OAM EDG Training

DESCRIPTION

Oracle Access Manager, EDG, training


  • Oracle Access Manager 11g R2: Advanced Administration 4 - 1


  • Oracle Identity and Access Management has two main functions: user provisioning and
    access management. The Enterprise Deployment Guide is a solution for implementing Oracle
    Identity and Access Management in an enterprise and has the following features:
    - Main components deployed: Oracle Access Manager Access Manager (OAM), Oracle
      Access Manager Oracle Identity Manager (OIM), Oracle Access Manager Authorization
      Policy Manager (APM)
    - Support for different identity stores, including Oracle Internet Directory, Oracle Unified
      Directory, and Oracle Virtual Directory. Oracle Virtual Directory can be used to support
      third-party directories or to provide multi-directory support.
    - All components are highly available.
    - SSL is terminated at the load balancer.
    - OAM and OIM are deployed into different domains to separate administrative tasks from
      operational tasks.
    - Directories are deployed into independent domains; this allows directories to be
      patched independently of Oracle Access Management components. This removes the
      need to ensure that products are certified with infrastructure components from a different
      product set, which makes patching easier. It is also likely that enterprises already have
      an enterprise identity store (LDAP), which can be reused.

  • If you are using load balancers to front the Identity Management environment, you must
    configure virtual servers and associated ports on the load balancer for the different types of
    network traffic and for monitoring. These virtual servers should be configured to the
    appropriate real hosts and ports for the services running. Also, the load balancer should be
    configured to monitor the real hosts and ports for availability so that traffic to them is stopped
    as soon as possible when a service is down. This ensures that incoming traffic on a given
    virtual host is not directed to an unavailable service in the other tiers.

    Fusion Applications: Install and Configure Identity Management 2 - 4

  • The directory tier provides the LDAP services. The directory tier stores identity information
    about users and groups. This tier includes products such as Oracle Internet Directory, Oracle
    Unified Directory, and Oracle Virtual Directory. The directory tier is closely tied to the data
    tier.

    In some cases, the directory tier and data tier might be managed by the same group of
    administrators. In many enterprises, however, database administrators own the data tier while
    directory administrators own the directory tier.

    The directory components such as Oracle Unified Directory, Oracle Internet Directory, and
    Oracle Virtual Directory are installed on LDAPHOSTs. LDAP requests are distributed among
    these servers using a hardware load balancer.

    If you store the identity details in a directory other than Oracle Internet Directory or Oracle
    Unified Directory, you can use either:
    - Oracle Virtual Directory, to present that information, or
    - Oracle Directory Integration Platform, to synchronize the users and groups from the other
      directory to Oracle Internet Directory.

    If you are using Oracle Internet Directory exclusively, you do not need to use Oracle Virtual
    Directory or Oracle Unified Directory.

  • Directory Tier (continued)

    If you store your identity information in Oracle Unified Directory, this information is stored
    locally in a Berkeley database. To ensure high availability, this information is replicated to
    other Oracle Unified Directory instances using Oracle Unified Directory replication.

    Typically protected by firewalls, applications above the directory tier access LDAP services
    through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and
    636 for the SSL port. LDAP services are often used for white pages lookup by clients such as
    email clients in the intranet. Ports 389 and 636 on the load balancer are typically redirected
    to the non-privileged ports used by the individual directory instances.

  • The application tier is where Java EE applications are deployed. Products such as Oracle
    Identity Manager, Oracle Directory Integration Platform, Oracle Directory Services Manager,
    and Oracle Enterprise Manager Fusion Middleware Control are the key Java EE components
    deployed in this tier. Applications in this tier benefit from the high availability support
    of Oracle WebLogic Server.

    OAM Server, Oracle Adaptive Access Manager, Oracle Identity Manager, and SOA can be
    run in active-active mode; these servers communicate with the data tier at run time.

    The WebLogic Administration Server is a singleton component and can be deployed in an
    active-passive configuration. If the primary fails or the Administration Server on one host
    does not start, the Administration Server on the secondary host can be started. If a WebLogic
    managed server fails, the node manager running on that host attempts to restart it.

    The Identity Management application tier applications interact with the directory tier as follows:
    - They leverage the directory tier for enterprise identity information.
    - They leverage the database tier for application metadata.

    WebLogic Server has built-in web server support. If enabled, the HTTP listener exists in
    the application tier as well. However, for the enterprise deployment shown, customers
    have a separate web tier relying on web servers such as Oracle HTTP Server.

  • The HTTP servers are deployed in the web tier. Most of the Identity Management
    components can function without the web tier, but to support enterprise-level single sign-on
    using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is
    required.

    Components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle
    Directory Services Manager can function without a web tier. They can also be configured to
    use a web tier, if desired.

    In the web tier:
    - Oracle HTTP Server, WebGate (an Oracle Access Manager component), and the
      mod_wl_ohs module are installed. The mod_wl_ohs module enables requests to be
      proxied from Oracle HTTP Server to a WebLogic Server that is running in the
      application tier.
    - WebGate in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate
      with Oracle Access Manager. WebGate and Oracle Access Manager are used to
      perform operations such as user authentication.

  • These are the typical hardware requirements. For each tier, carefully consider the load,
    throughput, response time, and other requirements to plan the actual capacity required. The
    number of nodes, CPUs, and memory required can vary for each tier based on the
    deployment profile. Production requirements may vary depending on applications and the
    number of users. For detailed requirements, or for requirements for other platforms, see the
    Oracle Fusion Middleware Installation Guide for that platform.

  • Configuring virtual servers (IP addresses and host names) on physical machines enables you
    to efficiently move the services from one configured environment to another.

    A virtual IP address is an unused IP address that belongs to the same subnet as the host's
    primary IP address. It is assigned to a host manually, and Oracle WebLogic managed servers
    are configured to listen on this IP address. If the node to which the IP address is assigned
    fails, the IP address is assigned to another node in the same subnet, so that the new node
    can take responsibility for running the managed servers assigned to it.

    You must configure several virtual servers and associated ports on the load balancer for
    different types of network traffic and monitoring. These virtual servers should be configured to
    the appropriate real hosts and ports for the services running. Also, the load balancer should
    be configured to monitor the real hosts and ports for availability so that traffic to them is
    stopped as soon as possible when a service is down. This ensures that incoming traffic on a
    given virtual host is not directed to an unavailable service in the other tiers.

    Ensure that the virtual server names are associated with IP addresses and are part of your
    DNS. The computers on which Oracle Fusion Middleware is running must be able to resolve
    these virtual server names.
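
An added example, not from the course notes, that turns the two requirements above into a check an administrator can run on each node: the candidate virtual IP must lie in the same subnet as the host's primary IP, and every virtual server name the topology uses must resolve. The addresses, prefix length and host names are constructed; the subnet arithmetic runs offline, while the name check uses getent and therefore needs a live host.

```shell
#!/bin/sh
# Added example (not part of the course notes). Validates virtual IP placement and
# virtual server name resolution for an EDG-style topology. All addresses and names
# used in comments and the sample invocation are constructed.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet VIP PRIMARY_IP PREFIXLEN -> exit 0 when both addresses share the /PREFIXLEN network
same_subnet() {
  vip=$(ip_to_int "$1")
  pri=$(ip_to_int "$2")
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( vip & mask )) -eq $(( pri & mask )) ]
}

# resolves NAME -> exit 0 when DNS (or /etc/hosts) has an address for NAME
resolves() {
  getent hosts "$1" >/dev/null 2>&1
}

# check_virtual_servers PRIMARY_IP PREFIXLEN VIP NAME... -> reports each check, exit 0 only if all pass
check_virtual_servers() {
  pri=$1; plen=$2; vip=$3
  shift 3
  rc=0
  if same_subnet "$vip" "$pri" "$plen"; then
    echo "OK   virtual IP $vip is inside $pri/$plen"
  else
    echo "FAIL virtual IP $vip is outside $pri/$plen; failover to another node in this subnet cannot claim it"
    rc=1
  fi
  for name in "$@"; do
    if resolves "$name"; then
      echo "OK   $name resolves"
    else
      echo "FAIL $name does not resolve; WebLogic and OHS on this node cannot reach it"
      rc=1
    fi
  done
  return $rc
}

# Sample invocation (constructed values): primary IP of a host in 10.10.20.0/24, the
# ADMINVHN-style virtual IP, then the virtual server names to resolve.
#   sh check_vips.sh 10.10.20.11 24 10.10.20.50 sso.mycompany.com admin.mycompany.com
if [ "$#" -ge 3 ]; then
  check_virtual_servers "$@"
fi
```

Run it on every node that may host the managed servers: the subnet check is what makes the failover described above possible, and a name that resolves on one node but not another is exactly the asymmetry the notes warn against.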

  • Several virtual servers and associated ports must be configured on the load balancer for
    different types of network traffic and monitoring. These should be configured to the
    appropriate real hosts and ports for the services running. Also, the load balancer should be
    configured to monitor the real hosts and ports for availability so that traffic to them is
    stopped as soon as possible when a service is down. This ensures that incoming traffic on a
    given virtual host is not directed to an unavailable service in the other tiers.

    There are two load balancer devices in the recommended topologies:
    - One load balancer is set up for external HTTP traffic.
    - The other load balancer is set up for internal LDAP traffic.

    You may choose to have a single load balancer device for a variety of reasons. While this
    is supported, you should consider the security implications of doing so and, if found
    appropriate, open up the relevant firewall ports to allow traffic across the various DMZs. In
    either case, it is highly recommended to deploy a given load balancer device in
    fault-tolerant mode.

  • Configuring the Load Balancers (continued)

    The procedures for configuring a load balancer differ, depending on the specific type of load
    balancer. Refer to the vendor-supplied documentation for the actual steps. The following steps
    outline the general configuration flow:
    - Create a pool of servers. This pool contains a list of servers and the ports that are included
      in the load balancing definition. For example, for load balancing between the web hosts,
      you create a pool of servers that directs requests to the WEBHOSTs on port 7777.
    - Create rules to determine whether or not a given host and service is available, and assign
      them to the pool of servers described above.
    - Create a virtual server on the load balancer. This is the address and port that receives
      the requests used by the application. For example, to load balance web tier requests, you
      would create a virtual host for sso.mycompany.com:80.
    - If your load balancer supports it, specify whether the virtual server is available
      internally, externally, or both. Ensure that internal addresses are only resolvable from
      inside the network.
    - Configure SSL termination, if applicable, for the virtual server.
    - Tune the timeout settings. This includes the time to detect whether a service is down.

  • It is important to set up your file system in a way that makes the enterprise deployment easier
    to understand, configure, and manage. Use this as a reference to help understand the
    directory variables used in the installation and configuration procedures. Other directory
    layouts are possible and supported, but the model adopted here is chosen for maximum
    availability, providing both the best isolation of components and symmetry in the configuration,
    and facilitating backup and disaster recovery.

    Oracle Fusion Middleware 11g enables you to configure multiple component instances from a
    single binary installation. This allows you to install binaries in a single location on shared
    storage and reuse this installation for the servers on different nodes.

    When an ORACLE_HOME (product binary location) or a WL_HOME (WebLogic binary
    location) is shared by multiple servers on different nodes, keep the Oracle Inventory and
    Middleware home lists on those nodes updated for consistency in the installations and
    application of patches. To update the oraInventory on a node and attach an installation on
    shared storage to it, use ORACLE_HOME/oui/bin/attachHome.sh. To update the Middleware
    home list to add or remove a WL_HOME, edit the file beahomelist located in a directory called
    bea in the user's home directory, for example: /home/oracle/bea/beahomelist.

    You can mount shared storage either exclusively or shared. If you mount it exclusively, it is
    mounted on only one host at a time. (This is typically used for active/passive failover.)

  • Oracle also recommends separating the domain directory used by the WebLogic
    Administration Server from the domain directory used by managed servers. This allows a
    symmetric configuration for the domain directories used by managed servers and isolates the
    failover of the Administration Server. The domain directory for the Administration Server must
    reside in shared storage to allow failover to another node with the same configuration. The
    managed servers' domain directories can reside in local or shared storage.

    It is recommended to place managed server directories on local storage. Placing managed
    server directories in shared storage can have an adverse performance impact. The configuration
    steps provided in this Enterprise Deployment Topology assume that a local domain directory
    on each node is used for each managed server.

  • The slide depicts the folder structure for the Web Tier and Directory Tier using two different
    machines. In the classroom environment you may see that the two tiers are configured on a
    single machine and the MW_HOME (/u01/app/oracle/product/fmw) for all the tiers is the
    same. The individual product binaries (ORACLE_HOME) such as web, idm, and oud are
    under MW_HOME.

    Similarly, in a single-machine environment, the instance root is common to all the system
    components. The ORACLE_INSTANCEs ohs1, oud1, oid1, and ovd1 are configured within the
    /u01/app/oracle/admin folder.

  • The slide shows the folder hierarchy of the Application Tier, with a split domain where the
    OAM and OIM components are configured in separate domains and on different machines. Notice
    that the AdminServer and Managed Servers of the same domain are also separated, to enable
    easy porting of servers, and also to enable locating AdminServers and JMS TLogs in shared
    storage while locating Managed Servers in local storage.

  • The installation procedure consists of these steps:
    - Install the database binaries and create one (OIDDB) database
    - Configure a second (OIMDB) database using DBCA
    - Create the ODS schema in OIDDB
    - Create the OAM, OIM, and SOA schemas in OIMDB
    - Install the Web Tier
    - Install JRockit JDK
    - Install WebLogic Server
    - Install OID and OVD (from Oracle Identity Management Suite)
    - Install SOA
    - Install OAM and OIM (from Oracle Identity and Access Management Suite)
    - Apply necessary patches to the installed components

  • Although it is possible to combine the installation and configuration operations of some of the
    Identity Management components, it is recommended to separate installation and
    configuration into distinct operations for easier management, patching, and for implementing
    high availability.
    - Install the database components.
    - Install the Oracle Web Tier component.
    - Install Oracle WebLogic Server. In 64-bit environments, you should install the 64-bit JDK
      before installing Oracle WebLogic Server. When you install Oracle WebLogic Server,
      you also create a Middleware home. All the subsequent components are installed in the
      same Middleware home.

    Note that even though Oracle Entitlement Server (OES) is used in authorization management,
    you do not need to install and configure OES separately as with the other identity and access
    management components. This is because the Fusion Applications provisioning process includes
    the installation and configuration of OES.

  • To see all certified databases or to check whether your database is certified, refer to the
    "Certified Databases" section in the Certification Document at:
    http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

    The database that is used to store the metadata repository should be highly available. For
    maximum availability, you are recommended to use Oracle Real Application Clusters (RAC)
    databases.

    Ideally the database should use Oracle Automatic Storage Management (ASM) for storage of
    data. However, this is not mandatory or essential. If you set up ASM, ASM should be installed
    into its own Oracle home and have two disk groups:
    - One for the database files
    - One for the Flash Recovery Area

  • You can set the database initialization parameters after you have created the database, but
    before creating the OID-related schema in the database.

  • You can set the database initialization parameters after you have created the database, but
    before creating the related schema in the database. If you plan to set up separate databases
    for the OAM and OIM schemas, then each database should have the same initialization
    parameters, except the open_cursors parameter. The open_cursors parameter can be 800 in
    each database.

  • If you are using a RAC database, you need to run RCU from only one instance of the RAC
    database.

    If your topology requires more than one database, the following important considerations
    apply:
    - Be sure to install the correct schemas in the correct database.
    - You might have to run RCU more than once to create all the schemas for a given
      topology.

  • Before configuring the Oracle HTTP Server on a machine, you should have already installed
    the Oracle Web Tier on the machine.

    Ensure that the port you intend to use for the OHS instance is not in use by any other
    component. In the practice we intend to configure Oracle HTTP Server on port 7777, so you
    must ensure that port 7777 is not used by any other service on the nodes.

    To check whether this port is in use, run the following command before installing Oracle HTTP
    Server. You must free the port if it is in use.

        netstat -an | grep 7777

    Create a file containing the ports used by Oracle HTTP Server. You can use the staticports.ini
    file provided in the Web Tier installation media (on Disk1 of the installation media, under
    the /stage/Response/ folder) to set up OHS and OPMN for the OHS instance in specific folders.

    In the practice for this lesson, you use the staticports.ini file to assign your selected
    port to the OHS components that you configure. This helps you make sure that there are
    no port conflicts when you need to fail the OHS components over to another machine.

    Use the Configuration Assistant from WEB_ORACLE_HOME to configure the OHS instance.
    Note that the Web Tier Configuration Wizard is different from the Fusion Middleware Domain
    Configuration Wizard.
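
An added example, not from the course notes, that does the port check above more carefully than a bare `grep 7777` and extends it to every port listed in a staticports-style file, so the same script can be run on each node before a failover target is chosen. The netstat output and the port list are constructed samples; the key names only imitate the style of staticports.ini and are not copied from the real file.

```shell
#!/bin/sh
# Added example (not part of the course notes). Checks OHS ports against the sockets
# currently open on a node. SAMPLE_NETSTAT and SAMPLE_PORTS are constructed so the
# functions can be exercised offline; check_live() runs against the real host.

# Constructed sample of `netstat -an` output (Linux layout: column 4 is the local address).
# It deliberately contains the two lines a bare `grep 7777` gets wrong: a listener on 17777
# and an outbound connection whose remote end is 7778.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7001            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:17777         0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:7777           10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:45210          10.0.0.7:7778           ESTABLISHED'

# Constructed port assignments in a "key = port" layout like staticports.ini (key names assumed)
SAMPLE_PORTS='# ports for the ohs1 instance
OHS Port = 7777
OHS Proxy Port = 7778
OPMN Local Port = 6700'

# port_in_use PORT NETSTAT_OUTPUT -> exit 0 if PORT is a local endpoint (listening or connected).
# Anchoring ":PORT$" on the local-address column ignores substrings and remote ports.
port_in_use() {
  printf '%s\n' "$2" | awk -v p="$1" '$4 ~ (":" p "$") { found = 1 } END { exit found ? 0 : 1 }'
}

# ports_from_ini INI_TEXT -> prints every assigned port number, one per line, skipping comments
ports_from_ini() {
  printf '%s\n' "$1" | awk -F= '/^[^#].*=/ { gsub(/[[:space:]]/, "", $2); print $2 }'
}

# conflicting_ports INI_TEXT NETSTAT_OUTPUT -> prints each assigned port that is already in use
conflicting_ports() {
  for p in $(ports_from_ini "$1"); do
    if port_in_use "$p" "$2"; then
      echo "$p"
    fi
  done
}

# check_live PATH_TO_STATICPORTS_INI -> same check against this host's current sockets
check_live() {
  conflicting_ports "$(cat "$1")" "$(netstat -an 2>/dev/null)"
}

# Offline demonstration on the constructed samples: only 7777 is reported (the 7777 line is
# a lingering ESTABLISHED connection, which still blocks a new listener).
conflicting_ports "$SAMPLE_PORTS" "$SAMPLE_NETSTAT"
```

A port that shows up only as the remote end of a connection (7778 above) is free on this node, and a leftover ESTABLISHED socket on 7777 is not; `grep 7777` reports both the same way and also matches 17777. On hosts without netstat, `ss -an` gives equivalent data but places the local address in a different column, so the awk field in port_in_use has to be adjusted.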

  • Before starting to implement your Identity Management topology, you must determine whether
    to create a single-domain topology or a split-domain topology.
    - For a single-domain topology, create one WebLogic domain, often referred to as
      IDMDomain.
    - For a split-domain topology, you must create two domains. Specifically:
      - A domain for most components, including directories, the HTTP server, Oracle
        Access Manager, Fusion Middleware Control, and the WebLogic console. This is
        called IDMDomain.
      - A domain for Oracle Identity Manager components, including OIM managed
        servers and a separate WebLogic console and Fusion Middleware Control. This is
        called OIMDomain.

    In the practice, you create a single-domain topology and configure all the Java components to
    run in IDMDomain.

  • Run the Domain Configuration Wizard from the Oracle Common home directory to create a
    domain that contains only the WebLogic Administration Server. The Administration Server
    runs Fusion Middleware Control and the WLS Administration Console.

    Later you extend this domain to configure managed servers in clusters for the other Identity
    Management components.

    You should disable host name verification because you may not have configured the server
    certificates. You will receive errors when managing the different WebLogic Servers with host
    name verification enabled and certificates not configured. To avoid these errors, disable host
    name verification while setting up and validating the topology, and enable it again after your
    Identity Management topology configuration is complete.

    In your environment, Oracle WebLogic Server may be fronted by multiple OHS instances that
    are in turn fronted by a load balancer. The load balancer usually performs SSL termination.
    For the internal loopback URLs to be generated with the https prefix, Oracle WebLogic Server
    must be informed that it receives requests through the Oracle HTTP Server WebLogic plug-in.

  • If you intend to separate your identity and policy information, you must create two highly
    available directory instances. These instances can coexist on the same nodes or can exist
    on separate nodes. The data, however, must be stored in two separate databases.

  • If OID Monitor detects a time discrepancy of more than 250 seconds between the two nodes,
    the OID Monitor on the node that is behind stops all servers on its node. To correct this
    problem, synchronize the time on the node that is behind. The OID Monitor automatically
    detects the change in the system time and starts the Oracle Internet Directory servers on
    its node.

  • The WLS Domain Configuration Wizard (config.sh) is available in
    MW_HOME/oracle_common/common/bin.

    After configuring OAM in the WLS domain, by default the IAM Suite Agent provides single
    sign-on capability for the administration consoles. In enterprise deployments, WebGate handles
    single sign-on, so you must remove the IAM Suite Agent:
    - Log in to the WebLogic console by using the URL: http://admin:7001/console
    - Select Security Realms from the Domain Structure menu and click myrealm.
    - Click the Providers tab, and then click Lock & Edit in the Change Center.
    - From the list of authentication providers, select IAMSuiteAgent and click Delete.
    - Click Yes to confirm the deletion.
    - Click Activate Changes in the Change Center.
    - Restart the WebLogic Administration Server and all managed servers.

  • To configure OAM to work with OHS, edit the OHS configuration file and add the OAM-related
    configuration. In these notes as extracted, the <Location> containers that enclose each of the
    following directive pairs and the host:port values of the WebLogicCluster members were lost;
    <host1>:<port>,<host2>:<port> below marks where those values belong.

        SetHandler weblogic-handler
        WebLogicCluster <host1>:<port>,<host2>:<port>

        SetHandler weblogic-handler
        WebLogicCluster <host1>:<port>,<host2>:<port>

    To enable access to the OAM Administration Console, also add the following lines to the OHS
    configuration file. Note that the OAM console also runs within the WLS Admin Server.

        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001

    To configure OAM with SIMPLE security mode, use an external LDAP, and create an external
    WebGate, create an OAM property file and, using that file as input, run idmConfigTool in
    configOAM mode.

    Validate the OAM configuration as follows:
    - Access the OAM console at: http://adminhost:7001/oamconsole. Log in as the Oracle Access
      Manager Admin User (oamadmin with password: Welcome1).
    - Click the System Configuration tab, and expand Access Manager Settings > SSO Agents
      > OAM Agents.
    - Click the open folder icon, and then click Search. You should see the WebGate agent
      Webgate_IDM.

    Update the new WebGate agent:
    - Click the Webgate_IDM agent in the result of the previous search step.
    - Select Open from the Actions menu and update the following information:
      - Deny if not Protected: Deselect.
      - Set Max Connections to 4 for all the Oracle Access Manager servers listed in the
        primary servers list.
    - Click Apply.
    - Click the Policy Configuration tab and double-click IAMSuiteAgent in Host Identifiers. Click
      + in the Operations box.
    - Enter the following information:
      - Host Name: adminhost.example.com
      - Port: 7777
    - Click Apply.
