Oracle Identity & Access Management 11.1.2.2 - 100% practical.

Intro : Rajesh, www.oraclefusion4all.com


*************************************************************
Contact Details :
Visit Us : www.oraclefusion4all.com
Email Us : oraclefusion4all@gmail.com or info@oraclefusion4all.com
Call Us : +91 7757044929
*************************************************************
Timing : 7 AM IST - 8.30 AM IST, 6 days a week, only Monday (US : EST - 9.30 PM - 11 PM EST), total duration - 55+ hours, 40-45 classes
OIM Dev : 5.30 AM IST to 7 AM IST schedule ?
Infra : H/W - 12-16GB RAM, i3 2nd Gen, HDD - 50-60 GB
=> VirtualBox Image - OEL/RHEL 5.8 - 4 recorded sessions, Support
2 users : oracle, weblogic
/d01 : all IDM products
/u01 : only DB
/stage : All products

Course Agenda :
Approach - bottom up.
Pre-req : https://www.youtube.com/watch?v=sbVIEQgrU2k
Note : For learning purpose use same password - Oracle123
1) Installation
OIM/OAM 11.1.2.2
#Certification Matrix - bible for installation of FMW Products - "oim 11.1.2.2 certification matrix" or "oam 11.1.2.2 certification matrix"
1. DB 11.2.0.1
A) Install
#xhost +
#su - oracle
$cd /stage/database
$./runInstaller
B) Create the DB
$dbca
#Tune the DB
C) Create Listener
$netca
D) Tune the DB #Tuning - OIM/OAM
4 parameters
1. open_cursors : 1000
2. processes : 1000
3. sessions : 1105 (Processes + ? = 1105; Oracle derives sessions as (1.1 * processes) + 5)
4. DB Character Set : AL32UTF8

Checkpoint : DB is ready for RCU.
2. RCU 11.1.2.2
pre-req : DB and listener must be up and running.
A schema in the DB is also called a DB user; a schema is a collection of DB objects (table, sp, func, a...).
30 schema, 71894 - objects.
RCU -> create schema for FMW Components
#xhost +
su - oracle
cd /stage/rcu11.1.2.2/rcuHome/bin
./rcu
Select below components :
1) OID - ods
2) OIM - DEV_OIM, DEV_MDS, DEV_OPSS, DEV_SOAINFRA, DEV_ORASDPM
3) OAM - DEV_OAM, DEV_IAU
=> 41 schema, 77672 - objects.
Checkpoint : DB is fully ready with all schema for configuration & integration phase.
==
3. Weblogic 10.3.6 using [Custom JDK 1.6 Update 35+] - Application Server/Container - JDBC, JMS..
#xhost +
su - weblogic
cd /stage
ls
wls1036_generic.jar (2 JDK - Sun, JRockit - 32bit - 4 GB JVM HeapSize); instead use Custom JDK (Sun, JRockit - 64bit => upto 32GB JVM Heap Size)
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
java -version
which java
java -jar wls1036_generic.jar
/d01/Weblogic/FMW = Middleware Home
/d01/Weblogic/FMW/wlserver_10.3 = WLS_HOME
4. IDM Suite 11.1.1.7 (OID/OVD...)
xhost +
su - weblogic
cd /stage/idmSuite11.1.1.7/Disk1
./runInstaller
oracle_common : all product reference.
Oracle_IDM1 :
Oracle Internet Directory : built in C, LDAP Server.
Oracle Directory Integration Platform : ODIP is used for LDAP Servers Sync (AD <===> OID)
Oracle Virtual Directory : Virtualization, Integrate any datasource - LDAP Servers, DB Table, WebService.
Oracle Identity Federation : Facebook(ABC Ent Group[1,2,3,4...]) => ABC Ent(1,2,3,4...) ==> Federated/Cross Domain SSO
Oracle HTTP Server : Internal OVD and OIF
Oracle Directory Service Manager : J2EE App, to manage OVD/OID
Enterprise Manager : Control OID/OVD..
5. IAM Suite 11.1.2.2 (OIM/OAM)
xhost +
su - weblogic
cd /stage/iamSuite_11.1.2.2/Disk1
./runInstaller
/stage/jdk1.6.0_35/
Oracle_IAM1
Oracle Identity Manager Server : J2EE App, internal threats, prevents unwarranted access, Access Control Mechanism, Review System.
Oracle Identity Manager Design Console : Swing based OIM Client
Oracle Identity Manager Remote Manager : Legacy App (Cobol, Fortran - does not support any protocol)
Oracle Access Manager : SSO
Oracle Identity Navigator : Part of OPAM.
Oracle Adaptive Access Manager : Bharosa, Banking sector
Oracle Access Management Mobile and Social : Mobile - Android, iOS, Social - FB, TW, Google, LI
Oracle Privileged Account Manager : OPAM+OIN => Shared Passwords (Linux, sysdba privileges)
Oracle Entitlement Server : inbuilt in OIM - Organizational Security.

Oracle Security Solutions :
=> Identity Governance Suite : OIM, OIA-30%, OPAM+OIN
=> Access Management Suite : OAM, OAAM, OIF, eSSO(H/W tokens)
=> Directory Services Suite : OID, ODSEE, OVD, OUD #LDAP Servers
=> DB Security - DBA
=> Cloud Security - SOA 12c - OWSM Policy Manager
6. SOA Suite 11.1.1.7
#4 main features of OIM, dependent on SOA.
xhost +
su - weblogic
cd /stage/soa11.1.1.7/Disk1
./runInstaller
/stage/jdk1.6.0_35/
Oracle_SOA1
Oracle BPEL PM, Mediator, Rules, B2B, Human Workflow
Oracle Business Activity Monitoring (BAM)
Oracle Enterprise Manager
Apply 11 interim patches on top of SOA for OIM.
Where are the 11 patches? :
cd /stage/iamSuite_11.1.2.2/Disk1
ls
OIM_11.1.2.2_SOAPS6_PREREQS.zip
mkdir -p /stage/SOA_INTERIM_PATCHES
unzip -d /stage/SOA_INTERIM_PATCHES OIM_11.1.2.2_SOAPS6_PREREQS.zip
cd /stage/SOA_INTERIM_PATCHES/SOAPATCH
How do we apply the patches? :
cd /stage/SOA_INTERIM_PATCHES/SOAPATCH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_SOA1/
export PATH=$ORACLE_HOME/OPatch:$PATH
opatch lsinventory
opatch napply
opatch lsinventory
#11 interim patches
Checkpoint : Oracle_SOA1 is fully ready for OIM.

7. OHS 11.1.1.6 #webserver
#soaSuite 11.1.1.7, ohs 11.1.1.7 oracle_common
xhost +
su - weblogic
cd /stage/ohs11.1.1.6/Disk1
./runInstaller
Oracle_WT1
Oracle Process Manager Notification (OPMN)
Oracle HTTP Server (OHS)
Oracle Web Cache
8. OAM OHS Webgate 11.1.2.2
xhost +
su - weblogic
cd /stage/webgate_ohs_11.1.2.2/Disk1/
./runInstaller
/stage/jdk1.6.0_35/
Oracle_OAMWebGate11gR2
OAM OHS webgate
9. OUD 11.1.2.2
(OID-{Replication Topology},[ODS-DB Schema], ODSEE-{Larger User Base}[ApplicationServer], OVD)
OUD - Standalone J2EE app, {Replication Topology}, {1 billion user entries}, Create virtual profiles (feature of OVD).
xhost +
su - weblogic
cd /stage/OUD_11.1.2/Disk1/
./runInstaller
/stage/jdk1.6.0_35/

10. OBIEE 11.1.1.7


xhost +
su - weblogic
cd /stage/*/Disk1
./runInstaller
High Availability : 99.99%
===================
Node 1) Linux 64bit
Node 2) Linux 64bit
A) Same OS version, patches, Directory Structure, users, group must be same
B) Node 1 and Node 2 must have the same timestamp (NTP(DNS) Server - Sync all node's timestamp from NTP Server)
C) All product version must be same, all Oracle Home names must be same including MW_HOME Path.
===========
2) Configuration & Integration pre-req : DB + Listener to be up and running.
A) Configure OID/OVD and ODSM(J2ee App, Application Server)
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/Oracle_IDM1/bin
./config.sh
1) Create a domain
oid_ovd_instance1 and IDMDomain(AdminServer, wls_ods1[ODSM])
Note : if doing cluster setup, select the "Clustered" CheckBox.
*2) Extend Existing Domain : Later point if any of the product is needed - OIF, ODIP
*3) Expand Cluster : Need to run on Node2
4) Configure without a domain : oid_ovd_instance1
note : For custom ports, go to : /stage/idmSuite11.1.1.7/Disk1/stage/Response, staticports.ini, copy this file and modify for custom ports.
OID OVD Instance : /d01/Weblogic/FMW/oid_ovd_instance1
ODSM Application : /d01/Weblogic/FMW/user_projects/domains/IDMDomain
http://idm.oraclefusion4all.com:7005/odsm
ODSM is a J2EE App and it is an Oracle 'LDAP Client' for OID, OVD, OUD.
Note : For data browsing in LDAP Server, alternatively one can also use an LDAP Client like JXplorer - http://jxplorer.org/downloads/users.html
B) Work on OID(AD, OUD, ODSEE) - extend the schema, proactively create OIM/OAM Specific users/groups in OID.
#We are going to prepare the OID(OUD, AD, ODSEE) so that OID can be integrated with OIM and OAM.
1) Extend the OID Schema #instead of OID, it could be AD, ODSEE, OUD etc.
Note : Directory Server doesn't have required attributes, object classes and matching rules to support or accommodate the OIM users.
su - weblogic
cd /stage/scripts_apps/
vi extend.props
#OID Specific
IDSTORE_HOST : idm.oraclefusion4all.com
IDSTORE_PORT :3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
export MW_HOME=/d01/Weblogic/FMW/
export JAVA_HOME=/stage/jdk1.6.0_35
export PATH=$JAVA_HOME/bin:$PATH
export ORACLE_HOME=/d01/Weblogic/FMW/Oracle_IAM1
export IDM_HOME=/d01/Weblogic/FMW/Oracle_IDM1
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -preConfigIDStore input_file=/stage/scripts/extend.props
2) Create OIM Specific user/group schema in OID
#xelsysadm/Oracle123
cd /stage/scripts_apps/
vi oim.props
IDSTORE_HOST : idm.oraclefusion4all.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE:cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP:OIMAdministrators
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -prepareIDStore mode=OIM input_file=/stage/scripts_apps/oim.props

3) Create OAM Specific user/group schema in OID(AD, OUD, ODSEE)
#oamadmin/Oracle123
vi /stage/scripts/preconfigOAMPropertyFile.rsp
IDSTORE_HOST : idm.oraclefusion4all.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=com
IDSTORE_SEARCHBASE: dc=oid,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN:OAMAdministrators
IDSTORE_OAMSOFTWAREUSER:oamLDAP
IDSTORE_OAMADMINUSER:oamadmin
cd /d01/Weblogic/FMW/Oracle_IAM1/idmtools/bin
./idmConfigTool.sh -prepareIDStore mode=OAM input_file=/stage/scripts/preconfigOAMPropertyFile.rsp
Checkpoint : OID(OUD, AD, ODSEE) can be integrated with OIM and OAM.
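Before handing one of these property files to idmConfigTool.sh, it is worth a quick sanity check so that a mistyped DN or port fails here rather than half-way through the directory update. The script below is an added example, not part of the course notes or any Oracle tool; it assumes the "KEY : value" layout used above and the key names of the preConfigIDStore, OIM and OAM runs, and write_sample_props is a constructed helper whose group search base is deliberately wrong to show the check firing.

```shell
#!/bin/sh
# Added example (not from the course notes): sanity-check an idmConfigTool
# property file such as extend.props / oim.props before running
# idmConfigTool.sh -preConfigIDStore / -prepareIDStore.
# Assumed file format: one "KEY: value" or "KEY : value" per line.

# Print the value of KEY ($2) from FILE ($1); empty if absent.
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Return 0 if DN $1 sits under DN $2 (spaces after commas ignored), else 1.
dn_under() {
    child=$(printf '%s' "$1" | sed 's/, */,/g')
    parent=$(printf '%s' "$2" | sed 's/, */,/g')
    case "$child" in
        *",$parent") return 0 ;;
        *) return 1 ;;
    esac
}

# Validate FILE ($1) for MODE ($2: preconfig, OIM or OAM). Prints each
# problem found and returns the number of problems (0 = file looks usable).
check_idstore_props() {
    file=$1; mode=$2; problems=0
    required="IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN IDSTORE_USERNAMEATTRIBUTE"
    required="$required IDSTORE_LOGINATTRIBUTE IDSTORE_USERSEARCHBASE"
    required="$required IDSTORE_GROUPSEARCHBASE IDSTORE_SEARCHBASE IDSTORE_SYSTEMIDBASE"
    case "$mode" in
        OIM) required="$required POLICYSTORE_SHARES_IDSTORE IDSTORE_OIMADMINUSER IDSTORE_OIMADMINGROUP" ;;
        OAM) required="$required POLICYSTORE_SHARES_IDSTORE OAM11G_IDSTORE_ROLE_SECURITY_ADMIN IDSTORE_OAMSOFTWAREUSER IDSTORE_OAMADMINUSER" ;;
    esac
    for key in $required; do
        if [ -z "$(prop_get "$file" "$key")" ]; then
            echo "missing: $key"; problems=$((problems + 1))
        fi
    done
    port=$(prop_get "$file" IDSTORE_PORT)
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'"; problems=$((problems + 1)) ;;
    esac
    # Every container the tool writes into must lie under the search base.
    base=$(prop_get "$file" IDSTORE_SEARCHBASE)
    for key in IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE IDSTORE_SYSTEMIDBASE; do
        val=$(prop_get "$file" "$key")
        if [ -n "$val" ] && [ -n "$base" ] && ! dn_under "$val" "$base"; then
            echo "$key ($val) is not under IDSTORE_SEARCHBASE ($base)"
            problems=$((problems + 1))
        fi
    done
    shares=$(prop_get "$file" POLICYSTORE_SHARES_IDSTORE)
    if [ -n "$shares" ] && [ "$shares" != true ] && [ "$shares" != false ]; then
        echo "POLICYSTORE_SHARES_IDSTORE must be true or false, got '$shares'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: the oim.props values from the notes, with the group
# search base typed under the wrong suffix (dc=org) to show the check firing.
write_sample_props() {
    cat > "$1" <<'EOF'
IDSTORE_HOST : idm.oraclefusion4all.com
IDSTORE_PORT : 3060
IDSTORE_BINDDN : cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE:cn=Users,dc=oid,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=oid,dc=org
IDSTORE_SEARCHBASE: dc=oid,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=oid,dc=com
IDSTORE_OIMADMINUSER: oimadmin
IDSTORE_OIMADMINGROUP:OIMAdministrators
EOF
}
```

Run it as `check_idstore_props /stage/scripts_apps/oim.props OIM` (or `preconfig` for extend.props, `OAM` for the .rsp file) and only proceed to idmConfigTool.sh when it prints nothing and returns 0.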
C) OVD - create adapter and understand OVD business context.

Checkpoint : OID via OVD(optional) can be integrated with OIM and OAM.
==
C) Create IAMDomain (AdminServer, oim_server1, soa_server1, oam_server1)
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/oracle_common/common/bin
./config.sh
=> Create a new domain
=> OIM, OAM
Imp Note : You must not start AdminServer, soa_server1, oam_server1 at this point of time.
Observation : AdminServer, soa_server1 ===> OPSS(nothing) => servers will fail.
D) Upgrade OPSS Schema #specific to 11.1.2.2
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/oracle_common/bin
./psa
OPSS
E) Create DB security Store
#xhost +
su - weblogic
cd /d01/Weblogic/FMW/oracle_common/common/bin/
./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m create -p <OPSS Schema Password>
validate :
./wlst.sh /d01/Weblogic/FMW/Oracle_IAM1/common/tools/configureSecurityStore.py -d /d01/Weblogic/FMW/user_projects/domains/IAMDomain/ -c IAM -m validate
Observation : AdminServer, soa_server1 ===> OPSS(Internal Audit Store, Credential Store) => servers startup will succeed.
Note : now you can start AdminServer, soa_server1 in sequential order.
Note : optionally, in order to start the AS or MS in background, proactively create the boot.properties file.
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain
mkdir -p servers/AdminServer/security
mkdir -p servers/oim_server1/security
mkdir -p servers/oam_server1/security
mkdir -p servers/soa_server1/security
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/servers/AdminServer/security
vi boot.properties
username=weblogic
password=Oracle123
cp boot.properties ../../oim_server1/security/
cp boot.properties ../../oam_server1/security/
cp boot.properties ../../soa_server1/security/
Server life cycle : http://docs.oracle.com/cd/E13222_01/wls/docs81/adminguide/overview_lifecycle.html
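The boot.properties file holds the username and password in clear text until the server's first start rewrites them encrypted, so the file should never be readable by other OS users on the node. The following is an added example (not from the course notes or WebLogic) that creates the file for all four servers in one go with mode 0600 and then checks that no boot.properties under the domain is exposed; it assumes the domain directory already exists, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the course notes): create boot.properties for each
# server of a WebLogic domain without leaving the credentials readable by
# other users. WebLogic encrypts username/password on the server's first
# start; until then the file holds them in clear text, hence mode 0600.

# create_boot_properties DOMAIN_DIR USER PASSWORD SERVER...
# Writes DOMAIN_DIR/servers/<SERVER>/security/boot.properties (mode 0600).
create_boot_properties() {
    domain_dir=$1; user=$2; pass=$3; shift 3
    old_umask=$(umask)
    umask 077            # new files: owner read/write only
    for server in "$@"; do
        sec_dir="$domain_dir/servers/$server/security"
        mkdir -p "$sec_dir"
        # printf rather than echo so a password with backslashes survives
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$sec_dir/boot.properties"
        chmod 600 "$sec_dir/boot.properties"
    done
    umask "$old_umask"
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# find_exposed_boot_properties DOMAIN_DIR
# Lists every boot.properties under the domain that is readable by group or
# others (mode other than 600/400); returns 1 if any was found, else 0.
find_exposed_boot_properties() {
    found=0
    for f in "$1"/servers/*/security/boot.properties; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        case "$mode" in
            600|400) ;;
            *) echo "$f has mode $mode"; found=1 ;;
        esac
    done
    return "$found"
}
```

For the IAMDomain of the notes: `create_boot_properties /d01/Weblogic/FMW/user_projects/domains/IAMDomain weblogic Oracle123 AdminServer oim_server1 oam_server1 soa_server1`, then `find_exposed_boot_properties /d01/Weblogic/FMW/user_projects/domains/IAMDomain` should print nothing.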
F) Start AdminServer, soa_server1 #understand server lifecycle.
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/bin
nohup ./startWebLogic.sh &
tail -f nohup.out
nohup ./startManagedWebLogic.sh soa_server1 &
tail -f nohup.out

G) Configure OIM #LDAPSync
Pre-req : DB + Listener + oid_ovd_instance + AdminServer + soa_server1
cd /d01/Weblogic/FMW/Oracle_IAM1/bin
./config.sh
Enable LDAP Sync : LDAP sync synchronizes Oracle Identity Manager users, roles, role membership and role hierarchy to a LDAP directory. Any direct changes in the directory will be reconciled back to Oracle Identity Manager.
Choice : you can start Node Manager and then start any managed server from admin console, or using script
1) Node Manager :
cd /d01/Weblogic/FMW/wlserver_10.3/server/bin/
nohup ./startNodeManager.sh &
or
2)
cd /d01/Weblogic/FMW/user_projects/domains/IAMDomain/bin
nohup ./startManagedWebLogic.sh oim_server1 &
tail -f nohup.out
===
Checkpoint : Configuration & integration phase has provided DB + listener + oid_ovd_instance1 + IAMDomain(AdminServer, soa_server1, oim_server1)
==================================================================
3) OIM Administration
A) Consoles/Interface :
OIM :
1. Identity/OIM console : All Enterprise users will have access to this console
http://idm.oraclefusion4all.com:14000/identity/
or
http://idm.oraclefusion4all.com:14000/oim
xelsysadm/Oracle123
2. Sysadmin console : Only members of 'System Administrator' Role will have access to this console
http://idm.oraclefusion4all.com:14000/sysadmin
3. Design Console #only 'System Administrator' will have access to it and mainly developers use this.
#xhost +
su - weblogic
===
One time activity
cd /d01/Weblogic/FMW/wlserver_10.3/server/lib
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
java -jar wljarbuilder.jar
cp wlfullclient.jar /d01/Weblogic/FMW/Oracle_IAM1/designconsole/ext/
===
cd /d01/Weblogic/FMW/Oracle_IAM1/designconsole/
./xlclient.sh
SOA :
1. SOA-INFRA #All composite list
http://idm.oraclefusion4all.com:8001/soa-infra/
weblogic/Oracle123
2. BPM Worklist app #in OIM this is INBOX
http://idm.oraclefusion4all.com:8001/integration/worklistapp
weblogic/Oracle123
3. SOA Composer #Disconnected Resources/Disconnected Application Instances
http://idm.oraclefusion4all.com:8001/soa/composer
weblogic/Oracle123
http://idm.oraclefusion4all.com:7001/em
http://idm.oraclefusion4all.com:7001/console
B) LDAP Sync : <= OAM
Business Context : HRMS(2000) => OIM(2000) === OVD[OID/AD-2000]
#1. Manually 2. Trusted Recon 3. Bulk Load 4. OAM
what : LDAP sync synchronizes OIM users, roles, role membership, new user registration and role hierarchy to a LDAP directory. Any direct changes in the directory will be reconciled back to Oracle Identity Manager.
How : Sysadmin Console => IT Resource => 'Directory Server'
Troubleshooting : Sysadmin Console => IT Resource => 'Directory Server'
C) Connector Bundle : 31+ Applications Connectors
D) Install Connector - OUD -> LDAP(OID-11.1.1.6.0)
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
1. Copy the connector bundle to Connector Default Directory
copy "OID-11.1.1.6.0" folder to /d01/Weblogic/FMW/Oracle_IAM1/server/ConnectorDefaultDirectory
Manage Connector = Install
Note : In case connector fails to install, follow : http://oraclefusion4all.blogspot.in/2015/03/connector-installation-fails-in-oim-11g.html
Note : Broken Pipe - Could be due to corrupt binaries.
1. Configuration of Connector Libraries
2. Import of Connector XML Files (Using Deployment Manager)
3. Compilation of Adapter Definitions
E) In real environment, it is not needed. #By default Target Applications and trusted application will be there.
1. Prepare OUD Instance 1 as trusted application.
#xhost +
#su - weblogic
cd /d01/Weblogic/FMW/Oracle_OUD1/
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
./oud-setup
/d01/Weblogic/FMW/asinst_1
Hostname : idm.oraclefusion4all.com
port : 1389
Admin : cn=Directory Manager
password : Oracle123
Base DN : dc=trusted,dc=com
Users : 2000
Note : In LDAP Browser provide the connection details and observe the data.
2. Prepare OUD Instance 2 as target application.
#xhost +
#su - weblogic
cd /d01/Weblogic/FMW/Oracle_OUD1/
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
./oud-setup #Enable LDAP Secure Access.
/d01/Weblogic/FMW/asinst_2
Hostname : idm.oraclefusion4all.com
port : 2389
Admin : cn=Directory Manager
password : Oracle123
Base DN : dc=target,dc=com
Users : 0
Note : In LDAP Browser provide the connection details and observe the data.
Checkpoint : Trusted App(Simulated HRMS system with 2000 users) and Target Application(0 users) is in place.
======
F) Create IT Resource #Connection objects to trusted application and target applications.
#Note : In real environment, the connection details will be supplied by HRMS Admin or target applications admin, with the help of connector documentation.
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
IT Resource
1. TrustedAppITResource
baseContexts : "dc=trusted,dc=com"
Configuration Lookup : Lookup.LDAP.OUD.Configuration.Trusted
Connector Server Name :
credentials : Oracle123
failover :
host : idm.oraclefusion4all.com
port : 1389
principal : cn=Directory Manager
ssl : false

2. TargetAppITResource
baseContexts : "dc=target,dc=com"
Configuration Lookup : Lookup.LDAP.OUD.Configuration
Connector Server Name :
credentials : Oracle123
failover :
host : idm.oraclefusion4all.com
port : 2389
principal : cn=Directory Manager
ssl : false
G) Trusted Reconciliation
Pre-req : Connector for trusted app must be installed and IT Resource to connect to the trusted application must be there.
HRMS - Create, Modify(Horizontal/vertical) and Delete
2 Jobs :
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => *Trusted*
1. LDAP Connector Trusted User Reconciliation(TrustedAppITResource) #Create/Modify
2. LDAP Connector Trusted User Delete Reconciliation(TrustedAppITResource) #Delete or Rogue Users
H) Provisioning Configuration
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
1. Create Sandbox #Sandboxes allow you to isolate and experiment with customizations without affecting other users' environments.
2. Create Application Instance (Specific to each target application - it is a collection of IT Resource[Connection Object to target application] and Resource Object[LDAP User, AD User - specific to Connector])
3. Using the Form Designer create object form and reflect it in Application Instance.
4. Publish the sandbox
5. Lookup Configuration and verification
Scheduler => LDAP Connector OU Lookup Reconciliation(TargetAppITResource)
1. Direct/Manual Provisioning
Use case : On Ad-hoc basis provision the user to target application. Only users part of System Administrators role can do this.
2. Auto or Criteria based Provisioning
Use Case : User Provisioning to Email Server
Use Case : Based on any user attribute, provision the user to the target application.
e.g. Any User having org = finance and Country = US then provision the user to target application.
Steps :
http://idm.oraclefusion4all.com:14000/oim
xelsysadm/Oracle123
1. Create a Role
2. Create Membership Rule on top of the Role
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Access Policies =>
3. Create Access Policy (Role[s] + Resource[s])
4. if needed run Scheduled Job - "Evaluate User Policies"
Observe life cycle.

3. Request Based Provisioning
Entities :
1. Requester
2. Beneficiary
3. Catalog Item
4. Beneficiary's Management Line
5. Operational Level Management Line
6. Route Slip[weblogic]
SOA Level : 2 workflow
A) Request Level WF : Beneficiary's Management Line
B) Operational Level WF : Operational Level Management Line
Note : OIM Developer(SOA) will provide the SOA Composites(RL, OL) Jars.
Deploy the 2 composites/jars(RL, OL)
http://idm.oraclefusion4all.com:7001/em
weblogic/Oracle123
soa-infra - deploy
OIM Level :
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Approval Policies
A) Request Level Approval Policy => Request Level WF : Beneficiary's Management Line
B) Operational Level Approval Policy => Operational Level WF : Operational Level Management Line
Note : Each request type(OIM operation e.g. : Provision Application Instance) may have 2 levels - Request Level and Operational Level
Observe the Life Cycle :
=========
Disable 2 properties : Reset Password and set security questions.
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
System Configuration =>
Disable Force Password Change and Force set security questions.
=========
4. Combine Request Based provisioning with Auto Provisioning
Use Case : For critical resources, before auto provisioning happens make approval mandatory.
A) Modify the access policy(Role+Resource+With Approval = Yes)
B) Create 2 set of Approval Policies based on request type - "Access Policy Based Application Instance Provisioning"
Life Cycle :
5. Proxy :
=> If Approver User is on leave, he/she can set someone else as Approver User.
=> Proxy can not set another user as proxy for the set duration.
=> Multiple proxies are allowed without any conflict in date.
6. Disconnected Application Instances/Disconnected Resources
#Extension of request based provisioning.
e.g. - Any critical H/W device - Requestable/Auditable
Server Room Biometric Access Card
-> Management Approval
-> Operational Approval
-> Fulfilment Approval and handover.
http://idm.oraclefusion4all.com:14000/sysadmin/
xelsysadm/Oracle123
A) Create Sandbox
B) Create Disconnected Application Instance
C) Extend the Form with User and Device Specific Tags.
D) Publish the sandbox.
Note : If Disconnected App inst does not reflect in Catalog, run the Catalog Sync Job.
Note : optionally modify the approval policies.
E) Using SOA Composer modify the Fulfilment User/Role based on business need.
http://idm.oraclefusion4all.com:8001/soa/composer
weblogic/Oracle123
Open Task => Open DisconnectedProvisioning Rule.
Life Cycle
7. Bulk Load
=> Users, Account Data, Roles, Role Membership, Role Hierarchy, Role Categories.
=> .csv file or DB table.
cd /d01/Weblogic/FMW/Oracle_IAM1/server/db/oim/oracle/Utilities/oimbulkload
cd scripts/
./oim_blkld.sh
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
/u01/app/oracle/product/11.2.0/dbhome_1/
//idm.oraclefusion4all.com:1521/IDMDB11g
8. Entitlement Configuration
=> What Role is to OIM, entitlement is to the target application.
=> A group(s) on target application is nothing but entitlement in OIM.
=> Responsibilities(Ebiz) are also entitlement.
=> Entitlements are always associated with Application Instance.
====
This step is for learning purpose :
cd /stage/scripts
vi OUD_TargetEntitlement.ldif
# one blank line between entries, as ldapmodify expects
dn: cn=Groups,dc=target,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Accounts Payable Administrator,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=Accounts Payable User,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=BI Publisher Users,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

dn: cn=San Francisco Users,cn=Groups,dc=target,dc=com
cn: staticGroup
objectClass: top
objectClass: groupOfUniqueNames
uniquemember: cn=USER.1000,ou=People,dc=target,dc=com

Step 2. Create groups in OUD, using LDIF file
cd /d01/Weblogic/FMW/asinst_2/OUD/bin
export JAVA_HOME=/stage/jdk1.6.0_35/
export PATH=$JAVA_HOME/bin:$PATH
./ldapmodify -a -h idm.oraclefusion4all.com -p 2389 -D "cn=Directory Manager" -q -f /stage/scripts/OUD_TargetEntitlement.ldif
===
Populate(create/modify/delete) the entitlements in OIM specific to target application :
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => "*Group Lookup Reconciliation"(Provide IT Resource)
1. LDAP Connector Group Lookup Reconciliation(TargetAppITResource)
1.1. Entitlement List
1.2. Entitlement Assignments
2. Entitlement Post Delete Processing Job
9. Review System (periodically review the system access for various users)
1. Attestation - OIM 9i
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Attestation Configuration => Create Attestation Process (User Scope, Resource Scope[Resource Objects & Roles], Schedule, Reviewer, Process Owner)
Life Cycle = ?
===
To kickstart : http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => Initiate Attestation Processes
===
2. Certification - OIA, 11.1.2 = No certification, 11.1.2.1 = Certification, 11.1.2.2 = Enhanced Certification
=> How to enable Certification ?
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
System Configuration => "Display Certification or Attestation"
Value = Certification or Attestation or Both
Restart the OIM Server and observe the certification features(enabled) in OIM Consoles.
=> Certification Features :
A) Set Risk Level, certifier user for all catalog items.
B) Set certifier user at organization level.
B1) Risk Configuration & Certification Configuration are used in Certification Definition.
C) Certification Definition => Scheduled Job => Invoke the certification Process Soa Composite.
D) Certification Configuration
=> Multi phase certification
=> Offline Certification
=> Closed Loop Remediation #bug - need BP04 = OIM 11.1.2.2.4
E) Event Listeners = #Bug
F) Offline Certification #Bug need genuine Excel plugin from Support.
Note : Certifier Role at catalog items not supported till OIM 11.1.2.4
Note : if you change risk configuration from default, always run scheduled job => 'Risk Aggregation Job'
10. Diagnostic Dashboard
deploy the Application :
cd /d01/Weblogic/FMW/Oracle_IAM1/server/webapp/optional
ls
XIMDD.ear
http://idm.oraclefusion4all.com:7001/console
weblogic/Oracle123
Deployments => XIMDD.ear (As an application, targeting towards AdminServer, oim_server1, soa_server1).
http://idm.oraclefusion4all.com:14000/XIMDD
xelsysadm/Oracle123
11. Target/Account Reconciliation
http://idm.oraclefusion4all.com:14000/sysadmin
xelsysadm/Oracle123
Scheduler => *User Search*
A) LDAP Connector User Search Delete Reconciliation #If account of the OIM user is deleted on target app
B) LDAP Connector User Search Reconciliation #If account of the OIM user is modified or created on target app.
12. Deployment Manager - Export/Import
13. Password Policies => are always applicable to Organizations.
14. Organizational Security : ?
15. OIM Auditing and reporting
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/audit.htm#OMADM3017
A) OIM Auditing Works = http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/img/component.gif
B) OIM Audit Level = What level of audit data need to be captured.
http://idm.oraclefusion4all.com:14000/sysadmin/
xelsysadm/Oracle123
System Configuration => "User profile audit data collection level"
Value : Process Task
6. Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.
5. Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.
4. Resource: Audits the user record, role membership, and resource provisioning.
3. Membership: Only audits the user record and role membership.
2. Core: Only audits the user record.
1. None: No audit is stored.
C) OIM integration with BI Publisher
2 things required : 1. templates 2. data need to be populated in these templates.
On OIM Node :
cd /d01/Weblogic/FMW/Oracle_IAM1/server/reports
ls
oim_product_BIP11gReports_11_1_2_2_0.zip #templates
copy the templates zip file to BI Node.
scp oim_product_BIP11gReports_11_1_2_2_0.zip weblogic@bi:/tmp/OIMReportTemplates
On BI Publisher Node :
cd /tmp/OIMReportTemplates
ls
oim_product_BIP11gReports_11_1_2_2_0.zip
http://bi.raje.com:9704/xmlpserver/
weblogic/Oracle123
Catalog => Shared Folder => There are no OIM reports
1. Populate the reports
A) unzip the reports zip file to /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/
unzip -d /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/ /tmp/OIMReportTemplates/oim_product_BIP11gReports_11_1_2_2_0.zip
B) in BI Console :
http://bi.raje.com:9704/xmlpserver
weblogic/Oracle123
Administration > Server Configuration
Verify => BI Publisher repository : /d01/weblogic/FMW/user_projects/domains/bifoundation_domain/config/bipublisher/repository
Click on => "Upload to BI Presentation Catalog"
2. Populate data in the reports
http://bi.raje.com:9704/xmlpserver
weblogic/Oracle123
Administration => JDBC Connection
Add Data Source
1. OIM JDBC : DEV_OIM
2. BPEL JDBC : DEV_SOAINFRA
Administration > Server Configuration
Click on => "Upload to BI Presentation Catalog"
=> 8 types of OIM reports with Data.
16. Organizational Security
"Need to know basis" - PSFT HRMS App - Application Instance, Entitlements, Roles.
====
4) OAM Administration -