OAM - OAAM 11g R2 PS2 (11.1.2.2.0) Advanced integration

-
This post covers the integration between OAM OAAM 11g R2 PS2 (11.1.2.2.0) .


Create a oaam admin user for administration






















                                                                                                                                                                
                                                                                                                                                               
Login to OAAM Admin Application on http://host:14200/oaam_admin (14200 default port) 


Load oaam_base_snapshot.zip 



























Restore the snapshot

Import oaam_policies.zip by going to Policies->Import Policies
Path of policies file = C:\Oracle\Middleware\Oracle_IDM1\oaam\init\oaam_policies.zip

OAM Configuration

Create a Default User Identity Store












                                                                                                                                                                  
                                                                                                                                                                
                                                                                                                                                                
                                                                                                                                                                  

Create a directory where you will store the Keystore file.










 

 








Run Register Third Party Partner Utility.







































registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks" , password="password", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://deepak-pc.mydomain.com:14300/oaam_server/oamLoginPage.jsp")


Update TAPScheme in OAM Console







Update the IAMSuiteAgent's profile and set Access Client Password


















                                                                                                                                                                 
                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                  
Update IAMSuiteAgent provider in WebLogic Security Realms with the same password






                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                  
Below step is optional 

Create a key in /em console for OAAM





                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                       

                                                                                                                                                           
Copy OAAM_HOME/oaam/cli to a Temporary location

Update C:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
with relevant values

Sample Data




#Overriding properties for oaam_cli

#Following properties are relevant when CSF is accessed using MBeans (usually in command-line/J2SE programs).
#Note: This is the preferred way of running OAAM command-line to avoid CSF related file dependencies (which are usually on the Weblogic Admin Server).
#If neither the oaam.adminserver.type property nor the APP_SERVER_TYPE environment variable are set, OAAM command line will prompt the user for application server type.  To run OAAM command line for WebLogic deployment, set oaam.adminserver.type to wls, set the APP_SERVER_TYPE to weblogic, or select WebLogic when prompted.  To run OAAM command line for WebSphere deployment, set oaam.adminserver.type to was, set the APP_SERVER_TYPE to websphere, or select WebSphere when prompted.
#In a Windows environment, if the APP_SERVER_TYPE environment variable is not set, then the OAAM command line will prompt the user for application server type even if oaam.adminserver.type is set in this file.
#Make sure for weblogic deployment weblogic jmx jars (wljmxclient.jar, wlclient.jar) and JPS jars (jps-api.jar, jps-common.jar, jps-internal.jar) are in classpath
oaam.csf.useMBeans=true
oaam.adminserver.type=wls
#oaam.adminserver.type=was
oaam.adminserver.protocol=t3
oaam.adminserver.hostname=localhost
oaam.adminserver.port=7001

#Set this properties if OAAM command-line is running in websphere deployment
oaam.was.client.sasPropFile=

#Set this property with the fully qualified path of jps-config-jse.xml when non-MBeans way of accessing CSF.
#Usually it resides in config/fmwconfig folder of the domain folder.
#Specify this path only if 'oaam.csf.useMBeans=false' and the OAAM command-line runs on Weblogic Admin Server host where OAAM is deployed. 
oaam.jps.config.filepath=

#Set this property to true, if OAAM DB userName, password from CSF have to be used instead of persistence.xml. Make sure to set the 'oaam.db.*' properties.
oaam.db.toplink.useCredentialsFromCSF=true

#Following properties are used (instead of persistence.xml) to initialize Toplink when 'oaam.db.toplink.useCredentialsFromCSF=true'
#Specify valid JDBC URL of OAAM database. For oracle databases the format is: jdbc:oracle:thin:@<hostname>:<port>:<sid>
oaam.db.url=jdbc:oracle:thin:@localhost:1521:orcl
#In case of non-oracle databases, change this to the relevant driver class name
oaam.db.driver=oracle.jdbc.driver.OracleDriver
oaam.db.min.read-connections=1
oaam.db.max.read-connections=25
oaam.db.min.write-connections=1
oaam.db.max.write-connections=25
#Specify the filepath of any additional properties that need to be used while initializing Toplink
oaam.db.additional.properties.file=



#Following properties are relevant only for OAAM - OAM Integration.
#Location of the Keystorefile generated using registerThirdPartyDAPPartner WLST command on OAM Admin server. For example /rootdir/keystoreloc/oamoaamtap.jks
oaam.uio.oam.tap.keystoreFile=C:\\Oracle\\Middleware\\keystore\\TAP_OAAM_OAM\\TAPkeystore.jks
oaam.uio.oam.tap.keystoreType=JCEKS
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.tap.username.maxlength=40

