Fusion Applications bare metal provisioning series Part IV: Performing IdM Post-Provisioning Configuration

Posted on by Posted in Fusion Applications, Identity and Access Management Tagged , , Leave a comment

There are couple of manual steps required after IdM provisioning is complete in order to get your IdM fully and correctly configured. These are mostly related to some things which could not fit into automatic provisioning process as well as various bugs that exist in the 11.1.7 version.

CORRECTING DATASOURCE CONFIGURATION

Due to Bugs 17075699 and 17076033 in Identity Management Provisioning, you must make changes to the following datasources:

  • EDNLocalTxDataSource-rcn
  • mds-oim-rcn
  • mds-owsm-rcn
  • mds-soa-rcn
  • oamDS-rcn
  • oimJMSStoreDS-rcn
  • OraSDPMDataSource-rcn
  • SOALocalTxDataSource-racn

To make the changes, proceed as follows:

  1. Log in to the WebLogic Administration Console
  2. Click Lock & Edit.
  3. Navigate to Services -> Data Sources.
  4. Click on the data source to be updated, for example, EDNLocalTxDataSource-rcn
  5. Click the Transaction tab.
  6. Deselect Supports Global Transactions.
  7. Click Save.
  8. Repeat Steps 4 through 7 for all the listed datasources.
  9. Click Activate Changes.

Screen Shot 2014-07-02 at 22.25.30 pm

 

UPDATE OHS SERVER PARAMETERS  

For Idm deployments, the default values of Oracle HTTP server must be adjusted as follows:

  1. Edit the file httpd.conf, which is located in /u01/app/oracle/local/instances/ohs1/config/OHS/ohs1 (please note that this is a directory $ORACLE_INSTANCE_HOME we’ve chosen during provisioning of IdM, so it might differ in your environment).
  2. Update the values in <IfModule mpm_worker_module> section as below:

<IfModule mpm_worker_module>
ServerLimit 20
MaxClients 1000
MinSpareThreads 200
MaxSpareThreads 800
ThreadsPerChild 50
MaxRequestsPerChild 10000
AcceptMutex fcntl
</IfModule>

 CREATE ODSM CONNECTIONS TO OVD

Before you can manage Oracle Virtual Directory you must create connections from ODSM to each of your Oracle Virtual Directory instances. To do this, proceed as follows:

  1. Open ODSM in your browser. By default it will run under 7005 port, so the URL is http://<yourIDMhostname&gt;.<yourIDMdomain>:7005/odsm
  2. Create a direct connection to Oracle Virtual Directory providing your host and port information in ODSM (please note that SSL needs to be checked and default port during provisioning is 8899):

Screen Shot 2014-07-02 at 22.44.23 pm

 

Enter the common IdM password you’ve chosen during IdM provisioning. You should be able to login and see the page like this:

Screen Shot 2014-07-02 at 22.47.24 pm

 

ADD ORACLE IDENTITY MANAGER PROPERTY

As a workaround for a bug in the Identity Management Provisioning tools (Bug 16667037), you must add an Oracle Identity Manager property. Perform the following steps:

  1. Log in to the WebLogic Console
  2. Navigate to Environment -> Servers.
  3. Click Lock and Edit.
  4. Click on the server WLS_OIM1.
  5. Click on the Server Start subtab
  6. Add the following to the Arguments field: -Djava.net.preferIPv4Stack=true
  7. Click Save.
  8. Click Activate Changes.
  9. Restart the managed server WLS_OIM1

Screen Shot 2014-07-02 at 22.55.08 pm

UPDATE WEBGATE CONFIGURATION

To update the maximum number of WebGate connections, proceed as follows:

  1. Login to the Oracle Access Manager Console and select the System Configuration tab (note you have to use oamadmin user for login)
  2. Select Access Manager -> SSO Agents -> OAM Agent from the directory tree. Double-click or select the Open Folder icon.
  3. On the displayed search page, click Search to perform an empty search.
  4. Click the Agent Webgate_IDM.
  5. Select Open from the Actions menu.
  6. Set Maximum Number of Connections to 20
  7. Set AAA Timeout Threshold to 5.
  8. In the User Defined Parameters box, set client_request_retry_attempts to 11.
  9. If the following Logout URLs are not listed, add them:
  • /oamsso/logout.html
  • /console/jsp/common/logout.jsp
  • /em/targetauth/emaslogout.jsp

Click Apply.Screen Shot 2014-07-02 at 23.08.21 pm

CREATE OAM POLICIES FOR WEBGATE 11G

In order to allow WebGate 11g to display the credential collector, you must add /oam to the list of public policies. Proceed as follows:

  1. Log in to the OAM console
  2. Select the Policy Configuration tab.
  3. Expand Application Domains – IAM Suite
  4. Click Resources.
  5. Click Open.
  6. Click New resource.
  7. Provide the following values:
  • Type: HTTP
  • Description: OAM Credential Collector
  • Host Identifier: IAMSuiteAgent
  • Resource URL: /oam
  • Protection Level: Unprotected
  • Authentication Policy: Public Policy

Click Apply.

Screen Shot 2014-07-02 at 23.13.29 pm

 

PASSING CONFIGURATION PARAMETERS FILE TO FUSION APPLICATIONS

There is a properties file called idmsetup.properties that gets created and appended each time something is changed in IdM configuration. The file is required for further Fusion Applications provisioning during provisioning plan creation. Basically what happens is that all IdM related information is taken from that file and autofilled in Fusion Apps provisioning plan. Therefore it is necessary to transfer the file to Fusion Applications node. You can locate the file in $ORACLE_CONFIG_HOME. In our case it is /u01/app/oracle/config/fa. Once this has been done – we are ready for further steps in FA provisioning process that will be covered in next series of blog posts.

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s