Tuesday, 12 March 2013

Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM) and Oracle Identity Manager (OIM) Integration (11gR2)

It has been a very long time since I wrote anything on this blog. This time I am trying to cover one of the most painful topics: OAM-OIM-OAAM integration.

I have tried to take screenshots of the steps that need to be followed. Most of them are self-explanatory, but I have added text wherever possible.

Note: This is not Oracle's official documentation. You should refer to the Integration Guide provided by Oracle for a production implementation, and there is no guarantee that the information provided in this blog is error free. A few assumptions are also made: WLS is installed and configured, the required database schemas have been created using the correct RCU, and the domain for OAM/OIM/OAAM has been created. All three products are part of the same domain.

  1. Before you start your Admin Server or OAM Managed Server for the first time, you have to execute the commands shown below related to the OPSS security store. OIM has not yet been configured in this domain: the domain was created with the OIM product selected, but the required config.sh is not executed until the steps shown later.

  2. This exception can be ignored.

  3. We are going to start the integration steps. The first step is to set the required environment variables and execute idmconfigtool with the required properties files.

  4. Create a properties file for each activity. We will be creating properties files for preConfig Identity Store, prepare Identity Store, OAM configuration for integration and OIM configuration for integration.

  5. Prepare Identity Store properties file.

  6. OAM configuration properties file for integration.

  7. OIM configuration properties file for integration.

  8. Execute idmconfigtool for preConfig Identity Store to extend the LDAP server's schema with the required object classes and attributes.

  9. Once the schema extension is completed, prepare the identity store for OAM.

  10. Once OAM is completed, prepare the identity store for OIM.

  11. Now start the configuration wizard to configure OIM.

  12. Provide the database connection details.

  13. Provide values for the keystore and the front-ending URL, as well as the password for the xelsysadm user. Make sure you have selected "Enable LDAP Sync".

  14. I am using OID as the LDAP server, hence I have provided the required parameters for it. If you have any other LDAP server, follow the appropriate steps from the Oracle documentation on how to enable LDAP Sync.

  15. Once the configuration has completed successfully, restart all your servers.

  16. Configure the properties for the post-LDAP Sync execution steps.

  17. Set required environment variables.

  18. Update the XEL_HOME parameter in the file setEnv.sh.

  19. Execute the utility LDAPConfigPostSetup.sh.

  20. Now go back to idmconfigtool. Make sure you have the required environment variables set. Execute the tool for configuring OAM for integration.

  21. Make sure you have the required environment variables set. Execute the tool for configuring OIM for integration.

  22. Update the password of IAMSuiteAgent.

  23. Update the password of the IAMSuiteAgent in the WebLogic Console's provider configuration.

  24. Modify the SOA composite configuration to use the HTTP port of the reverse proxy web server.

  25. The OAM and OIM integration steps are completed. Now we start the OAM-OIM-OAAM integration steps. If, after creating a new user in OIM, you are unable to log in to an OAM-protected resource, make sure that the User Identity Store configuration is correct. We will review it later, before we try to access a protected resource.

  26. Import the snapshot provided with OAAM. This snapshot automatically provides the required configuration for Rules, KBA, etc.

  27. Preparing for OAM and OAAM integration.

  28. Execute the WLST command to create the required keystore file.

  29. Execute the highlighted WLST command.

  30. Copy the CLI directory from the Oracle Home of OAAM. Edit the file oaam_cli.properties.

  31. Set the required parameters and execute setupOAMTAPIntegration.sh.

  32. Once the configuration is successful, restart all your servers.

  33. Configure the Challenge Parameters for TAPScheme in the OAM console to include the parameter "MatchLDAPAttribute=uid".

  34. Modify the System Properties in OIM's Administration console to disable Challenge Questions, update the Forgot Password URL, etc.

  35. Log in to OAAM's Admin Console and modify the parameters shown in the screenshots.

  36. Log in to the EM Console and navigate to the Credential configuration. Add a new key in OAAM's map, providing the xelsysadm username and password.

  37. Log in to the OAM console and update the Load Balancing configuration as per your environment.

  38. Create a new Authentication Policy to protect a resource with the TAP Scheme.

  39. If you notice the error shown below in the logs, it means that you have to manually add one attribute to OID's schema and attach it to an object class in OID.

  40. Make sure that the User Identity Store created by idmconfigtool has the correct parameters as shown in the screenshot. The User Name Attribute should have the value uid.

  41. Log in to the OIM Console. Create a new user to test whether the configuration is working.

  42. Try to access a protected resource with OAAM's Authentication Scheme.

  43. Provide the username.

  44. Provide the password and you will be redirected to the change password page.

  45. Change the current password. Once it is changed you will be redirected to configure the challenge questions for the Forgot Password scenario.

  46. Select the Device configuration you would like to use.

  47. Set the required questions and answers.

  48. Authentication has completed and the required SSO cookies are set.

  49. Now we test the forgot password scenario.

  50. Instead of providing the password, click on the "Forgot your password" link.

  51. Answer all questions.

  52. Finally you land on the password change page. Provide the new password and confirm it.

  53. You are now redirected to the protected resource.

12 comments:

Anonymous said...

Hey yagnesh,

I have integrated OIMR2-OAMR2 in two separate domains. Now, trying to integrate with oaam.

After completing the integration with OAAM, I am not able to log in to http://host-name:port/oaam_server with any user login id.
I am getting the below error:
"Sorry, the identification you entered was not recognized. Please try again"

Also, when I hit the OIM login URL, I am not getting the OAAM authentication page. But for change password and challenge questions, I am getting the OAAM authentication page. Even here, when I try to log in, I am getting the same error.


Do I need to make the id store as tap scheme? If so, what will happen to the ovd id store?

Please help.

Unknown said...

I have added a couple more screenshots which should help with the issue that you are facing. Also, it is very hard to debug the issue just by description. What are the exceptions you are seeing in the log files?

Anonymous said...

Few pointers

1. Make sure the mandatory patches are installed as per the doc below:
http://docs.oracle.com/cd/E27559_01/relnotes.1112/e35820/install.htm#i1099333

2. As mentioned in the doc below:
http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDFABDD

LDAPAdminUsername should not be located in the user container where the customer's user accounts reside, for example cn=Users,cn=oracleAccounts,dc=mycompany,dc=com. This user should be outside the search scope in order to avoid reconciliation of this user into OIM.

So, take note of this when setting up the LDAP suffix and containers.

The doc below provides some examples of setting up different containers:
http://docs.oracle.com/cd/E27559_01/install.1112/e27301/preconfigoid.htm#CHDCEJMD


3. If you are setting up password policies in an OAM-OIM integrated env, please review DocID 1496808.1 and apply the required patches.



-Sashi

Unknown said...

Hi Yagnesh,
Hope you are doing well.

You've really done a remarkable job in
compiling such useful info!

Could you give your thoughts on the following query?

I've implemented SSO with Oracle EBS R12, as EBS is already integrated with OAM-SSO-OID 11g using Accessgate 11g.

Also, using the LDAP sync feature I've integrated OIM successfully with the same OID, which is already integrated with EBS & OAM.

As I want to use user provisioning & responsibility assignment via OIM,

I need to integrate OIM with OAM.

Could you tell me how it could be done?

After searching many Metalink notes and Oracle Docs, like http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/oim.htm

I could NOT find any solution which fits this scenario. Need your expert advice...


To re-emphasize the query:

In order to integrate OIM with OAM when both servers are already in sync with the same OID, irrespective of the authorization information,

how do I integrate them now, I mean in this scenario?

Also, the moot point is, for each partner application like EBS (please assume as of now this is the only partner application),

do I have to install the EBS connector to get it integrated with OIM in this scenario?


Really appreciate the response.



Thanks & Regards
Priya

Unknown said...

Just to correct a point in the above query!

EBS R12 is integrated with OAM-SSO-OID 11g using Webgate!!



Eagerly waiting to hear from you.


Thanks
Priya

Unknown said...

Hi Priya,

Thanks.

As per what I understand, currently in your case OAM and OIM are not integrated, so all the user lifecycle management scenarios such as account lockout, password change etc. will not work when you are accessing an OAM protected resource.

If you are referring to the document below:
http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/oim.htm
then you will have to start with the section which covers the integration of OAM and OIM, as your LDAP server is already prepared if you have executed idmconfigtool with option mode=all:
5.3 Perform Integration Tasks in Oracle Access Manager

Also, you will have to deploy an EBS connector, as EBS's source of truth for user information is its database. So the flow would be: you create a user in OIM, via LDAP sync it is pushed to OID, and you provision an account for the same user to EBS.

Hope this answers your question.

Regards,
Yagnesh

Unknown said...

Hi,

Thanks for the response.

I have a minimal understanding of Oracle Identity Manager and am seeking your expert
guidance and suggestions on the following. Greatly appreciate the help!

I want to enable SSO, self-service password management including forgot password,
and also user provisioning & responsibility assignment via identity management.

For that, so far I've integrated EBS with OAM-OID-Webgate 11g, or rather implemented SSO with EBS, and it's working fine.

After that I installed & configured OIM 11g with SOA and integrated it with OID, with LDAP sync!

There are 2 servers: one is having EBS R12 and the other server is having all the IDM components, i.e. OAM, OID, OIM etc.,
installed on it.

Now the user that is created in EBS is getting reflected in OIM also; using the LDAP role create and update full reconciliation scheduled job
I've reconciled EBS-OID users into OIM.

As you rightly pointed out, without the EBS connectors the provisioning of EBS responsibilities (entitlements) is not possible via OIM.
In order to install the EBS connectors
there are 2 issues that I am struggling with:


1. When the OAM server & webgate managed servers are started or running, the OIM URL, i.e. http://oracle.com:14000/oim, becomes inaccessible,
as instead it shows the oamconsole URL, and then I am not able to log in with the xelsysadm user. Only if the OAM & webgate servers are shut down
does it become accessible & work fine. Not sure why (perhaps it has something to do with the httpd.conf and mod_wl_ohs.conf entries).


2. Unable to integrate OAM with OIM. (This is turning out to be a Herculean task for me.)



Thanks!
Priya

Unknown said...

I am getting this error in the automation.log when running
idmConfigTool -configOAM input_file=propertiesFile

FINER: Invoking mbean
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOAM11gFAProperties
SEVERE: Error while configuring OAM properties
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOAM11gFAProperties
FINER: RETURN
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOAM11gIdStore
FINER: ENTRY
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOIMIntegration
FINER: Creating mbean connection
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOIMIntegration
FINER: Created mbean connection
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler getFoundationConfigMBean
FINER: ENTRY
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler getFoundationConfigMBean
FINER: RETURN com.oracle.oam:Location=AdminServer,name=OamManagement,type=oam.management,Application=oam_admin,ApplicationVersion=11.1.1.3.0
Sep 12, 2013 12:59:26 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOIMIntegration
FINER: Invoking mbean
Sep 12, 2013 12:59:27 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOAMPartner
SEVERE: Error while configuring User ID Store {1}
Sep 12, 2013 12:59:27 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOAMIntegration
FINER: mbean invocation success.
Sep 12, 2013 12:59:27 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler configOIMIntegration()
FINER: RETURN
Sep 12, 2013 12:59:27 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler createDumpParams
FINE: OAM11gIntegrationHandler : createDumpParams()
Sep 12, 2013 12:59:27 AM oracle.idm.automation.impl.oam.handlers.OAM11gIntegrationHandler execute


Please see the contents of the properties file:

WLSHOST: idm.oracle.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idm.oracle.com
IDSTORE_PORT: 3060
IDSTORE_DIRECTORYTYPE:OID
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=oracle,dc=com
IDSTORE_SEARCHBASE: dc=oracle,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oracle,dc=com
IDSTORE_OAMSOFTWAREUSER: oamadmin
IDSTORE_OAMADMINUSER: oamadmin
PRIMARY_OAM_SERVERS: idm.oracle.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: prdr12_agent
COOKIE_DOMAIN: .idm.oracle.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM_TRANSFER_MODE: OPEN
OAM11G_SSO_ONLY_FLAG: true
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_OIM_OHS_URL:http://idm.oracle.com:7777/ebsauth_prdr12/ssologin
COOKIE_EXPIRY_INTERVAL: 120

Could you please suggest what I am missing here and in the entire process.

Thanks
Priya

Unknown said...

Hi Priya,
Did you find a solution? I have the same problem. Any help is appreciated!
Thanks
Gianni

Unknown said...

Hi Priya/Giovanni,

The issue is with the configuration file. It seems that some of the parameters are not configured correctly, causing the User Identity Store creation to fail.

Priya, in your case, if you look at this screenshot, the parameters IDSTORE_LOGINATTRIBUTE, IDSTORE_SYSTEMIDBASE, etc. are missing.

http://3.bp.blogspot.com/--CuaiLO6quw/UT8Ts9VF9kI/AAAAAAAAGJw/IzJtMBBYWFk/s1600/12.jpg

Regards,
Yagnesh
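
The three problems this thread turns up in a -configOAM properties file are all visible in the file itself before idmConfigTool is ever run: parameters such as IDSTORE_LOGINATTRIBUTE and IDSTORE_SYSTEMIDBASE missing (Yagnesh's diagnosis above), the User Name Attribute set to something other than uid (step 40 of the post), and an admin or system-ID container sitting inside the user search base so that LDAP sync reconciles it into OIM (Sashi's pointer). The following Python script is an added example, not part of the original post and not Oracle's tooling; it parses a properties file of the kind Priya posted and reports those findings. The list of required keys is assembled from the parameters named in this thread and is an assumption, not Oracle's authoritative list, and the sample file is constructed with example.com values.

```python
"""Sanity checks for an idmConfigTool -configOAM properties file.

Added example (not from the original post or from Oracle). The required-key
list and the expectations below are assumptions assembled from this thread,
not Oracle's authoritative requirements.
"""

# Assumption: parameters this thread identifies as needed for -configOAM
# (the keys in the posted file plus the two reported as missing).
REQUIRED_KEYS = {
    "WLSHOST", "WLSPORT", "WLSADMIN",
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN", "IDSTORE_DIRECTORYTYPE",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SEARCHBASE",
    "IDSTORE_SYSTEMIDBASE", "IDSTORE_OAMSOFTWAREUSER", "IDSTORE_OAMADMINUSER",
    "PRIMARY_OAM_SERVERS", "WEBGATE_TYPE", "ACCESS_GATE_ID", "COOKIE_DOMAIN",
    "OAM11G_IDSTORE_ROLE_SECURITY_ADMIN", "OAM_TRANSFER_MODE",
    "OAM11G_OIM_INTEGRATION_REQ", "OAM11G_OIM_OHS_URL",
}

# Constructed sample modelled on the file posted in the comments, with
# example.com values; it reproduces the problems discussed in the thread.
SAMPLE_PROPERTIES = """\
WLSHOST: idm.example.com
WLSPORT: 7001
WLSADMIN: weblogic
IDSTORE_HOST: idm.example.com
IDSTORE_PORT: 3060
IDSTORE_DIRECTORYTYPE:OID
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_OAMSOFTWAREUSER: oamadmin
IDSTORE_OAMADMINUSER: oamadmin
PRIMARY_OAM_SERVERS: idm.example.com:5575
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: example_agent
COOKIE_DOMAIN: .example.com
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
OAM_TRANSFER_MODE: OPEN
OAM11G_SSO_ONLY_FLAG: true
OAM11G_OIM_INTEGRATION_REQ: true
OAM11G_OIM_OHS_URL:http://idm.example.com:7777/oim
COOKIE_EXPIRY_INTERVAL: 120
"""


def parse_properties(text):
    """Parse 'KEY: VALUE' lines; the tool accepts ':' with or without a space.

    Only the first ':' separates key from value, so URLs and host:port
    values survive intact.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError("malformed line: %r" % raw)
        props[key.strip()] = value.strip()
    return props


def dn_components(dn):
    """Split a DN into RDNs normalised for comparison (lower-case, trimmed)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_is_under(dn, base):
    """True if dn is base itself or lies in the subtree below it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_properties(props):
    """Return a list of findings; an empty list means the file passed."""
    findings = ["missing required parameter: " + key
                for key in sorted(REQUIRED_KEYS - set(props))]
    # Step 40 of the post: the User Name Attribute must be uid.
    attr = props.get("IDSTORE_USERNAMEATTRIBUTE")
    if attr is not None and attr != "uid":
        findings.append("IDSTORE_USERNAMEATTRIBUTE should be uid, got " + attr)
    # Sashi's pointer: admin and system identities must live outside the
    # user container, or OIM's LDAP sync reconciles them as end users.
    # Assumption: the rule is applied here to the system-ID base and bind DN.
    users = props.get("IDSTORE_USERSEARCHBASE")
    if users:
        for key in ("IDSTORE_SYSTEMIDBASE", "IDSTORE_BINDDN"):
            dn = props.get(key)
            if dn and dn_is_under(dn, users):
                findings.append("%s (%s) lies inside IDSTORE_USERSEARCHBASE"
                                % (key, dn))
    return findings


def audit(text):
    """Parse and check a properties file given as text."""
    return check_properties(parse_properties(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports the two missing parameters and the cn user name attribute; a file that passes still has to be checked against the Integration Guide, since the key list here only covers what this thread mentions.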

Sunil Dani said...

Hi yagnesh,

I have integrated OAM-OIM-OAAM 11gR2 PS2. I just have a doubt: in your steps,
you have used two OHS instances listening on 7777 and 7778.
What I understood is that 7778 is the instance front-ending OAM and OIM.

Do I need to migrate the /oim, /identity and all the URL protection in the OAM console under the IAMSuiteAgent domain to the application domain of the 7777 OHS instance, or is it not needed?


Thanks,
Sunil Dani

Unknown said...

You don't need to migrate it. Your WebGate instance's Preferred Host configuration should have the value IAMSuiteAgent to point to the IAM Suite Application Domain.