#Access Server host machine name. For example, host.oracle.com
oaam.uio.oam.host=deepak-pc.mydomain.com
#Access Server Authentication Port (NAP Port); Default port :  5575
oaam.uio.oam.port=5575
#Webgate Prefered host identifier. Default value is IAMSuiteAgent
oaam.uio.oam.webgate_id=IAMSuiteAgent
#Name of the secondary Access Server host machine. This property is used for high availability. You can specify the fail-over hostname using this property.
oaam.uio.oam.secondary.host=
#Port number of the secondary Access Server. This property is used for high availability. You can specify the fail-over port using this property.
oaam.uio.oam.secondary.host.port=
#Security Mode - 1 (OPEN), 2 (SIMPLE), 3 (CERT)
oaam.uio.oam.security.mode=1
#Location of the Keystorefile generated for root certificate. Requires for SIMPLE (2) / CERT (2) Security mode. For multiple host OAAM Server installation make sure the file exists there in all the host in the mentioned location
oam.uio.oam.rootcertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks
#Location of the Keystore file generated for private key certificate. Requires for SIMPLE (2) / CERT (2) Security mode. For multiple host OAAM Server installation make sure the file exists there in all the host in the mentioned location
oam.uio.oam.privatekeycertificate.keystore.filepath=C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain\\output\\webgate-ssl\\oamclient-truststore.jks

#This property enables configuring credentials in the Credential Store Framework instead of maintaining them using the properties editor. This step is performed so that credentials can be securely stored in CSF.
oaam.oam.csf.credentials.enabled=true





Run setupOAMTapIntegration (Sample Output for reference)






C:\TEMP\cli>setupOAMTapIntegration.cmd c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
"Using COMMON_COMPONENTS_HOME as c:\Oracle\Middleware , set in COMMON_COMPONENTS_HOME in environment to override."
"Using JRF_VERSION_PROP as  , set in JRF_VERSION_PROP in environment to override."
"Enter Application Server Type, please select one of the following choices between [1-2]:"
"1: Weblogic Application Server"
"2: Websphere Application Server"
Enter Application Server Type: 1
Enter Weblogic Server Home Directory  for e,g c:\Oracle\Middleware\wlserver_10.3
C:\Oracle\Middleware\wlserver_10.3
c:\Java\jdk1.6.0_45\bin\java  "-Dcommon.components.home=" "-Djrf.version=" -Djava.security.policy=conf\jmx.policy -classpath .;.\conf;C:\TEMP\cli\lib\
commons-codec-1.2.jar;C:\TEMP\cli\lib\drools-base-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-core-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-io-2.0-beta-21.ja
r;C:\TEMP\cli\lib\drools-java-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-jsr94-2.0-beta-21.jar;C:\TEMP\cli\lib\drools-smf-2.0-beta-21.jar;C:\TEMP\cli\lib\
janino-2.0.16.jar;C:\TEMP\cli\lib\jsr94.jar;C:\TEMP\cli\lib\oaam_core.jar;C:\TEMP\cli\lib\oaam_uio.jar;c:\Oracle\Middleware\oracle_common\modules\orac
le.jps_11.1.1\jps-manifest.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-api.jar;c:\Oracle\Middleware\oracle_common\modules\ora
cle.jps_11.1.1\jps-common.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-internal.jar;c:\Oracle\Middleware\oracle_common\modules
\oracle.iau_11.1.1\fmw_audit.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;c:\Oracle\Middleware\oracle_common\module
s\oracle.idm_11.1.1\identitystore.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.osdt_11.1.1\osdt_xmlsec.jar;c:\Oracle\Middleware\oracle_common
\modules\oracle.pki_11.1.1\oraclepki.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jacc-spi.jar;c:\Oracle\Middleware\oracle_common\
modules\oracle.dms_11.1.1\dms.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.odl_11.1.1\ojdl.jar;c:\Oracle\Middleware\oracle_common\oui\jlib\xm
lparserv2.jar;c:\Oracle\Middleware\modules\glassfish.jaxb.xjc_1.0.0.0_2-1-12.jar;c:\Oracle\Middleware\modules\glassfish.jaxb_1.0.0.0_2-1-12.jar;c:\Ora
cle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-az-rt.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-ee.jar;c:\Oracle
\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-se.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-platform.jar;c:\Oracle
\Middleware\oracle_common\modules\oracle.jps_11.1.1\jps-az-management.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.igf_11.1.1\identitydirecto
ry.jar;c:\Oracle\Middleware\oracle_common\modules\oracle.ldap_11.1.1\ldapjclnt11.jar;C:\Oracle\Middleware\wlserver_10.3\server\lib\wlclient.jar;C:\Ora
cle\Middleware\wlserver_10.3\server\lib\wljmxclient.jar;c:\Oracle\Middleware\modules\com.bea.core.apache.commons.collections_3.2.0.jar;c:\Oracle\Middl
eware\modules\com.bea.core.antlr_2.7.7.jar;c:\Oracle\Middleware\modules\javax.servlet_1.0.0.0_2-5.jar;c:\Oracle\Middleware\oracle_common\modules\oracl
e.toplink_11.1.1\eclipselink.jar;c:\Oracle\Middleware\modules\com.oracle.toplink_1.1.0.0_11-1-1-6-0.jar;c:\Oracle\Middleware\modules\javax.persistence
_1.1.0.0_2-0.jar;c:\Oracle\Middleware\modules\glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar;c:\Oracle\Middleware\modules\glassfish.jaxb_1.1.0.0_2-1-14.jar  or
acle.oaam.integration.asa.IntegrationUtil setupOAMTapIntegration readfromfile=c:\TEMP\cli\conf\bharosa_properties\oaam_cli.properties
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...
30/04/2014 2:52:56 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()
Enter OAAM AdminServer User Name: weblogic
30/04/2014 2:53:12 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredentialsFromConsole()

