Monday 22 September 2014

Installing and Configuring Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)

Installing and configuring the latest version of the Oracle Identity and Access Management 11g components involves the following steps:


Note: If you are installing Oracle Identity Manager, you must install Oracle SOA Suite 11g Release 1 (11.1.1.7.0). Only Oracle Identity Manager requires Oracle SOA Suite; this step is required because Oracle Identity Manager uses process workflows in Oracle SOA Suite to manage request approvals.


Enjoy :-)

Identifying Installation Directories

The common directory names used while installing OAM/OIM include the following:



Locating Installation Log Files

  • The Installer writes log files to the ORACLE_INVENTORY_LOCATION/logs directory on UNIX systems and to the ORACLE_INVENTORY_LOCATION\logs directory on Windows systems.
  • On UNIX systems, if you do not know the location of your Oracle Inventory directory, you can find it in the ORACLE_HOME/oraInst.loc file.
  • On Microsoft Windows systems, the default location for the inventory directory is C:\Program Files\Oracle\Inventory\logs.

Enjoy :-)

Monday 8 September 2014

WebLogic server Error: Could not obtain an exclusive lock for directory.


Steps to make your OAM Admin Server start:

1.  Shut down the Admin Server.
2.  Delete the .lok file from <domain-home>/servers/<server-name>/tmp/, i.e. AdminServer.lok for the Admin Server.
3.  Now start the Admin Server.
4.  If the server still fails to start, the process that is still running on the server needs to be killed, using the following commands:

ps -ef | grep 'weblogic'

kill -9 PID

5.  Now start the Admin Server again.
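As an added example (not from the original post), here is a POSIX shell version of the procedure above that removes the stale lock file only when no WebLogic JVM is still running, and sends a plain SIGTERM before falling back to kill -9, so a server that is merely slow to exit gets the chance to shut down cleanly. The lock-file path follows the <domain-home>/servers/<server-name>/tmp/<server-name>.lok layout given in step 2; the process pattern `[w]eblogic.Server` is an assumption about the JVM command line, and the bracketed first letter also keeps the grep from matching its own command line, which `ps -ef | grep 'weblogic'` does.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the lock file lives at
# <domain-home>/servers/<server-name>/tmp/<server-name>.lok and that a running
# WebLogic JVM has "weblogic.Server" on its command line (assumption).

# Print the lock-file path for a given domain home and server name.
lok_path() {
  printf '%s/servers/%s/tmp/%s.lok\n' "$1" "$2" "$2"
}

# Print the PIDs of running WebLogic JVMs, one per line.
# The bracketed first letter stops grep from matching its own command line,
# a classic pitfall of 'ps -ef | grep weblogic'.
weblogic_pids() {
  ps -ef 2>/dev/null | grep '[w]eblogic.Server' | awk '{ print $2 }'
}

# Remove the lock file only when no WebLogic JVM is running: deleting a lock
# that a live server still holds can end with two servers writing to the same
# domain directory.
# Returns 0 when the file has been removed, 1 when a JVM still holds it,
# 2 when there was no lock file to begin with.
remove_stale_lok() {
  lok=$(lok_path "$1" "$2")
  [ -f "$lok" ] || return 2
  pids=$(weblogic_pids)
  if [ -n "$pids" ]; then
    echo "WebLogic JVM(s) still running (PIDs: $(echo $pids)); not removing $lok" >&2
    return 1
  fi
  rm -f "$lok"
}

# Stop running WebLogic JVMs: SIGTERM first so the server can shut down
# cleanly, SIGKILL only for processes still alive after the grace period
# (default 30 seconds).
stop_weblogic() {
  grace=${1:-30}
  pids=$(weblogic_pids)
  [ -n "$pids" ] || return 0
  kill $pids 2>/dev/null
  sleep "$grace"
  pids=$(weblogic_pids)
  [ -n "$pids" ] && kill -9 $pids 2>/dev/null
  return 0
}

# Usage after a failed Admin Server start (paths are placeholders):
#   stop_weblogic 30
#   remove_stale_lok /u01/domains/base_domain AdminServer && echo "lock removed"
```

Running the two functions in that order reproduces steps 1, 2 and 4 of the post; the server is then started again as in step 5.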

Sunday 7 September 2014

Weblogic Server Error: "unable to get file lock, will retry ..."

<BEA-141281> <unable to get file lock, will retry ...>


In case you see the above error while starting the WebLogic Admin Server, do the following:

  1. Remove the AdminServer.lok file from <MW_Home>\user_projects\domains\base_domain\servers\AdminServer\tmp
  2. Manually start WebLogic from <MW_HOME>\user_projects\domains\base_domain\server\bin

Enjoy :-)

Friday 5 September 2014

Configuring OAM11G R2PS2 for Impersonation Module (Integrated Mode)

Enabling the Impersonation Module:

1)     Registering the Impersonation Module

  • We need to register the impersonation module at the Global level so that the individual sites can configure it at their end.
  • Go to the Global site level and open Modules.
  • Go to “Configure Native Module” (at the top right corner).
  • Click Register.
      o   Provide a name -> “OAMImpersonation” and the path to IISImpersonationModule.dll (present in the WebGate install directory).
      o   Press OK.
      o   The module is now added to the list.
      o   Beware: do not add this module at the Global level. We only need to register it here; we will be adding it per site.

2)     Adding the Impersonation Module at Site Level:

  • Go to your site -> Open Modules.
  • Configure Native Module: add the OAMImpersonation module registered above.
  • The moment we add the module, the site's web.config gets updated. Extract from it:

Note: The above configuration is valid for the site running in Integrated Mode.

  • Thus we have now configured IISImpersonationModule.dll with our site.
  • Restart the IIS Server.
  • Now we need to do some configuration at the OAM Console end.

Open the OAM Console ->

     1)      Adding the Response Header in the Authorization Policy

  • Go to Application Domain -> Open WebGate Profile -> Authorization Policy -> Protected Policy.
    Note: It is not mandatory to use ‘Protected Policy’; we are using it because we have not explicitly specified a policy.
  • Open the Responses tab (in the authorization policy) and add a new response field.
    Note: The header field name should be “IMPERSONATE” and the value “$user.userid”.
  • Add the Response Header and apply the changes.
  • Now, under User Defined Parameters in the WebGate Profile, add:

MSImpersonationCredential=clk:Welcome1

    Remember: this user-defined parameter contains a username and password, and it must be an admin user, because an admin user has the rights to perform impersonation.
  • Apply the changes.

3)     Performing Impersonation:

       1)      Deploy the ASP.NET application in your created site.
       2)      The impersonation feature is activated.
       3)      Now we will access the resource /WebApp/default.aspx (we have created a sample app).
      o   Provide login credentials; try using some other user login rather than the admin login.
      o   Before you sign in to the system, open Event Viewer -> Windows Logs -> Security.
      o   Now log in. After the user's authn and authz checks, the user is given access to the resource.

Note: This is a sample app we created.

  • Now to check whether the user is impersonated or not:
    For this we check the system security event logs, to see that user ‘test’ is impersonated by the admin user ‘clk’.
    As we have already opened the Event Viewer, we can now see a ‘Credential Validation’ entry in the log. It shows that the system is authenticating the user with the credentials of the admin user ‘clk’ that we provided in the user-defined parameters.
      o   Now click the ‘Logon’ event just above the ‘Credential Validation’ entry. It shows that the system has authenticated the user as ‘clk’. Thus it proves that user ‘test’ has logged in to the system with the credentials of ‘clk’ and is therefore impersonated.




Configure Logout URL for Webgate 10g in OAM11G Server

Let's configure the logout URL for a WebGate 10g interacting with the OAM 11g server:

To let the user log out properly with WebGate 10g, a little bit of configuration is required so as to have a centralized logout.

The complete URL that needs to be triggered has two parts: URL + query string.
 Syntax: hostname:port?end_url=<redirect_url>

Steps to do:

1) Configure the logout URL in the WebGate Profile on the OAM 11g server.

2) Now check that the logout.html page exists in your WebGate install directory:
    a) Go to the <Webgate Inst Dir>/access/oamsso/ directory.
    b) Check if the logout.html page is present. If not, copy the logout.html page here.
        b.1) You can get this page from the directory where your 10g WebGate artifacts are generated.

3) Make sure the "/oamsso" entry is present in your httpd.conf file.
    a) Go to your web server instance directory -> <Webserver instance dir>/config/OHS/ohs1
    b) Open the httpd.conf file.
    c) Check the entry for 'oamsso'. It should look like:

       #*******Default Login page alias***
       <LocationMatch "/oamsso/*">
       Satisfy any
       </LocationMatch>

4) Now you are good to go. But remember that "end_url" is the redirect URL where you want to be redirected once you have logged out.

5) Now access the resource, then hit the logout URL with end_url in the query string.

6) Once you have logged out properly, you will see the success page.

7) To be sure, access the resource again. You will be challenged for credentials again.
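As an added example (not from the original post), the following POSIX shell helpers build the logout URL from steps 1 and 4, percent-encoding the end_url value so that a redirect target containing ':' and '/' survives as a single query parameter, and perform the httpd.conf check from step 3 by requiring 'Satisfy any' inside the /oamsso LocationMatch block rather than merely grepping for the word. The /oamsso/logout.html page path is an assumption taken from the directory layout in step 2; the host, port and redirect values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Percent-encodes the end_url
# value and checks httpd.conf for the /oamsso alias block shown in step 3.

# Percent-encode a string for use as a query-string value: RFC 3986
# unreserved characters are left as-is, everything else becomes %XX.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of the remaining string
    s=${s#?}                 # drop it from the remaining string
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the WebGate 10g logout URL: the logout page served from the /oamsso
# alias plus the end_url query parameter naming the post-logout redirect
# target. The /oamsso/logout.html path is an assumption based on step 2.
build_logout_url() {
  host=$1; port=$2; end_url=$3
  printf 'http://%s:%s/oamsso/logout.html?end_url=%s\n' \
    "$host" "$port" "$(urlencode "$end_url")"
}

# Verify that httpd.conf carries the /oamsso alias from step 3: a
# <LocationMatch "/oamsso/*"> block that contains 'Satisfy any', so the
# logout page is reachable without itself being challenged. 'Satisfy any'
# outside the block does not count. Returns 0 if found, 1 otherwise.
check_oamsso_alias() {
  awk '
    /<LocationMatch "\/oamsso\/\*">/      { inblock = 1; next }
    inblock && /^[ \t]*Satisfy[ \t]+any/ { found = 1 }
    /<\/LocationMatch>/                   { inblock = 0 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# Usage with constructed values (paths and hosts are placeholders):
#   build_logout_url oamserver.example.com 7777 'http://app.example.com:7778/welcome.html'
#   check_oamsso_alias /path/to/instance/config/OHS/ohs1/httpd.conf && echo "alias present"
```

The encoder is hand-rolled in plain sh so the script runs on an OHS host without extra tooling; if the redirect target were passed unencoded, its own '?' or '&' would be parsed as further query parameters of the logout URL.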


For more info, see the reference:
http://docs.oracle.com/cd/E17904_01/doc.1111/e15478/webgate.htm#CACBFHDC


Enjoy... :-)

Saturday 23 August 2014

Deploy OAM11g R2PS2 Webgate on IIS7.5 Windows 2008

Installing Webgate On IIS7.5 Windows Server 2008R2

1)      Download the WebGate 11g R2PS2 for Windows.
2)      Extract webgate.zip.
3)      Go to the Disk1 folder present under the webgate folder.
4)      Copy the path and open a command prompt.
a.       Change your directory to the path copied above.
5)      Now execute setup.exe followed by the JRE location.
                  o   It will start the installation process.
6)      Now follow the steps:
  o   Press Next
       •         Skip Software Updates
       •         Prerequisite Checks: Proceed Next
       •         Installation Location: Provide the installation directory location.
       •         Installation Summary: Proceed Next to start the installation.
       •         Installation Started
       •         Installation Completed

So we are done with the WebGate installation... Now let's proceed to the configuration phase.. :-)


Configure Webgate with IIS7.5

1)      Go to the WebGate Home Directory ->

a.       It is the location where we have installed the WebGate.
 For example, our WG Home location is
C:\oracle\product\11.1.1\as_3

b.      Go to the deployWebGate folder present under
C:\oracle\product\11.1.1\as_3\webgate\iis\tools\deployWebGate

c.       Execute the deployWebGateInstance.bat script.
You can see the arguments passed to the script (self-explanatory).

d.      Now we need to execute ConfigureIISWebGate.bat, present under
C:\oracle\product\11.1.1\as_3\webgate\iis\tools\ConfigureIISConf

e.      Your site is now mapped with the WebGate. To see this mapping, go to your WebGate home location -> lib folder -> open webgate.ini

            •         Now we need to add the artifacts to the WebGate instance directory (config folder).
            •         Restart the IIS Server.

Guys, we are done with the WebGate deployment on Windows Server 2008 R2 on the IIS7.5 web server....!!!!!


Enjoy :-)