www.oraclefusion4all.com
oraclefusion4all@gmail.com
+91 7757044929
or
info@ora
*************************************************************
Timing : 7 AM IST - 8.30 AM IST, 6 days a week, only Monday (US :EST - 9.30 PM 11 PM EST) total duration - 55+ hours, 40-45 classes
OIM Dev : 5.30 AM IST to 7 AM IST schedule ?
Infra : H/W - 12-16GB RAM, i3 2nd Gen, HDD - 50-60 GB
L/RHEL 5.8 - 4 recorded sessions, Support
Course Agenda :
Approach - bottom up.
Pre-req : https://www.youtube.com/watch?v=sbVIEQgrU2k
Note : For learning purposes, use the same password everywhere - Oracle123
1) Installation
OIM/OAM 11.1.2.2
#Certification Matrix - bible for installation of FMW Products - "oim 11.1.2.2 certification matrix" or "oam 11.1.2.2 certification matrix"
1. DB 11.2.0.1
A) Install
#xhost +
#su - oracle
$cd /stage/database
./runInstaller
B) Create the DB
$dbca
#Tune the DB
C) Create Listener
$netca
D) Tune the DB #Tuning - OIM/OAM
4 parameters
1. open_cursors :
2. processes
:
3. sessions
05
1000
1000
:
Processes+? = 11
Middleware Home
/d01/Weblogic/FMW/wlserver_10.3 = WLS_HOME
Mechanis
Swing ba
Legacy A
s :
=> Identity Governance Suite : OIM, OIA-30%, OPAM+OIN
=> Access Management Suite :
#LDAP Servers
=> DB Security - DBA
=> Cloud Security - SOA 12c - OWSM Policy Manager
A.
xhost +
su - weblogic
cd /stage/soa11.1.1.7/Disk1
./runInstaller
/stage/jdk1.6.0_35/
Oracle_SOA1
Oracle BPEL PM, Mediator, Rules, B2B, Human Workflow
Oracle Business Activity Monitoring (BAM)
Oracle Enterprise Manager
Apply 11 interim patches on top of SOA for OIM.
Where are the 11 patches? :
cd /stage/iamSuite_11.1.2.2/Disk1
ls
OIM_11.1.2.2_SOAPS6_PREREQS.zip
mkdir -p /stage/SOA_INTERIM_PATCHES
unzip -d /stage/SOA_INTERIM_PATCHES OIM_11.1.2.2_SOAPS6_PREREQS.zip
cd /stage/SOA_INTERIM_PATCHES/SOAPATCH
How do we apply the patches? :
cd /stage/SOA_INTERIM_PATCHES/SOAPATCH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_SOA1/
export PATH=$ORACLE_HOME/OPatch:$PATH
opatch lsinventory
opatch napply
opatch lsinventory
#soaSuite 11.1.1
xhost +
su - weblogic
cd /stage/ohs11.1.1.6/Disk1
./runInstaller
Oracle_WT1
Oracle Process Manager Notification (OPMN)
Oracle HTTP Server (OHS)
Oracle Web Cache
8. OAM OHS Webgate 11.1.2.2
xhost +
su - weblogic
cd /stage/webgate_ohs_11.1.2.2/Disk1/
./runInstaller
/stage/jdk1.6.0_35/
Oracle_OAMWebGate11gR2
OAM OHS webgate
9. OUD 11.1.2.2
(OID-{Replication Topology},[ODS-DB Schema], ODSEE-{Larger User Base}[ApplicationServer], OVD)
OUD- Standalone J2EE app, {Replication Topology},{1 billion user entries}, Create virtual profiles(feature of OVD).
xhost +
su - weblogic
cd /stage/OUD_11.1.2/Disk1/
./runInstaller
/stage/jdk1.6.0_35/
Node 2)
===========
2) Configuration & Integration pre-req : DB + Listener to be up and running.
A) Configure OID/OVD and ODSM(J2ee App, Application Server)
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/Oracle_IDM1/bin
./config.sh
1) Create a domain
oid_ovd_instance1 and IDMDomain(AdminServer, wls_ods1[ODSM])
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
export MW_HOME=/d01/Weblogic/FMW/
export JAVA_HOME=/stage/jdk1.6.0_35
export PATH=$JAVA_HOME/bin:$PATH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_IAM1
export IDM_HOME=/d01/Weblogic/FMW/Oracle_IDM1
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -preConfigIDStore input_file=/stage/scripts/extend.props
2) Create OIM Specific user/group schema in OID
#xelsysadm/Oracle123
cd /stage/scripts_apps/
vi oim.props
IDSTORE_HOST : idm.oraclefusion4all.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP: OIMAdministrators
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/stage/scripts_apps/oim.props
AD,OUD, ODSEE)
ile.rsp
IDSTORE_HOST : idm.oraclefusion4all.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
IDSTORE_OAMSOFTWAREUSER: oamLDAP
IDSTORE_OAMADMINUSER: oamadmin
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -prepareIDStore mode=OAM input_file=/stage/scripts/preconfigOAMPropertyFile.rsp
Checkpoint : OID(OUD, AD, ODSEE) can be integrated with OIM and OAM.
C) OVD - create adapter and understand OVD business context.
Checkpoint : OID via OVD(optional) can be integrated with OIM and OAM.
==
C) Create IAMDomain (AdminServer, oim_server1, soa_server1, oam_server1)
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/oracle_common/common/bin
./config.sh
=> Create a new domain
=> OIM, OAM
Imp Note : You must not start AdminServer, soa_server1, oam_server1 at this point of time.
Observation : AdminServer,soa_server1 ===>OPSS(nothing)=> servers will fail.
#specific to 11.
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/oracle_common/common/bin/
./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m create -p <OPSS Schema Password>
validate :
./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m validate
Observation : AdminServer,soa_server1 ===>OPSS(Internal Audit Store, Credential Store)=> servers startup will succeed.
Note : now you can start AdminServer, soa_server1 in sequential order.
Note : optionally, in order to start the AS or MS in background, proactively create the boot.properties file.
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain
mkdir -p servers/AdminServer/security
mkdir -p servers/oim_server1/security
mkdir -p servers/oam_server1/security
mkdir -p servers/soa_server1/security
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/AdminServer/security
vi boot.properties
username=weblogic
password=Oracle123
cp boot.properties ../../oim_server1/security/
cp boot.properties ../../oam_server1/security/
cp boot.properties ../../soa_server1/security/
Server life cycle : http://docs.oracle.com/cd/E13222_01/wls/docs81/adminguide/overview_lifecycle.html
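The notes put the password into boot.properties in cleartext and then copy the file to each managed server. WebLogic rewrites the values in encrypted form on the server's first start, but until then the file is a readable credential, so it should be created owner-only rather than left to the umask. The following Python script is an added example (not part of the course material): it writes the four files with mode 0600 and audits a domain directory for copies that are group- or world-readable. The domain path, the server list and the temporary directory used by demo() are this example's own assumptions.

```python
import os
import stat
import tempfile

# Servers from the notes; the domain directory is passed in so the functions
# can be exercised against a throw-away directory instead of /d01.
SERVERS = ["AdminServer", "oim_server1", "oam_server1", "soa_server1"]


def write_boot_properties(domain_dir, username, password, servers=SERVERS):
    """Create servers/<name>/security/boot.properties for each server.

    The file is opened with mode 0600 (owner read/write only) from the start
    instead of relying on the umask, because it holds the cleartext password
    until WebLogic replaces it with the encrypted form on first boot.
    """
    written = []
    for server in servers:
        security_dir = os.path.join(domain_dir, "servers", server, "security")
        os.makedirs(security_dir, exist_ok=True)
        path = os.path.join(security_dir, "boot.properties")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(f"username={username}\npassword={password}\n")
        # O_CREAT's mode only applies to newly created files; tighten existing ones too.
        os.chmod(path, 0o600)
        written.append(path)
    return written


def is_group_or_world_readable(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_boot_properties(domain_dir):
    """Return the domain-relative path of every boot.properties others can read."""
    findings = []
    servers_dir = os.path.join(domain_dir, "servers")
    for server in sorted(os.listdir(servers_dir)):
        path = os.path.join(servers_dir, server, "security", "boot.properties")
        if os.path.isfile(path) and is_group_or_world_readable(path):
            findings.append(os.path.relpath(path, domain_dir))
    return findings


def demo():
    """Constructed run in a temporary directory standing in for the IAMDomain."""
    domain_dir = tempfile.mkdtemp(prefix="IAMDomain_")
    written = write_boot_properties(domain_dir, "weblogic", "Oracle123")
    before = audit_boot_properties(domain_dir)
    os.chmod(written[1], 0o644)  # simulate a copy made under a permissive umask
    after = audit_boot_properties(domain_dir)
    return {"written": len(written), "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run the audit again after the servers have started once: the files should still be 0600, and their contents should by then be encrypted rather than the literal password.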
F) Start AdminServer, soa_server1
ycle.
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/bin
nohup ./startWebLogic.sh &
tail -f nohup.out
nohup ./startManagedWebLogic.sh soa_server1 &
tail -f nohup.out
G) Configure OIM
#LDAPSync
http://idm.oraclefusion4all.com:14000/sysadmin
3. Design Console
#only 'System Administrator' will have access to it and mainly developers use this.
#xhost +
su - weblogic
===
One time activity
cd /d01/Weblogic/FMW/wlserver_10.3/server/lib
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
java -jar wljarbuilder.jar
cp wlfullclient.jar /d01/Weblogic/FMW/Oracle_IAM1/designconsole/ext/
===
cd /d01/Weblogic/FMW/Oracle_IAM1/designconsole/
./xlclient.sh
SOA
1. SOA-INFRA
http://idm.oraclefusion4all.com:8001/soa-infra/
weblogic/Oracle123
2. BPM Worklist app
http://idm.oraclefusion4all.com:8001/integration/worklistapp
weblogic/Oracle123
3. SOA Composer
#Disconnected Resources/Disconnected Application Instances
http://idm.oraclefusion4all.com:8001/soa/composer
weblogic/Oracle123
http://idm.oraclefusion4all.com:7001/em
http://idm.oraclefusion4all.com:7001/console
B) LDAP Sync :
<= OAM
ctory Server'
C) Connector Bundle : 31+ Applications Connectors
D) Install Connector - OUD -> LDAP(OID-11.1.1.6.0)
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
1. Copy the connector bundle to Connector Default Directory
copy "OID-11.1.1.6.0" folder to
/d01/Weblogic/FMW/Oracle_IAM1/server/ConnectorDefaultDirectory
OUD instances (trusted source and target application) :
Hostname : idm.oraclefusion4all.com
port : 1389
Admin : cn=Directory Manager
password : Oracle123
Base DN : dc=trusted,dc=com
Users : 2000
ure Access.
/d01/Weblogic/FMW/asinst_2
Hostname : idm.oraclefusion4all.com
port : 2389
Admin : cn=Directory Manager
password : Oracle123
Base DN : dc=target,dc=com
Users : 0
1. Trusted IT Resource
baseContexts : "dc=trusted,dc=com"
Configuration Lookup : Lookup.LDAP.OUD.Configuration.Trusted
credentials : Oracle123
failover :
host : idm.oraclefusion4all.com
port : 1389
principal : cn=Directory Manager
ssl : false
2. TargetAppITResource
baseContexts : "dc=target,dc=com"
Configuration Lookup : Lookup.LDAP.OUD.Configuration
credentials : Oracle123
failover :
host : idm.oraclefusion4all.com
port : 2389
principal : cn=Directory Manager
ssl : false
G) Trusted Reconciliation
Pre-req : Connector for trusted app must be installed and IT Resource to
Connect to the trusted application must be there.
HRMS - Create, Modify(Horizontal/vertical) and Delete
2 Jobs :
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => *Trusted*
ce)
TResource)
H) Provisioning Configuration
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
1. Create Sandbox
#Sandboxes allow you to isolate and experiment with customizations without affecting other users' environments.
2. Create Application Instance (Specific to each target application - it is a collection of IT Resource[Connection Object to target application] and Resource Object[LDAP User, AD User - specific to Connector])
3. Using the Form Designer create object form and reflect it in Application Instance.
4. Publish the sandbox
5. Lookup Configuration and verification
Scheduler => LDAP Connector OU Lookup Reconciliation(TargetAppITResource)
1. Direct/Manual Provisioning
Use case : On an ad-hoc basis provision the user to the target application. Only users that are part of the System Administrators role can do this.
2. Auto or Criteria based Provisioning
Use Case : User Provisioning to Email Server
Use Case : Based on any user attribute, provision the user to the target application.
e.g. Any User having org = finance and Country = US, then provision the user to the target application.
Steps :
http://idm.oraclefusion4all.com:14000/oim
xelsysadm/Oracle123
1. Create a Role
2. Create Membership Rule on top of the Role
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Access Policies =>
3. Create Access Policy (Role[s] + Resource[s])
4. If needed run Scheduled Job - "Evaluate User Policies"
Observe life cycle.
Requester
Beneficiary
Catalog Item
Beneficiary's Management Line
Operational Level Management Line
6. Route Slip[weblogic]
SOA Level : 2 workflow
A) Request Level WF : Beneficiary's Management Line
B) Operational Level WF : Operational Level Management Line
Note : OIM Developer(SOA) will provide the SOA Composites(RL, OL) Jars.
Deploy the 2 composites/jars(RL, OL)
http://idm.oraclefusion4all.com:7001/em
weblogic/Oracle123
soa-infra - deploy
OIM Level :
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Approval Policies
licy
visioning
Use Case : For critical resources, before auto provisioning happens make approval mandatory.
A) Modify the access policy(Role+Resource+With Approval = Yes)
B) Create 2 sets of Approval Policies based on request type - "Access Policy Based Application Instance Provisioning"
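To make the criteria-based flow concrete, here is an added Python example (not from the course) that mimics what the role membership rule, the access policy and the "Evaluate User Policies" job do together, including the "With Approval = Yes" variant from the use case just above: matching users are collected into the role, the policy maps the role to resources, and resources behind an approval-flagged policy become pending requests instead of direct provisioning. The users, rule, role name, resource names and policy structure are constructed sample data, not OIM's own data model.

```python
# Constructed sample users; attribute names follow the use case in the notes
# (org = finance and Country = US).
USERS = [
    {"login": "jdoe",   "org": "finance", "country": "US"},
    {"login": "asmith", "org": "finance", "country": "IN"},
    {"login": "bwong",  "org": "hr",      "country": "US"},
]

# Role -> membership rule: every attribute/value pair must match.
ROLE_RULES = {
    "Finance US": {"org": "finance", "country": "US"},
}

# Access policies: Role(s) + Resource(s), optionally With Approval.
ACCESS_POLICIES = [
    {"name": "Finance US -> OUD target", "roles": {"Finance US"},
     "resources": {"OUD Target User"}, "with_approval": False},
    {"name": "Finance US -> server room", "roles": {"Finance US"},
     "resources": {"Server Room Biometric Access Card"}, "with_approval": True},
]


def rule_matches(rule, user):
    """A membership rule is a conjunction of attribute equalities."""
    return all(user.get(attr) == value for attr, value in rule.items())


def roles_for(user, role_rules=ROLE_RULES):
    """Roles the user qualifies for under the membership rules."""
    return {role for role, rule in role_rules.items() if rule_matches(rule, user)}


def evaluate_user_policies(users, role_rules=ROLE_RULES, policies=ACCESS_POLICIES):
    """Per user: derive roles, then apply every access policy whose role set
    intersects the user's roles. Policies flagged With Approval yield pending
    requests; the others yield direct provisioning."""
    results = {}
    for user in users:
        roles = roles_for(user, role_rules)
        provision, pending = set(), set()
        for policy in policies:
            if roles & policy["roles"]:
                bucket = pending if policy["with_approval"] else provision
                bucket.update(policy["resources"])
        results[user["login"]] = {
            "roles": sorted(roles),
            "provision": sorted(provision),
            "pending_approval": sorted(pending),
        }
    return results


if __name__ == "__main__":
    for login, outcome in evaluate_user_policies(USERS).items():
        print(login, outcome)
```

Changing a user's org or country and re-running the evaluation shows why the job has to be re-run (or triggered) after attribute changes: role membership, and with it the provisioning decision, is recomputed from the attributes rather than stored once.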
Life Cycle :
5. Proxy :
=> If the Approver User is on leave, he/she can set someone else as Approver User.
=> A Proxy can not set another user as proxy for the set duration.
=> Multiple proxies are allowed without any conflict in date.
rces
itable
Server Room Biometric Access Card
-> Management Approval
-> Operational Approval
-> Fulfilment Approval and handover.
http://idm.oraclefusion4all.com:14000/sysadmin/
xelsysadm/Oracle123
A) Create Sandbox
B) Create Disconnected Application Instance
C) Extend the Form with User and Device Specific Tags.
D) Publish the sandbox.
Note : If the Disconnected App instance does not reflect in the Catalog, run the Catalog Sync Job.
Note: optionally modify the approval policies.
E) Using SOA Composer modify the Fulfilment User/Role based on business need.
http://idm.oraclefusion4all.com:8001/soa/composer
weblogic/Oracle123
Open Task => Open DisconnectedProvisioning Rule.
Life Cycle
7. Bulk Load
=> Users, Account Data, Roles, Role Membership, Role Hierarchy, Role Categories.
=> .csv file or DB table.
cd /d01/Weblogic/FMW/Oracle_IAM1/server/db/oim/oracle/Utilities/oimbulkload
cd scripts/
./oim_blkld.sh
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
/u01/app/oracle/product/11.2.0/dbhome_1/
//idm.oraclefusion4all.com:1521/IDMDB11g
8. Entitlement Configuration
=> What a Role is to OIM, an entitlement is to the target application.
=> A group(s) on the target application is nothing but an entitlement in OIM.
=> Responsibilities(Ebiz) are also entitlements.
=> Entitlements are always associated with an Application Instance.
====
This step is for learning purpose :
cd /stage/scripts
vi OUD_TargetEntitlement.ldif
dn: cn=Groups,dc=target,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Accounts Payable Administrator,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=Accounts Payable User,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=BI Publisher Users,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=San Francisco Users,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

Step 2. Create groups in OUD, using LDIF file
cd /d01/Weblogic/FMW/asinst_2/OUD/bin
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
./ldapmodify -a -h idm.oraclefusion4all.com -p 2389 -D "cn=Directory Manager" -q -f /stage/scripts/OUD_TargetEntitlement.ldif
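Before loading an LDIF like the one above into the target OUD it is worth checking it offline, because every group that lands under the base context will later be reconciled into OIM as an entitlement that can be requested and assigned. The following Python script is an added example (not part of the course): a minimal LDIF parser, a validator that checks the group entries against the base DN, and a helper that lists the group names the Group Lookup Reconciliation job will surface as entitlements. The embedded sample LDIF copies the four groups above; the validation rules themselves are this example's own assumptions.

```python
# Sample LDIF, constructed to match the groups created in the notes.
SAMPLE_LDIF = """\
dn: cn=Groups,dc=target,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Accounts Payable Administrator,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=Accounts Payable User,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=BI Publisher Users,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=San Francisco Users,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com
"""


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse simple attribute: value LDIF into [{'dn': ..., 'attrs': {name: [values]}}]."""
    entries, current = [], None
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            if current:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def _normalize(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under_base(dn, base_dn):
    dn, base = _normalize(dn), _normalize(base_dn)
    return dn == base or dn.endswith("," + base)


def validate_groups(entries, base_dn):
    """Return a list of problems; an empty list means the file is safe to load."""
    problems, seen = [], set()
    for entry in entries:
        dn = entry["dn"]
        if _normalize(dn) in seen:
            problems.append(f"duplicate dn: {dn}")
        seen.add(_normalize(dn))
        if not _under_base(dn, base_dn):
            problems.append(f"dn outside {base_dn}: {dn}")
        classes = {c.lower() for c in entry["attrs"].get("objectclass", [])}
        if "groupofuniquenames" in classes:
            members = entry["attrs"].get("uniquemember", [])
            if not members:
                problems.append(f"group without members: {dn}")
            for member in members:
                if not _under_base(member, base_dn):
                    problems.append(f"member outside {base_dn}: {member}")
    return problems


def entitlement_names(entries):
    """Group RDN values, i.e. the names reconciled into OIM as entitlements."""
    names = []
    for entry in entries:
        classes = {c.lower() for c in entry["attrs"].get("objectclass", [])}
        if "groupofuniquenames" in classes:
            rdn = entry["dn"].split(",", 1)[0]
            names.append(rdn.split("=", 1)[1])
    return names


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(validate_groups(parsed, "dc=target,dc=com"))
    print(entitlement_names(parsed))
```

Point the script at the real file (read it and pass the text to parse_ldif) before running ldapmodify; a non-empty problem list from validate_groups is the cue to fix the LDIF rather than load it.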
===
Populate(create/modify/delete) the entitlements in OIM specific to the target application :
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => "*Group Lookup Reconciliation"(Provide IT Resource)
1. LDAP Connector Group Lookup Reconciliation(TargetAppITResource)
1.1. Entitlement List
1.2. Entitlement Assignments
2. Entitlement Post Delete Processing Job
9.
OIM 9i
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Attestation Configuration => Create Attestation Process
(User Scope, Resource Scope[Resource Objects & Roles], Schedule, Reviewer, Process Owner)
Life Cycle = ?
===
To kickstart : http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => Initiate Attestation Processes
===
2. Certification - OIA, 11.1.2 = No certification, 11.1.2.1 = Certification, 11.1.2.2 = Enhanced Certification
=> How to enable Certification ?
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
System Configuration => "Display Certification or Attestation"
Value = Certification or Attestation or Both
Restart the OIM Server and observe the certification features(enabled) in OIM Consoles.
=> Certification Features :
A) Set Risk Level, certifier user for all catalog items.
B) Set certifier user at organization level.
B1) Risk Configuration & Certification Configuration are used in Certification Definition.
C) Certification Definition => Scheduled Job => Invoke the certification Process SOA Composite.
D) Certification Configuration
= #Bug
F) Offli
10.
Diagnostic Dashboard
deploy the Application :
cd /d01/Weblogic/FMW/Oracle_IAM1/server/webapp/optional
ls
XIMDD.ear
http://idm.oraclefusion4all.com:7001/console
weblogic/Oracle123
Deployments => XIMDD.ear (As an application, targeting towards AdminServer,oim_server1,soa_server1).
http://idm.oraclefusion4all.com:14000/XIMDD
xelsysadm/Oracle123
xelsysadm/Oracle123
11. Target/Account Reconciliation
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => *User Search*
conciliation
tion
ed on target app.
zations.
14. Organizational Security : ?
15. OIM Auditing and reporting
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/audit.htm#OMADM3017
A) OIM Auditing Works = http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/img/component.gif
B) OIM Audit Level = What level of audit data needs to be captured.
http://idm.oraclefusion4all.com:14000/sysadmin/
xelsysadm/Oracle123
System Configuration => "User profile audit data collection level"
Value : Process Task
6. Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.
5. Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.
4. Resource: Audits the user record, role membership, and resource provisioning.
3. Membership: Only audits the user record and role membership.
2. Core: Only audits the user record.
1. None: No audit is stored.
#templates
copy the templates zip file to BI Node.
scp oim_product_BIP11gReports_11_1_2_2_0.zip weblogic@bi:/tmp/OIMReportTemplates
On BI Publisher Node :
cd /tmp/OIMReportTemplates
ls
oim_product_BIP11gReports_11_1_2_2_0.zip
http://bi.raje.com:9704/xmlpserver/
weblogic/Oracle123
Catalog => Shared Folder
=> There are no OIM reports
1. Populate the reports
A) unzip the reports zip file to /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/
unzip -d /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/ /tmp/OIMReportTemplates/oim_product_BIP11gReports_11_1_2_2_0.zip
B) in BI Console :
http://bi.raje.com:9704/xmlpserver
weblogic/Oracle123
Administration > Server Configuration
Verify => BI Publisher repository : /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository
Click on => "Upload to BI Presentation Catalog"
2. Populate data in the reports
http://bi.raje.com:9704/xmlpserver
weblogic/Oracle123
Administration => JDBC Connection
Add Data Source
1. OIM JDBC : DEV_OIM
2. BPEL JDBC : DEV_SOAINFRA