Enter OAAM AdminServer Password:
DB Credentials are found in CSF store, do you want to overwrite it?
Enter 'Yes' to give new DB credentials and overwrite in CSF store:
Yes
Enter OAAM DB User name and press Enter key :
DEV_OAAM
Enter OAAM DB User password and press Enter key :


30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addPasswordCredentialToCSF()
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential() with passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.addCredential(): using MBeans on Weblogic...
Added Password Credential to CSF with MapName [oaam], KeyName [oaam_db_key]
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using passed in properties...
30/04/2014 2:53:59 PM oracle.oaam.common.util.CSFUtil
INFO: CSFUtil.getCredential(): using MBeans on Weblogic...

Enter OAM TAP Key store file password and press Enter key :

30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory
INFO: Creating new instance of UserDefEnumFactory
30/04/2014 2:54:12 PM com.bharosa.common.util.UserDefEnumFactory


Responses given








1
C:\Oracle\Middleware\wlserver_10.3
weblogic
password1
Yes
DEV_OAAM
password
password












                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                  
Login to OAM Console and change the Authentication Scheme to TAPScheme for webgate11g_1 Application Domain

Update webgate11g_1 Application Domain to use TAPScheme in its Authentication Policy Protected Resource Policy











                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                  
Try to access the protected resource on web server instance1.






                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                  
User is redirected to OAAM Server for authentication









Enter Password







Setup Knowledge based Authentication









Register Device Image

































Set your Security Question and Answers













                                                                                                                                                                                                                                                                                
                                                                                                                                                       
Login Successful






                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                 

                                                                                                                                                                  
Next Time you Login you will be asked password and one random question as security challenge

























Comments

Post a Comment

Popular posts from this blog

OIM 11g Custom ADF Application Development

-
Image
In this post , I will cover the steps required to create a custom ADF web application. What this application does is facilitate Account Claim Process. Users has been migrated from some other IAM product to OIM and exist in disabled state and hence cannot login to perform Self Service operations. User needs to identify themselves by providing their personal details like personal identification number, zip code and dob etc. After successfully Identifying themselves they will be able to set a new password and set their challenge questions and answers. During this process the application will activate their account and set the new password and QnA. At the end of the process, they will be able to login OIM with their new password set. The application has been developed using JDeveloper using ADF technology to render user interfaces and MVC design pattern to keep the concerns separate. Application Structure                                                                                  
Read more

Oracle Identity Manager (OIM) Interview Questions

-
This is my 100th post on my blog and in this post, I will list down interview questions on OIM. This post will always be work in progress as I keep appending this list with more and more questions. Please find the list of questions below :-) What are the new features in PS3 ? What are the differences between PS2 and PS3 ? How do you identify rogue account creation in target system ? What is the high level architecture of OIM 11g ? List out difference between OIM 9.1 and 11g and possibly 11gR2 What are the new features in 11gR2 PS2 , PS3 How do you save multi-valued attribute in process form and how the linking happens between process form & child form ,   1 child form per multi valued attribute Can we still use entity adapters in OIM 11g What is pluginservice in oim 11g/  What is the orchestration service in oim 11g. what is the difference between entity match found  and process match found ? what are service accounts in oim ? why remote manager is used ? What is a c
Read more

OIM 11g R2 PS2 : SOA Approval Workflow Sample

-
Image
In this post I am posting the sample code for a sample SOA approval workflow. Some of the features that this workflow addresses are Approval to Manager or Role Owners is dynamic based on the custom OIM system property "approval-condition". Value is set either "AND" or "OR". Manager or Role Owner can be set to be notified only with no approval required. In this case only email is sent to notify them but no approval is required from them. Custom OIM system property are created to address this.   manager-notify-only = TRUE or FALSE  TRUE = only notify the manager no approval request sent. FALSE = notify the manager and send an approval request.   roleowner-notify-only = TRUE or FALSE  TRUE = only notify the role owner no approval request sent. FALSE = notify the role owner and send an approval request. Third Level System Notification was required but it should be dynamic.  Custom OIM system property are created to address this sysadmin-noti
Read more