MW_HOME/user_projects/domains/DOMAIN_NAME/bin".

#Start WebLogic AdminServer
./startWebLogic.sh

#Start SOA
./startManagedWebLogic.sh soa_server1

Navigate to MW_HOME/Oracle_IDM1/bin and run the config.sh script.

Post Installation
Shut down all servers and apply patch 16478722 to oracle common home.
File: p16478722_111160_Generic.zip

Tuesday, November 12, 2013

How to Check OIM Schema Version

To find out your schema version, execute the following query:
select * from schema_version_registry;

Saturday, November 9, 2013

Flat File Connector: Creating a Process Form

This guide demonstrates how to create a process form. The flat file connector provided by Oracle is used as an example.

A process form stores identity attribute data from the target resource. During a provisioning process, data from the process form flows out to the target resource. On reconciliation, Oracle Identity Manager reads from the target resource and stores the data in a process form.

Flat File Connector: Creating a Resource Object

This guide demonstrates how to create a resource object. The flat file connector provided by Oracle is used as an example.

A resource object is a virtual representation of an account on a target system. If an OIM user has an account on the target system and reconciliation is run, the user gets a resource object instance associated with it.

Flat File Connector: Creating IT Resource Type

This guide demonstrates how to create an IT resource type. The flat file connector provided by Oracle is used as an example.

IT resource types are templates for the IT resource definitions that reference them. After defining an IT resource type, you will be able to create an instance of an IT resource of the new type.

Wednesday, November 6, 2013

ls Command: List Contents of Directory

Summary
The ls command lists the files in a directory. It is used often when navigating your file system from the terminal.

SYNOPSIS
ls [OPTION] [FILE]

When you invoke the command with no arguments, the files in the current directory are listed.

Options
Given here are common options used often. You can combine options together.
-a    List all entries. For example, files that begin with a period (.) are listed.

-l    List in long format.
      1st column: File Type and file permissions for users, group, and others.
      2nd column: Number of links
      3rd column: File owner
      4th column: Group owner
      5th column: File size
      6th column: Last modification date
      7th column: Name of file
      Example: -rw-rw-r--  1  oracle  oracle  6880  Oct 21 23:10  README

-h   Print file sizes in human readable format (e.g. 8.3M, 1.1K, etc)

-R   Recursively list sub-directories encountered.

-F   Appends a character revealing the nature of a file.
      Regular files have no suffix.
      *   executable file
      @   symbolic link
      /   directory
      =   socket

-t   Sort by time modified. Latest first.

-i   Print the i-number (inode number) of each file.

-u   Use time of last access instead of last modification.

-1   Force one-entry-per-line output format.

Sunday, November 3, 2013

Oracle DB: Get All the Foreign Key References on a Specific Column

At times it is useful to know all the foreign keys that reference a specific table column. The query provided here gives you the table that holds the foreign key, the name of the foreign key constraint, and the table and column the foreign key references. Change the value of ucc.column_name to the column whose foreign key references you want.

SELECT
   uc.table_name AS foreign_table,
   uc.constraint_name AS foreign_constraint_name,
   ucc.table_name AS referenced_table,
   uc.r_constraint_name AS referenced_constraint_name,
   ucc.column_name AS referenced_column
FROM
   user_constraints uc,
   user_cons_columns ucc
WHERE
   uc.r_constraint_name = ucc.constraint_name AND
   uc.constraint_type = 'R' AND
   ucc.column_name = 'USR_KEY';

Thursday, October 17, 2013

Enable OpenLDAP Logs

Summary: This post demonstrates how to enable logging for OpenLDAP. Click here for more information about the log levels. The example here sets the log level to 256, which logs connections, operations, and results.

Thursday, October 10, 2013

How to Give a User sudo Power

This post demonstrates how to add a user to the sudoers list on a Linux Operating System.

1. Open a terminal and login as the root user.
su root

2. Open the "/etc/sudoers" file or execute "visudo".
vi /etc/sudoers
visudo  # Opens the same file, with a lock and a syntax check when you save

3. Add a new line below the root user.
Format: <username> ALL=(ALL)       ALL
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
oracle  ALL=(ALL)       ALL

4. Save the file. Now your user should have root privileges.
sudo [command]

Tuesday, September 10, 2013

Set a Process Task to Trigger off Another

Version: Oracle Identity Manager 11g
Description: This post provides an example to trigger a process task off another process task. All changes are done through OIM Design Console. For a process task, you are able to assign dependent tasks and preceding tasks. Preceding tasks must have a completed status before the current process is triggered. Dependent tasks are triggered when the current process has a completed status.

Tuesday, August 6, 2013

Installing and Configuring a Java Connector Server

Original Instructions: https://wikis.oracle.com/display/IdentityConnectors/Connector+Servers#ConnectorServers-
Description: A connector server is required when a connector bundle is not directly executed within your application. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

Tuesday, July 9, 2013

Implementing Target Delete Reconciliation

Version: Oracle Identity Manager 11.1.1.5.0
Description: This article demonstrates how to implement target delete reconciliation using the OIM APIs. The methods from oracle.iam.reconciliation.api.ReconOperationsService are used. The code given here can be further developed into a scheduled task. The Database Application Table Connector is used here. Follow the guide given here to set up the connector in OIM.

Steps for Implementation:
1. Get all the users from your target system along with their attributes, mainly the ones for OIM account rule matching. Users data must be put into an array of hashmaps with each hashmap containing a single user's data. (Key= attributeNameInTarget, Value=attributeValueInTarget)
2. Get the ReconOperationsService service. Call methods from ReconOperationsService.
3. provideDeletionDetectionData(java.lang.String objectName, java.util.Map[] paoAccountDataList)
4. getMissingAccounts(java.lang.String objectName, java.util.Set accountsFound)
5. deleteDetectedAccounts(Thor.API.tcResultSet poDetectedAccounts)
6. processReconciliationEvent(long rceKey)

Saturday, July 6, 2013

SQL Query to get User Accounts Statuses

Version: Oracle Identity Manager 11.1.1.5.0
Description: Given here is a SQL query to get the statuses of each user's accounts (resource object instances).

Friday, July 5, 2013

Updating OIM Process Form of a Resource Object Instance Through SQL

Version: Oracle Identity Manager 11.1.1.5.0
Description: Given here is an SQL query to update the process form of every outdated Resource Object Instance. A sample scenario: you have users provisioned to a target system (e.g. Active Directory, OpenLDAP) and the target accounts are already replicated in OIM. These target accounts are represented as Resource Object Instances in OIM, and the process form holds their data. Later you add a new attribute to the process form of a specific resource object and make it the active version through the Design Console. You will notice that the new attribute does not appear on the process forms of existing resource object instances. To fix that, execute the query given here. You can also use OIM's Form Version Control (FVC) utility to do the same; that is the supported route, whereas the query writes to the OIM schema directly.

Tuesday, July 2, 2013

Adding OIM User Defined Attribute through the OIM API

Version: Oracle Identity Manager 11g R1
Description: This post contains Java code to add an OIM User Profile attribute using the OIM API. The ConfigManager class contains the method to add a user-defined field (UDF). The code below is for demonstration only and adds a string attribute; other attribute types may require additional properties, and the value of one attribute property may depend on other property values. WARNING: Use at your own risk. This OIM API does little data validation. Creating an invalid attribute can cause a lot of problems (e.g. an error dialog that prevents you from viewing any OIM user's profile). If you happen to create a bad attribute, deleting the attribute fixes the problem most of the time.

Wednesday, June 26, 2013

OIM Schema Password Expiration

Version: Oracle Database 11g R2 and Oracle Identity Manager 11g
Description: By default the OIM schemas have a 90-day password expiration, so eventually you will have to change their passwords. The OIM managed server fails to start if a schema password has already expired. This post demonstrates one way to change the schema passwords after they have expired. Remember to update the matching WebLogic JDBC data sources with the new passwords afterwards, or the servers still will not start.

Monday, June 10, 2013

Monitoring OIM logs

Version: Oracle Identity Manager 11g R1
Description: This guide demonstrates how to monitor your logs. You can view your logs from the command-line, Oracle Enterprise Manager Fusion Middleware Control Console, or WebLogic Scripting Tool (WLST). I'll discuss the advantages and disadvantages of these utilities.

Saturday, June 8, 2013

BI Publisher 11g: Enable Local Superuser

Version: Oracle BI Publisher 11.1.1.5.0
Description: This post shows you how to enable a local superuser for BI Publisher.

Oracle BI Publisher 11g Enterprise Installation on Linux

Version: Oracle Business Intelligence 11.1.1.5.0 (64-Bit)
Description: A guide that demonstrates how to install Oracle BI Publisher on Oracle Linux 6.3. This will only go through the enterprise installation, which is an all in one package install (includes WebLogic installation, WebLogic domain creation, and BI installation and configuration).
Prerequisites:
  1. Static IP Address (Must also be included in the /etc/hosts file)
  2. JRockit Installation
  3. Oracle Database 11g

Wednesday, June 5, 2013

OIM 11g R1: Changing OIM Session Timeout

Version: Oracle Identity Manager 11g R1
Description: This guide shows you how to configure the session timeout for the OIM web interfaces. When a user stays idle in the OIM console for a certain amount of time, one of two alert dialogs may appear. The first is a two-minute warning before the session times out. The second is a page expiration message indicating that the session has expired.

Tuesday, June 4, 2013

Post-Process EventHandler Example: DecryptedPasswordInProfile

Version: Oracle Identity Manager 11g R1
Description: An example of a custom post-process event handler. This plugin is for demonstration only; as its name says, it exposes a user's decrypted password in the profile, so it must not be deployed outside a lab. The orchestration object passed to the execute method carries the information you need. Several orchestration methods to note for post-process handlers:
getParameters(): returns only the attributes changed by the current operation.
getOperation(): returns the operation being performed. Some operations:
  • CREATE = a new user is being created
  • CHANGE_PASSWORD = the user's password is being changed
  • MODIFY = any change to a user's OIM profile
getInterEventData(): contains the current state and the new state of the entire user profile. You can even determine who is making the change from the "usr_updateby" attribute in the new state of the profile.

You can find the final plugin package and the source code here.

Summary for Deploying the Plugin
1. Create the jar file, plugin.xml, and the metadata xml.
2. Create a zip with the following structure:
[NameOfPlugin].zip
     |____plugin.xml
     |____lib/
           |_____[yourJarFile].jar

3. Modify the ant.properties file located in "[IDM_HOME]/server/plugin_utility".
Then register your plugin by executing "ant -f pluginregistration.xml register".

4. Modify the weblogic.properties located in "[IDM_HOME]/server/bin".
Then push the metadata into MDS by using the weblogicImportMetadata.sh utility.

5. Purge the cache. The utility is in "[IDM_HOME]/server/bin".
./PurgeCache.sh ALL

Wednesday, May 29, 2013

Start WebLogic Servers by Node Manager in WLST

Version: WebLogic 10.3.5
Description: The WebLogic Scripting Tool (WLST) can be used to establish a connection to Node Manager. Within the Node Manager session in WLST, you can execute out-of-the-box WLST commands to start the managed servers or the Administration Server.

Sunday, May 19, 2013

OIM 11g R1: Getting OIM User Decrypted Password

Version: Oracle Identity Manager 11g R1
Description:
If you look at the USR table in the OIM schema, you'll notice that the password column is encrypted rather than hashed, so the value can be recovered. There are several ways to get the password decrypted. I'll show how to get it by querying the OIM database through the tcDataBaseClient. This requires setting the client handle with the OIMClient object. The user logged in through the OIMClient must be an End-User Administrator in order to use the tcDataBaseClient; the "Design Console Access" attribute on the OIM user profile determines whether a user is an End-User or an End-User Administrator. Below is a Java application that gets every OIM user's password in plain text. Note: you can also query the PCQ table to get users' challenge questions and answers. Anyone holding End-User Administrator rights can therefore read every user's credentials, so treat that role, and the database and keystore credentials behind it, as highly privileged and audit who has them.

Thursday, April 4, 2013

Sample WLST Script To Start WebLogic Servers

Version: WebLogic 10.3.5
Description:
Given here is a sample Python script that starts up Node Manager, the OIM managed server, the SOA managed server, and the Administration Server.
The script uses WLST commands and must be invoked with WLST.

Thursday, March 28, 2013

Modifying JVM Heap Size for WebLogic Server Instances

Version: WebLogic 10.3.5
Description: To improve OIM performance, it may be necessary to increase the JVM Heap size for the WebLogic servers.

Tuesday, March 26, 2013

Tuning Oracle Database 11g for OIM 11.1.1

Version: Oracle Identity Manager 11g R1
Description: I will follow the sample configurations given in the Oracle Administrator's Guide for Oracle Identity Manager. Performance tuning varies from one environment to another, so adjust the configuration accordingly. You can use the Oracle Database out-of-the-box utilities to monitor your database performance. You must have the SYS credentials or equivalent privileges to make these changes, and the database must be restarted afterwards. Shut down all WebLogic server instances while making these changes; only the Oracle database should be up.

Wednesday, March 20, 2013

How to Use Grep Command

Description
The grep command searches an input for the regular expression (pattern of characters) that you specify and displays every line that contains the pattern. Your input can be one or more files or an output of a command using pipes.

Command Syntax
grep [options] PATTERN [file(s)]

OPTIONS
-n display the line number of each match
-i case-insensitive match
-l list only the names of the files that contain a match, once each
-w match the pattern only as a whole word

Note: If your regular expression contains a special character (for example [ ] * | $), enclose it in single quotation marks: these characters have their own meaning to the shell, and the single quotes keep the shell from interpreting them before grep sees them. When you search more than one file, each matching line is prefixed with the name of the file it came from.
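As an added example that is not part of the original post, the options above are run against a constructed OIM diagnostic log. The log lines are made up for the example, in the style of a WebLogic diagnostic log, and the file names are assumptions; each function returns the count or list that the option in question produces.

```shell
#!/bin/sh
# Added example (not part of the original post): the grep options above run
# against a constructed OIM/SOA diagnostic log. The log lines are made up for
# the example and the file names are assumptions.

LOGDIR="${TMPDIR:-/tmp}/grep-demo.$$"
mkdir -p "$LOGDIR"
trap 'rm -rf "$LOGDIR"' EXIT
OIMLOG="$LOGDIR/oim_server1-diagnostic.log"

# Constructed sample logs (not real OIM output).
cat > "$OIMLOG" <<'EOF'
[2013-06-10T09:15:01.123-04:00] [oim_server1] [NOTIFICATION] [oracle.iam] LDAP sync is disabled
[2013-06-10T09:15:02.456-04:00] [oim_server1] [ERROR] [oracle.iam.platform] Authentication failed for user xelsysadm
[2013-06-10T09:15:03.789-04:00] [oim_server1] [WARNING] [oracle.iam.reconciliation] Recon event 1234 has no matching user
[2013-06-10T09:15:04.000-04:00] [oim_server1] [NOTIFICATION] [oracle.iam.reconciliation] Processed 3 recon events in this batch
[2013-06-10T09:15:05.000-04:00] [oim_server1] [ERROR] [oracle.iam.platform] error: cannot load plugin DecryptedPasswordInProfile
EOF
cat > "$LOGDIR/soa_server1-diagnostic.log" <<'EOF'
[2013-06-10T09:16:00.000-04:00] [soa_server1] [NOTIFICATION] [oracle.soa] Composite DefaultRequestApproval deployed
[2013-06-10T09:16:01.000-04:00] [soa_server1] [ERROR] [oracle.soa] Errors while compiling composite
EOF

# '[' starts a bracket expression in a regex, so it is escaped, and the whole
# pattern is single-quoted so the shell does not touch it.
count_error_lines()   { grep -c '\[ERROR\]' "$OIMLOG"; }                               # 2
# -n prefixes each match with its line number; keep just the numbers.
error_line_numbers()  { grep -n '\[ERROR\]' "$OIMLOG" | cut -d: -f1 | paste -sd' ' -; }  # "2 5"

# -i: "ERROR" and "error" both match; without it only the lower-case one does.
count_error_word_cs() { grep -c 'error' "$OIMLOG"; }                                    # 1
count_error_word_ci() { grep -ci 'error' "$OIMLOG"; }                                   # 2

# -w: "event" as a whole word, so "events" no longer matches.
count_event()         { grep -c 'event' "$OIMLOG"; }                                    # 2
count_event_word()    { grep -cw 'event' "$OIMLOG"; }                                   # 1

# -l: only the names of the files that contain a match, once each.
files_with_errors()   { grep -l '\[ERROR\]' "$LOGDIR"/*.log | sed 's#.*/##'; }

# Input from a pipe instead of a file: errors across every log in the directory.
count_errors_all()    { cat "$LOGDIR"/*.log | grep -c '\[ERROR\]'; }                   # 3
```

Note that `grep -c` exits with status 1 when nothing matches, so in a script running under `set -e` wrap such calls in a condition or command substitution rather than using them as bare statements.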

Friday, March 8, 2013

How to Install OIA 11.1.1.5.0

Description: This guide will show you how to install Oracle Identity Analytics 11.1.1.5.0.

Prerequisites
The following items are required to install OIA. To see which databases and application servers OIA supports, check the OIA Certification Matrix.

Obtaining the Software
Name: Oracle Identity Analytics (11.1.1.5.0)
Download: http://www.oracle.com/technetwork/middleware/id-mgmt/oid-11g-161194.html
File: ofm_oia_generic_11.1.1.5.0.zip

Wednesday, March 6, 2013

Generating Configuration and Key Files For Node Manager

Version: WebLogic 10.3.5
Description: This post shows you how to generate a user configuration file and an associated key file for Node Manager. The user configuration file contains an encrypted username and password. The key file contains a secret key that is used to encrypt and decrypt the username and password. When connecting to Node Manager through WLST, you can specify the location of these files instead of supplying the Node Manager's username and password in plain-text.

Tuesday, March 5, 2013

Connecting to a WebLogic Data source from Java

Version: WebLogic 10.3.5
Description: You can use Java to connect to any data source defined in WebLogic. The advantage is that the database user credential does not have to be hard-coded in your Java application: all you need to supply in order to establish a connection are the name of the data source and the provider URL.
Requirements: Remote JDBC must be enabled if you are executing the code remotely; the instructions to enable it are commented in the code. The data source you use must be defined in WebLogic. Click here to learn how to create a data source in the WebLogic Administration Console.

Configuring Node Manager for WLST

Version: WebLogic 10.3.5
Description: The WebLogic Scripting Tool (WLST) is a command-line scripting interface that you can use to monitor and manage WebLogic Server instances and domains. You can use WLST as a Node Manager client to start and stop your server instances. This guide shows how to configure Node Manager for WLST. Before proceeding, make sure you have configured Node Manager; if you have not, see the "Configuring and Starting Node Manager" guide. Have Node Manager and the WebLogic Admin Server running.

Monday, March 4, 2013

Query OpenLDAP from Java using JNDI

Description: Uses the Java Naming and Directory Interface (JNDI) to connect to OpenLDAP from a Java application and query entries.

Configuring and Starting Node Manager

Version: WebLogic 10.3.5
Description: This guide will show you how to configure and start Node Manager. After completing it, you will be able to start and shut down your managed servers through the WebLogic Administration Console.

Monday, February 25, 2013

Exporting Metadata from MDS and Importing Metadata into MDS

Version: Oracle Identity Manager 11g R1
Description: This post demonstrates how to export and import metadata. This is useful for making system configuration changes in OIM as well as pushing plugins. As an example, I will export the OIM main configuration file from the OIM MDS schema and import a modified copy back into it. The change made in the main configuration file disables reloading of adapters and plugins.

References
MDS Utility Guide: http://docs.oracle.com/cd/E17904_01/doc.1111/e14309/utils.htm
Example: http://docs.oracle.com/cd/E17904_01/doc.1111/e14308/tuningforappserver.htm#CHDFHAGI

Sunday, February 24, 2013

How to Create a JDBC Generic Data Source in WebLogic 10.3.5

Version: WebLogic 10.3.5
Description: This post demonstrates how to create a generic data source in your WebLogic domain using the WebLogic Administration Console. A MySQL database is used as the example.
References: http://docs.oracle.com/cd/E21764_01/web.1111/e13737/jdbc_datasources.htm#i1204742

Sunday, February 17, 2013

Connecting to OIM Schema Through the OIMClient In Java

Version: Oracle Identity Manager 11g R1
Description: A Java application to demonstrate how to connect to your OIM Schema provided that you have an OIMClient. The user who is logged in for the OIMClient needs to be an End-User Administrator in order to use the tcDatabaseClient. The “Design Console Access” attribute on the OIM User Profile determines whether a user is an End-User or an End-User Administrator. Accessing the OIM Schema through this method does not need the database user credential.

Tuesday, February 12, 2013

Patching OIM 11.1.1.5.x to 11.1.1.5.6

Description
This post demonstrates how to patch OIM from 11.1.1.5.x to 11.1.1.5.6. Patches are cumulative: for example, the OIM 11.1.1.5.6 patch contains the bug fixes from the OIM 11.1.1.5.0 - 11.1.1.5.5 patches. You can download the patch from My Oracle Support.

Patch Number: 14760839
Bundle Name: Oracle Identity Management Suite BP patch of 11.1.1.5.2
The bundle contains patches for the following products:
- OIM 11.1.1.5.6
- OAM 11.1.1.5.5
- OES 11.1.1.5.4
- OAAM 11.1.5.2

Our main focus will be the patch for OIM 11.1.1.5.6. The other patches do not need to be applied if you are only patching OIM.

Wednesday, February 6, 2013

Using Git and GitHub on Linux

Description: This guide will go over the basics of git and the use of GitHub to version your projects.

Friday, February 1, 2013

OIM 11g Deploying a Custom Event Handler

Version: Oracle Identity Manager 11g R1
Description: This guide demonstrates the process of setting up and deploying a custom event handler.  It also shows you how to remove an event handler. Custom event handlers can be developed to extend the functionality of OIM User Management Operations.

Saturday, January 26, 2013

Installing JD-GUI on Linux

JD-GUI is a Java decompiler: it turns compiled ".class" files (and whole jars) back into readable Java source. You can obtain the software here.
File: jd-gui-0.3.5.linux.i686.tar.gz

Install the following packages needed for JD-GUI.
sudo yum install libXxf86vm libcanberra-gtk2.i686 PackageKit-gtk-module.i686 gtk2-engines.i686 libXxf86vm.i686

Unpack "jd-gui-0.3.5.linux.i686.tar.gz" and place "jd-gui" and "open-in-jd-gui.sh" into specific directories.
tar -xvf jd-gui-0.3.5.linux.i686.tar.gz
sudo mv jd-gui /usr/bin
mv contrib/Nautilus\ File\ Manager\ Integration/open-in-jd-gui.sh ~/.gnome2/nautilus-scripts/

To make jd-gui the default application when opening a ".jar" or ".class" file, follow the given steps below.
  1. Right-click any Java ".class" or ".jar" file.
  2. Click properties.
  3. On the "Open With" tab, click add.
  4. On the "Add Application" window,  select "Use a custom command" and type "jd-gui". Click Add.
  5. Select  "jd-gui" as the default application.

Wednesday, January 23, 2013

Installing and Configuring DBAT Connector for MySQL in OIM

Version: Oracle Identity Manager 11g R1
Description: This section shows how to install and configure the Oracle "Database Applications Table" (DBAT) connector in OIM. The DBAT connector uses the Generic Technology Connector (GTC) framework. A MySQL database is used to demonstrate the connector.

Sunday, January 20, 2013

Using the OIM 11g R1 API

Version: Oracle Identity Manager 11g R1
Description: This guide shows how to set up and use the Oracle Identity Manager 11g R1 API in a Java application.

Saturday, January 19, 2013

Installing and Configuring OID Connector for OpenLDAP in OIM

Version: Oracle Identity Manager 11g R1
Description: This guide will show you how to integrate OpenLDAP with OIM and configure it. The Oracle Internet Directory (OID) connector is used for the integration; it is built on the Identity Connector Framework (ICF).

Friday, January 18, 2013

Installing OpenLDAP on Linux

Description: A guide to install and configure OpenLDAP on Oracle Linux 6 (64-bit); it applies to Linux in general. Several clients may be used to access your data, such as Apache Directory Studio and the command line.

Thursday, January 17, 2013

Uninstalling an OIM Connector

Version: Oracle Identity Manager 11g R1
Description: This guide explains how to remove an OIM connector other than a GTC connector. Microsoft Active Directory 11.1.1.5.0 is used as the demonstration. Refer to the Oracle documentation for more details: http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/conn_mgmt.htm, including the special cases of removing a connector (e.g. a connector with an access policy). WARNING: Do not use in a production environment.

Installing an OIM Connector on 11g R1

Version: Oracle Identity Manager 11g R1
Description: This guide applies to all supported Oracle Identity Manager connectors; you can find all of them here. The Database Applications Table connector is used as the example for this post.

Wednesday, January 16, 2013

Configuring Oracle SQL Developer for MySQL

Description: This demonstrates how to access your MySQL database from Oracle SQL Developer, which is a database client. This requires having the MySQL driver and configuring Oracle SQL Developer to point to that driver.

Installing MySQL on Linux

Description: A guide to install and configure MySQL on Linux. Installation and configuration is done through command-line.

Thursday, January 10, 2013

Installing Java on Linux 64-Bit and Enabling for Mozilla Browser

Description: This guide shows how to install Java on Linux, and configure Mozilla browser to enable Java.

Wednesday, January 9, 2013

Patching OIM 11.1.1.5.0 to 11.1.1.5.3

This guide can also be applied to OIM 11.1.1.5.1 or 11.1.1.5.2.

Obtaining the Patches
You will need the following patches:
  1. Patch Name: 13106312
    Product: Oracle SOA Platform
    Release: 11.1.1.5.0

  2. Patch Name: 13704894
    Product: Oracle Identity Manager
    Release: 11.1.1.5.0

Monday, January 7, 2013

Patching OIM 11.1.1.5.0 to 11.1.1.5.2

This guide can also be applied to OIM 11.1.1.5.1.

Obtaining the Patches
You will need the following patches:
  1. Patch Name: 13106312
    Product: Oracle SOA Platform
    Release: 11.1.1.5.0

  2. Patch Name:13399365
    Product: Oracle Identity Manager
    Release: 11.1.1.5.0

  3. Patch Name:13684913
    Product: Oracle Identity Manager
    Release: 11.1.1.5.2

Sunday, January 6, 2013

Post-Installation Tasks For OIM 11.1.2

Important URLs
#WebLogic Admin Console
http://localhost:7001/console
Admin User: weblogic

#SOA Infrastructure
http://localhost:8001/soa-infra
Admin User: weblogic

#Oracle Identity Manager System Administration
http://localhost:14000/sysadmin
Admin User: xelsysadm

#Oracle Identity Manager Self Service
http://localhost:14000/identity
Admin User: xelsysadm

Starting and Stopping the Servers
Note: Once the WebLogic Administration Server is running, you can use the WebLogic Administration Console to start and stop the managed servers.

#Start/Stop WebLogic Administration Server
cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/bin
./startWebLogic.sh
./stopWebLogic.sh

#Start/Stop OIM Managed Server
cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/bin
./startManagedWebLogic.sh oim_server1
./stopManagedWebLogic.sh oim_server1

#Start/Stop SOA Managed Server
cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/bin
./startManagedWebLogic.sh soa_server1
./stopManagedWebLogic.sh soa_server1
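The three scripts above have to be run in dependency order: the Administration Server first, then SOA, then OIM, and each one must actually be listening before the next is started. As an added example that is not part of the original post, the shell functions below do that by polling each server's listen port. The domain path and ports come from the commands and URLs above; the host name, the log file names and the timeouts are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): start the Admin Server, SOA and
# OIM in the order OIM depends on and wait for each listen port before starting
# the next. DOMAIN_HOME and the ports are taken from the post above; the host
# name, log file names and timeouts are assumptions. Override via environment.

DOMAIN_HOME="${DOMAIN_HOME:-/home/oracle/Oracle/Middleware/user_projects/domains/base_domain}"
ADMIN_PORT="${ADMIN_PORT:-7001}"
SOA_PORT="${SOA_PORT:-8001}"
OIM_PORT="${OIM_PORT:-14000}"

# Return 0 if something accepts TCP connections on $1:$2, 1 otherwise.
port_open() {
    if command -v bash >/dev/null 2>&1; then
        # bash opens /dev/tcp/host/port as a socket; a refused connection fails.
        bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
    elif command -v nc >/dev/null 2>&1; then
        nc -z -w 2 "$1" "$2" >/dev/null 2>&1
    else
        echo "port_open: neither bash nor nc available, treating $1:$2 as closed" >&2
        return 1
    fi
}

# Poll $1:$2 every 5 seconds for up to $3 seconds; 0 when it is listening.
wait_for_port() {
    elapsed=0
    until port_open "$1" "$2"; do
        [ "$elapsed" -lt "$3" ] || { echo "timeout waiting for $1:$2" >&2; return 1; }
        sleep 5; elapsed=$((elapsed + 5))
    done
    echo "$1:$2 is listening"
}

# Launch one domain script in the background, logging beside it.
# $1 = script name, $2 = managed server name (empty for the Admin Server;
# deliberately unquoted so an empty value passes no argument at all).
launch() {
    ( cd "$DOMAIN_HOME/bin" && nohup "./$1" $2 > "$1.${2:-admin}.out" 2>&1 & )
}

# Admin Server -> SOA -> OIM, each gated on the previous one's port.
start_oim_stack() {
    host="${1:-localhost}"
    launch startWebLogic.sh ""                  && wait_for_port "$host" "$ADMIN_PORT" 600 || return 1
    launch startManagedWebLogic.sh soa_server1  && wait_for_port "$host" "$SOA_PORT" 900   || return 1
    launch startManagedWebLogic.sh oim_server1  && wait_for_port "$host" "$OIM_PORT" 900   || return 1
}

# Usage: start_oim_stack localhost
```

A listening port means the server accepts connections, not that every application is deployed; for OIM, check the /identity URL above (or the server's state in the Administration Console) before pointing users at it.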

Enable Design Console
You need to create the "wlfullclient.jar" and give it the proper permissions. The file has to be in "<MW_HOME>/wlserver_10.3/server/lib/" and in "<IDM_HOME>/Oracle_IDM1/designconsole/ext/". The WebLogic Administration Server and the "oim_server1" managed server must be running.

Execute the following commands:
cd /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/
java -jar /home/oracle/Oracle/Middleware/modules/com.bea.core.jarbuilder_1.7.0.0.jar
chmod 750 wlfullclient.jar
cp wlfullclient.jar /home/oracle/Oracle/Middleware/Oracle_IDM1/designconsole/ext/

To start Design Console:
cd /home/oracle/Oracle/Middleware/Oracle_IDM1/designconsole
./xlclient.sh

Verifying the OIM Installation
Refer to 5.10 Verifying the Oracle Identity Manager Installation in the Installation Guide for Oracle Identity and Access Management documentation.

Configure Oracle Identity Manager 11.1.2.0

Configuring OIM 11.1.2.0
  1. The WebLogic Administration Server must be started. Navigate to "<OIM_DOMAIN_HOME>/bin" and execute "startWebLogic.sh".
     cd /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/bin
    ./startWebLogic.sh
  2. Execute the "config.sh" located in the "<IAM_HOME>/bin/" directory.
     cd /home/oracle/Oracle/Middleware/Oracle_IDM1/bin
    ./config.sh
The screen shots given below will walk you through the process (the images are not reproduced here; their captions are kept, in order).

Step 1: Welcome
Step 2: Select All Components
Step 3: Enter Database Connection Details
Step 4: WebLogic Admin Server
Step 5 Localhost Error
Step 5
Step 6: OIM Server Host and Port
Step 7: Remote Manager
Step 8: Configuration Summary
Step 9: Configuration Progress
Step 9b
Step 10: Configuration Complete


OIM Configuration Summary One
#Provide the password for the System Administrator(xelsysadm). Valid Passwords must contain at least 6 characters, must begin with an alphabetic character, and include at least one number, one uppercase letter and one lowercase letter. Password cannot contain firstname, lastname and loginname of OIM.

OIM_ADMINISTRATOR_PASSWORD=<SECURE VALUE>

#Confirm the System Administrator(xelsysadm) password.

CONFIRM_OIM_ADMINISTRATOR_PASSWORD=<SECURE VALUE>

#Provide the HTTP Proxy URL. Format: http(s)://hostname:port

PROXY_URL_FOR_OIM=http://rayedchan:14000

#Provide the KeyStore Password. Valid passwords are 6 to 30 characters long, must begin with an alphabetic character, use only alphanumeric, underscore (_), dollar ($) or pound (#) characters and include at least one number.

KEYSTORE_PASSWORD=<SECURE VALUE>

#Confirm the KeyStore Password.

KEYSTORE_CONFIRM_PASSWORD=<SECURE VALUE>

#Provide true to enable LDAP sync. LDAP sync synchronizes Oracle Identity Manager users, roles, role membership and role hierarchy to a LDAP directory. Any direct changes in the directory will be reconciled back to Oracle Identity Manager.

SELECTION_OPTIONS_PAGE_SYNC_LDAP=false

#Provide WebLogic Managed Server hostname in which Oracle Identity Manager application is deployed.

AS_HOST_NAME=localhost

#Provide WebLogic Managed Server port in which Oracle Identity Manager application is deployed.

AS_PORT_NUMBER=14000

#Provide the service name for Remote Manager under which this Remote Manager will be registered. It is used along with Registry URL to build fully qualified service name. For e.g. rmi://host:RMI Registry Port/service name.

RM_SERVICE_NAME=RManager

#Provide the Remote Manager RMI Registry Port. RMI Registry is started on this port.

REMOTEMANAGER_RMI_REGISTRY_PORT=12345

#Provide the Remote Manager Listen Port. A Secure Socket is opened on this port to listen client requests.

REMOTEMANAGER_LISTEN_PORT=12346

[SYSTEM]

[APPLICATIONS]

[RELATIONSHIPS]

#

COMPONENT_OIM_SELECTION_ROOT=true

#Provide true to configure OIM Server.

OIM_SERVER=true

#Provide true to configure OIM Design Console.

INSTALL_OIM_DESIGN_CONSOLE=true

#Provide true to configure OIM Remote Manager.

INSTALL_OIM_REMOTE_MANAGER=true

#

IS_SERVICE_ID_USED_IN_SPECIFYODSPASSWORDPAGE=false



OIM Configuration Summary Two
Configure Only:

Applications Selected For Configuration:

OIM Server

OIM Design Console

OIM Remote Manager

Configure Database Security Store for OIM 11.1.2.0

Configuring Database Security Store for OIM 11.1.2.0
Note: This assumes that you've created a WebLogic domain only for Oracle Identity Manager and SOA. If you have been following my guides throughout, you are fine. If not, refer to the Oracle documentation for the specific scenario you are dealing with (Look at 3.2.9 Configuring Database Security Store for an Oracle Identity and Access Management Domain in Installation Guide for Oracle Identity and Access Management).

You will be using the "configureSecurityStore.py" script to create the Database Security Store. This script can be found under the "<IAM_HOME>/common/tools" directory.

#Execute the following command to create the Database Security Store (this is one command).
#Note: -p puts the OPSS schema password on the command line, so it ends up in your shell history and is visible in the process list (ps) while the script runs. Run it from a session with history disabled, or remove the entry from the history file afterwards.
#<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m create
/home/oracle/Oracle/Middleware/oracle_common/common/bin/wlst.sh /home/oracle/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /home/oracle/Oracle/Middleware/user_projects/domains/base_domain -c IAM -p myPassword -m create

#Execute the following command to validate if the Database Security Store created properly
#<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m validate
/home/oracle/Oracle/Middleware/oracle_common/common/bin/wlst.sh /home/oracle/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /home/oracle/Oracle/Middleware/user_projects/domains/base_domain -m validate

Logs for Create
Initializing WebLogic Scripting Tool (WLST) ...

Jython scans all the jar files it can find at first startup. Depending on the system, this process may take a few minutes to complete, and WLST may not return a prompt right away.

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Info: Data source is: opss-DBDS
Info: DB JDBC driver: oracle.jdbc.OracleDriver
Info: DB JDBC URL: jdbc:oracle:thin:@localhost:1521/orcl

[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkServiceSetup - done

Jan 5, 2013 8:14:37 PM oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigurator schemaCompatibleHandler

INFO: Credential store schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0

[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely

[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  updateServiceConfiguration - done

Jan 5, 2013 8:14:42 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData

INFO: Migration of Credential Store data in progress.....

Jan 5, 2013 8:14:42 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData

INFO: Migration of Credential Store data completed, Time taken for migration is 00:00:00

[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  migrateData - done

[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  testJpsService - done

[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  checkServiceSetup - done

Jan 5, 2013 8:14:43 PM oracle.security.jps.internal.config.ldap.LdapKeyStoreServiceConfigurator schemaCompatibleHandler

INFO: Keystore schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0

[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely

[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  updateServiceConfiguration - done

[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  migrateData - done

[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  testJpsService - done

[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  checkServiceSetup - done

Jan 5, 2013 8:14:45 PM oracle.security.jps.internal.config.ldap.LdapPolicyStoreServiceConfigurator schemaCompatibleHandler

INFO: Policy schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0

[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely

[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  updateServiceConfiguration - done

WLS ManagedService is not up running. Fall back to use system properties for configuration.

Jan 5, 2013 8:14:54 PM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateData

INFO: Migration of Admin Role Members started

Jan 5, 2013 8:14:54 PM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateData

INFO: Migration of Admin Role Members completed in 00:00:00

[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  migrateData - done

[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  testJpsService - done

[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSetup - done

Jan 5, 2013 8:14:54 PM oracle.security.jps.internal.config.ldap.LdapAuditServiceConfigurator schemaCompatibleHandler

INFO: Audit store schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0

[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely

[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  updateServiceConfiguration - done

Jan 5, 2013 8:14:54 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData

INFO: Migration of Audit Store data in progress.....

Jan 5, 2013 8:15:19 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData

INFO: Migration of Audit Store data completed, Time taken for migration is 00:00:25

[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  migrateData - done

[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  testJpsService - done

persist to output: /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig - done

[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkServiceSetup - done

[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  updateServiceConfiguration - done

[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  checkServiceSetup - done

[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  updateServiceConfiguration - done

[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  checkServiceSetup - done

[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  updateServiceConfiguration - done

Jan 5, 2013 8:15:30 PM oracle.security.jps.internal.config.ldap.LdapAuditServiceConfigurator checkIfConfigurationValid

INFO: Audit store re-association not supported.

[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSetup - Audit store re-association not supported.

persist to output: /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig - done

INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.

INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.

Using default context in /home/oracle/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig/jps-config-migration.xml file for credential store.

Credential store location : jdbc:oracle:thin:@localhost:1521/orcl

Credential with map Oracle-IAM-Security-Store-Diagnostics key Test-Cred stored successfully!

Credential for map Oracle-IAM-Security-Store-Diagnostics and key Test-Cred is:

GenericCredential

Info: diagnostic credential created in the credential store.

Info:  Create operation has completed successfully.

Logs for Validate

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

Info: Data source is: opss-DBDS

INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.

INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.

Info: Diagnostics data was saved to the credential store.

Info: Validate operation has completed successfully.
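A small checker for this output, added here as an example and not part of the original post: it parses the configurator lines shown above and reports any store that never completed checkServiceSetup or updateServiceConfiguration, the JDBC URL the credential store was written to, and any "not supported" or error notices, so the result of the create and validate runs can be reviewed before domain creation. Store and phase names come from the log above; the sample lines are a constructed abbreviation of it.

```python
import re
from collections import defaultdict

# Configurator lines: "[oracle.security.jps.internal.config.db.<Store>]  <phase> - <message>"
PHASE_RE = re.compile(
    r"^\[oracle\.security\.jps\.internal\.config\.db\.(\w+)\]\s+(\w+)\s+-\s+(.*)$")
CRED_RE = re.compile(r"^Credential store location\s*:\s*(\S+)")
NOTICE_RE = re.compile(r"not supported|error|exception|fail", re.IGNORECASE)

# The four JPS stores and the two phases each must report "done" (names from the log above).
REQUIRED_STORES = ("DbPolicyStoreServiceConfigurator", "DbCredStoreServiceConfigurator",
                   "DbKeyStoreServiceConfigurator", "DbAuditStoreServiceConfigurator")
REQUIRED_PHASES = ("checkServiceSetup", "updateServiceConfiguration")


def parse_log(text):
    """Collect per-store phase messages, the credential store URL and notable notices."""
    phases = defaultdict(lambda: defaultdict(list))
    notices, cred_store = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PHASE_RE.match(line)):
            store, phase, msg = m.groups()
            phases[store][phase].append(msg)   # a phase may be reported more than once
        if (m := CRED_RE.match(line)):
            cred_store = m.group(1)            # where the credentials actually went
        if NOTICE_RE.search(line):             # lines a reviewer should read by hand
            notices.append(line)
    return {"phases": {s: dict(p) for s, p in phases.items()},
            "cred_store": cred_store, "notices": notices}


def missing_phases(summary):
    """Return (store, phase) pairs that never reported 'done'."""
    return [(store, phase) for store in REQUIRED_STORES for phase in REQUIRED_PHASES
            if "done" not in summary["phases"].get(store, {}).get(phase, [])]


# Constructed sample, abbreviated from the log shown above.
SAMPLE_LOG = """
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSetup - Audit store re-association not supported.
Credential store location : jdbc:oracle:thin:@localhost:1521/orcl
"""
```

Run it against the real output captured from configureSecurityStore.py; an empty `missing_phases` list and a credential store URL pointing at the expected OPSS schema are what you want to see before moving on.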

Creating WebLogic Domain for OIM 11.1.2.0

WebLogic Domain Creation for OIM 11.1.2.0
  1. Execute the "config.sh" script located under "<iam_home>/common/bin/".
    cd /home/oracle/Oracle/Middleware/Oracle_IDM1/common/bin
    ./config.sh

  2. On the "Select Domain Source" screen of the configuration wizard, select "Oracle Identity Manager - 11.1.2.0.0 [IAM_HOME]". When you select it, the following products are selected by default:
    -Oracle SOA Suite - 11.1.1.1.0 [Oracle_SOA1]
    -Oracle Enterprise Manager 11.1.1.1.0 [oracle_common]
    -Oracle Platform Security Service 11.1.1.0 [IAM_Home]
    -Oracle JRF 11.1.1.0 [oracle_common]
    -Oracle JRF WebServices Asynchronous services - 11.1.1.0 [oracle_common]
    -Oracle WSM Policy Manager 11.1.1.0 [oracle_common]
The screenshots given below will walk you through the process.

Step 1: Create a new WebLogic domain


Step 2: Select Domain Source
Select "Oracle Identity Manager - 11.1.2.0.0 [IAM_HOME]". By default the following products are selected when you select "Oracle Identity Manager - 11.1.2.0.0 [IAM_HOME]":
-Oracle SOA Suite - 11.1.1.1.0 [Oracle_SOA1]
-Oracle Enterprise Manager 11.1.1.1.0 [oracle_common]
-Oracle Platform Security Service 11.1.1.0 [IAM_Home]
-Oracle JRF 11.1.1.0 [oracle_common]
-Oracle JRF WebServices Asynchronous services - 11.1.1.0 [oracle_common]
-Oracle WSM Policy Manager 11.1.1.0 [oracle_common]


Step 3: Specify Domain Name and Location


Step 4: Configure Administrator Credentials


Step 5: Configure Server Start Mode and JDK


Step 6: Configure JDBC Component Schema


Step 7: Test JDBC Component Schema


Step 8: Select Optional Configuration


Step 9: Configuration Summary


Step 10: Creating Domain


Step 10b