
How To Integrate Oracle Identity Manager and Oracle Access Manager

Video Tutorial

In this post I will show you how to integrate Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) on Oracle Linux 6.7. After this integration, OAM will be able to use OIM's user profile and password management functionalities.

Please watch the video for detailed explanation and demo of integration steps.

Benefits Of OIM-OAM Integration

  • User & Password Management Capabilities
  • Forgot Password & Forgot User ID
  • Challenge Questions & Answers
  • Self Registration
  • Profile Management

Integration Prerequisites

  • LDAP Synchronization
  • Wlfullclient Jar File Creation
    • Navigate to Weblogic Home and execute below commands to create wlfullclient.jar file

Integration Overview

OIM OAM Integration Steps

Integration Steps

  • Make sure below environment variables are set

  • Create “extendOAMPropertyFile” with below contents

  • Navigate to IDM Tools directory and execute below command

  • Create “preconfigOAMPropertyFile” with below contents

  • Navigate to IDM Tools directory and execute below command

  • Create “preconfigOIMPropertyFile” with below contents

  • Navigate to IDM Tools directory and execute below command

  • Create “preconfigWLSPropertyFile” with below contents

  • Navigate to IDM Tools directory and execute below command

  • Create “preconfigFAPropertyFile” with below contents

  • Navigate to IDM Tools directory and execute below command

  • Create “OAMconfigPropertyFile” with below contents

  • Navigate to IDM Tools directory and execute below command

  • Create “OIMconfigPropertyFile” with below contents

  • Navigate to IDM Tools directory and execute below command

  • Remove default IAM Suite Agent from Weblogic Security Providers
    • Log in to the Weblogic Administration Console
    • Navigate to Security Realms – myrealm – Providers.
    • Select IAMSuiteAgent and click delete
    • Save and activate changes
  • Restart Weblogic Admin Server & all Managed Servers

OHS Front End Configuration

  • Navigate to OHS instance directory and create oiam.conf file under moduleconf

  • Make sure oiam.conf file is included in httpd.conf
  • Copy ObAccessClient.xml & cwallet.sso to the Webgate config directory

  • Restart OHS

Validating Integration

  • Log in to the OIM & OAM consoles using the URLs below

  • Please check out the video for a demo of user and profile management capabilities in integrated environment.

That's it! You now have an integrated Oracle Identity Manager & Oracle Access Manager environment, and you have seen a demo of the various user & profile management functionalities added by the integration.

Hope you found this post helpful. If you have any questions please post in the comments section. Please watch my video for detailed explanation and demo.

2016-12-08T18:20:42+00:00

About the Author:

I am a Senior Cloud Professional specialized in AWS Cloud with 11 years of IT experience. I am enthusiastic about Serverless Architecture. I am an expert in Oracle Fusion Middleware.

11 Comments

  1. Karthick May 14, 2016 at 11:56 AM - Reply

    Thank you !

  2. Federico June 10, 2016 at 8:20 PM - Reply

    Hi Prasad. This is one of my favorite videos. I would like to ask you if you think that an AWS Instance with 8GB RAM will be able to “move” this lab and some basic testing, or I should choose one with 16GB RAM. Last question is if you have some OVA or Virtual Machine with this lab (that would be really awesome)! Thanks a lot.

  3. Federico June 11, 2016 at 12:40 AM - Reply

    Hi Prasad, another blog entry already answered my previous question:

    “If you are running this on a Vmware with less than 12GB RAM, you might get out of memory exceptions. You can stop OAM related Managed Servers (WLS_OAM,WLS_OAMPM & WLS_OMSM) to free up some memory”

    Thanks,
    Federico

  4. Satheshkumar Napoleon July 6, 2016 at 6:35 PM - Reply

    Hi Prasad,

    While integrating OAM with OIM, I'm stuck with this issue. Can you help me sort this out?

    [oracle@den01ecd bin]$ ./idmConfigTool.sh -configOIM input_file=OIMconfigPropertyFile
    Enter oam11g domain admin user password :
    Enter sso access gate password :
    Enter mds db schema password :
    Enter idstore admin password :
    Enter admin server user password :
    Enter IDSTORE_WLS_ADMIN_USER Password :
    Connection to Directory failed: Invalid Bind credentials

    [I’ve used the same password for all execution using ./idmConfigTool.sh]

    I’ve installed OHS, Webgate in host A.
    OAM in host B.
    OIM & OUD in host C.

    [oracle@den01ecd bin]$
    [oracle@den01ecd bin]$ cat OIMconfigPropertyFile
    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: None
    ACCESS_SERVER_HOST: den01gco.us.oracle.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: Webgate_IDM
    COOKIE_DOMAIN: .oracle.com
    COOKIE_EXPIRY_INTERVAL: 120
    OAM_TRANSFER_MODE: Open
    WEBGATE_TYPE: ohsWebgate11g
    OAM_SERVER_VERSION: 11g
    OAM11G_WLS_ADMIN_HOST: den01gco.us.oracle.com
    OAM11G_WLS_ADMIN_PORT: 7001
    OAM11G_WLS_ADMIN_USER: weblogic
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 1389
    IDSTORE_HOST: den01ecd.us.oracle.com
    IDSTORE_DIRECTORYTYPE: OUD
    IDSTORE_ADMIN_USER: uid=oamLDAP,ou=SystemIds,dc=oracle,dc=com
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: ou=People,dc=oracle,dc=com
    IDSTORE_GROUPSEARCHBASE: ou=Groups,dc=oracle,dc=com
    MDS_DB_URL: jdbc:oracle:thin:@den01drx.us.oracle.com:1521/orcl
    MDS_DB_SCHEMA_USERNAME: PROD_MDS
    WLSHOST: den01ecd.us.oracle.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    DOMAIN_NAME: OIM_domain
    OIM_MANAGED_SERVER_NAME: oim_server1
    DOMAIN_LOCATION: /u01/app/Oracle/Middleware/user_projects/domains/OIM_domain/
    IDSTORE_WLSADMINUSER: weblogic_idm

  5. Satheshkumar Napoleon July 7, 2016 at 4:02 PM - Reply

    Basically I don’t know what are the passwords to be given and when we created those passwords.

    [oracle@den01ecd bin]$ ./idmConfigTool.sh -configOIM input_file=OIMconfigPropertyFile
    Enter oam11g domain admin user password :
    Enter sso access gate password :
    Enter mds db schema password :
    Enter idstore admin password :
    Enter admin server user password :
    Enter IDSTORE_WLS_ADMIN_USER Password :
    Connection to Directory failed: Invalid Bind credentials

    I don’t know where exactly I need to give the newly generated password in the above. And also I’m not asked to enter oamLDAP password for OIMCONFIG.

    Below is my understanding. Please correct me.

    Enter oam11g domain admin user password : [OAM Weblogic admin server password]
    Enter sso access gate password : [OAM Weblogic admin server password]
    Enter mds db schema password : [PROD_MDS Schema password]
    Enter idstore admin password : [Not sure which password to use. Is this /u01/app/Oracle/Middleware/my-oud-instance1/OUD/config/admin-keystore.pin ?? And can you tell me when we create password for this idstore admin?]
    Enter admin server user password : [Not sure which admin server and when I created this]

    Enter IDSTORE_WLS_ADMIN_USER Password : [using the password which I entered during creation of mode=WLS. weblogic_idm password
    [oracle@oraclelinux6 bin]$ ./idmConfigTool.sh -prepareIDStore mode=WLS input_file=preconfigWLSPropertyFile
    Enter ID Store Bind DN Password :
    Cannot connect to the OUD Admin connector
    *** Creation of Weblogic Admin User ***
    May 10, 2016 10:44:55 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/Oracle_OIAM//idmtools/templates/oud/oam_user_template.ldif
    Enter User Password for weblogic_idm:
    Confirm User Password for weblogic_idm:]

    P.S. I’ve just installed and configured OUD. I don’t have ODSM.

    • pdomala July 7, 2016 at 4:58 PM - Reply

      Enter oam11g domain admin user password : Weblogic Password for OIAM Domain
      Enter sso access gate password : Access Gate Password can be anything. This will be seeded into the agent that gets created during OIMConfig
      Enter mds db schema password : MDS Schema Password
      Enter idstore admin password : This is the admin user password of OUD/OID. For OUD it will be “cn=Directory Manager” password and for OID it will be “cn=orcladmin” password
      Enter admin server user password : Weblogic Password
      Enter IDSTORE_WLS_ADMIN_USER Password : This is weblogic_idm password

  6. Satheshkumar Napoleon July 7, 2016 at 7:18 PM - Reply

    Prasad, thanks for your response.

    All my passwords are same in my case. But not sure which one is wrong.
    Is there a way of finding which password is throwing the error as invalid in my case (“Connection to Directory failed: Invalid Bind credentials”)?
    Or what’s the best way?
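One way to answer the question above from the property file itself, as an added Python helper that is not the author's or Oracle's code: it parses the KEY: value file, flags settings that make -configOIM fail late with a vague error, and builds OpenLDAP ldapsearch commands that repeat the directory bind idmConfigTool attempts, so an "Invalid Bind credentials" failure can be reproduced (and each credential tried separately) outside the tool. The sample file, host names and DNs are constructed placeholders, and the leading-dot COOKIE_DOMAIN rule is an assumption drawn from the value shown in the comments.

```python
import shlex
from typing import Dict, List
# Constructed sample in the KEY: value layout of the OIMconfigPropertyFile shown in
# the comments; hosts and DNs are placeholders. COOKIE_DOMAIN deliberately lacks
# its leading dot so the checker has something to flag.
SAMPLE_PROPERTY_FILE = """\
COOKIE_DOMAIN: example.com
IDSTORE_HOST: oud.example.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_USER: uid=oamLDAP,ou=SystemIds,dc=example,dc=com
IDSTORE_USERSEARCHBASE: ou=People,dc=example,dc=com
IDSTORE_WLSADMINUSER: weblogic_idm
MDS_DB_SCHEMA_USERNAME: PROD_MDS
"""
REQUIRED = ("IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_ADMIN_USER",
            "IDSTORE_USERSEARCHBASE", "IDSTORE_WLSADMINUSER", "MDS_DB_SCHEMA_USERNAME")

def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'KEY: value' lines; blank lines and '#' comments are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # first ':' only; JDBC URLs keep theirs
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props

def check_properties(props: Dict[str, str]) -> List[str]:
    """Findings for settings that make -configOIM fail late with a vague error."""
    findings = [f"missing or empty {k}" for k in REQUIRED if not props.get(k)]
    if not props.get("IDSTORE_PORT", "").isdigit():
        findings.append("IDSTORE_PORT must be numeric")
    if not props.get("COOKIE_DOMAIN", ".").startswith("."):
        findings.append("COOKIE_DOMAIN should start with '.' (e.g. .example.com)")
    return findings

def bind_probe_commands(props: Dict[str, str]) -> List[str]:
    """OpenLDAP ldapsearch commands that repeat the bind idmConfigTool performs;
    -W prompts for the password so it never lands in shell history."""
    url = f"ldap://{props['IDSTORE_HOST']}:{props['IDSTORE_PORT']}"
    admin = shlex.quote(props["IDSTORE_ADMIN_USER"])
    base = shlex.quote(props["IDSTORE_USERSEARCHBASE"])
    wls = shlex.quote(f"(uid={props['IDSTORE_WLSADMINUSER']})")
    return [  # 1: does the admin DN bind at all?  2: did mode=WLS create the user?
        f"ldapsearch -H {url} -D {admin} -W -b '' -s base '(objectClass=*)'",
        f"ldapsearch -H {url} -D {admin} -W -b {base} -LLL {wls} dn"]
```

Run the two printed commands against the ID store host: if the first one already fails, the idstore admin DN or its password is the wrong one, independent of everything idmConfigTool asks for afterwards.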

  7. Satheshkumar Napoleon July 7, 2016 at 7:24 PM - Reply

    Just a brief on my setup.
    Host A -> OAM
    Host B -> OIM & OUD. [No ODSM]
    Host C -> OHS & Webgate

    When you say “Enter admin server user password : Weblogic Password”, is this OAM/OIM weblogic password or anything else?
    [Anyways In my case both the passwords are same]

  8. Pete Sandhu October 13, 2016 at 3:10 AM - Reply

    Hi Prasad, thanks for a great video!!! I do have a question. The Integration documentation says that we should use Split_Domain when integrating OIM and OAM. I understood that split domains means installing OAM and OIM in separate weblogic domains, each with its own Admin Server, but you are not installing it the same way. So, in my case the domain directories look like this: OIM - <$ORACLE_MIDDLEWARE_HOME$/user_projects/OIMDomain, OAM - <$ORACLE_MIDDLEWARE_HOME$/user_projects/OAMDomain. Is there something wrong with my understanding of what is meant by "Split_Domain"? Can OAM and OIM reside under the same domain as you have?

    • pdomala December 8, 2016 at 6:48 PM - Reply

      Hello

      Yes, OIM & OAM can run in the same domain. It's fine for non-prod / development environments. But Oracle strongly recommends putting these two in separate domains for production environments.

  9. Pradeep February 1, 2017 at 7:42 PM - Reply

    Hi Prasad,

    Webgate_IDM_11g folder was not generated in DOMAIN_HOME/output after all steps were executed successfully. Any idea where the issue could be?

    Thanks,
    Pradeep
