Configure OAM Domain


We are done with the installation of the binaries. Now it's time to configure the OAM domain.

Run config.sh located in <Middleware_Home>/wlserver_10.3/common/bin.


config.sh will check the Middleware directory and list all the available binaries/services which can be configured.

Select 'Oracle Access Management And Mobile Security Suite - 11.1.2.3.0 [Oracle_IDM1]' and a few services will automatically be selected. OAM uses those services in the background.



Enter the name of your domain along with the path of your domain and application location. I am using the default name and path.


Give the admin user name and password that will be used for the first startup and to access your server. Later you can change it or create more admin users.


Select the deployment mode and certified JDK


Fill in the database connection details along with the schema owner and password (the schema we created by running RCU). Select each component schema one at a time because the schema owners are different.


The connection to the schema will be checked using the schema owner name and password. A green tick as status means success. A red cross in status means the connection to that schema has failed. In case of failure, check 'Connection Result Logs' and try to connect to the same schema from the CLI or SQL Developer using the same schema owner and password.


Select 'Administration Server' and 'Managed Servers, Clusters and Machines'.


Fill in your Admin Server name, listening address and port. I am leaving it with default values.


Up to PS2, the OAM server took care of policy management, but from PS3 onward there is a dedicated Policy Manager server. OAM now needs a Policy Manager server to work. I am also configuring Oracle Mobile Security Manager server.

I am proceeding with single server instances. Later, we will extend this infrastructure to incorporate one more server instance.


Configure a cluster. With a single instance we can't leverage the advantages of a cluster.


Assign the servers from the left pane to the clusters created.


Create a machine.


Assign the servers from the left pane to the machines created in the above step.


Review the summary before clicking the Create button.




We are done configuring OAM domain but there is still one more step left before we proceed with the configuration of the database security store.

Oracle always recommends upgrading the Oracle Platform Security Services (OPSS) schema that you have created using RCU. OPSS is a separate product and most of the Oracle IDAM suite products use OPSS.

Launch "psa" from <Middleware_Home>/oracle_common/bin


Select Oracle Platform Security Services.


As OPSS handles core configurations of the product, it is always recommended to take backups before touching them. As this is a fresh setup and all the DB schemas are empty (we haven't run the configureSecurityStore.py script), I am selecting the checks and proceeding to the next step.


Give the connection details



As the product was launched recently along with the RCU, it is upgraded to the latest version. I will just proceed till the end of the flow.





Now to the last step: configuring the database security store. Running the configureSecurityStore.py script configures the domain to use a database security store. We will execute configureSecurityStore.py in WLST and pass the necessary parameters. The syntax is as follows:

<Middleware>/oracle_common/common/bin/wlst.sh <IAM_Home>/common/tools/configureSecurityStore.py \
    -d <domaindir> \
    -c IAM \
    -p <opss_schema_pwd> \
    -m create

Note: Only use 'IAM' to configure the security store.



Just to be sure, I will validate my security store by passing the validate parameter.

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m validate



I have seen a few cases where the 'configureSecurityStore.py' script errors out while configuring the DB security store. When they run the configureSecurityStore.py script with the create option, it errors out with some exception. In such scenarios:
- Run the above validate command. If it says the security store is not configured, then you can proceed with the create option again.
- But if it says validation successful, you can try starting the server, which is (most likely) bound to fail.
- Try running validate_fix. Use validate_fix to fix diagnostics data present in the Security Store.
- If all the above steps fail, then drop the schema by running RCU. Create a new schema again using the same RCU. Delete the domain, recreate it using config.sh and run the configureSecurityStore.py script.

When you create the domain, the configurations are stored in a flat file. By running the configureSecurityStore.py script, these configurations will be moved to the DB in encrypted form. If configureSecurityStore.py fails, the server will not come up or some deployment will fail.

Now we can start our OAM server.



You will notice that after the first startup a new folder, 'servers', has been created. All the runtime related files are cached and stored under this directory.

What if we delete this servers folder, what will happen then? Find it out yourself:
- Stop your Admin/Managed server.
- Delete the servers folder.
- Now, start the servers.

Thank you for reading.

OAM 11gR2 PS3 Installation.


Today we are going to install OAM 11.1.2.3.0. The high level steps include:

 - Installing and Setting up DB
 - Running RCU
 - Installing Weblogic
 - Installing OAM

Before proceeding with the installation you must go through the certification matrix and acquire the compatible binaries from e-delivery. Also check the JDK version and use the certified JDK based on the OS you are using. I am going to focus on OAM installation and will not discuss DB installation.

DB post installation

OAM 11gR2 PS3 is only supported with Oracle DB. You will find many blogs and videos which explain the DB installation process step by step. Post installation you need to alter the DB parameters below.

Log in to sqlplus with a user having sysdba privileges and run the commands below:

alter system set processes=500 scope=spfile;
alter system set open_cursors=1500 scope=spfile;
alter system set session_cached_cursors=500 scope=spfile;
alter system set session_max_open_files=50 scope=spfile;
alter system set aq_tm_processes=1 scope=spfile;
alter system set job_queue_processes=10 scope=spfile;
shut immediate;
startup;

This is the minimum configuration recommended by Oracle. Later, when your environment is ready, you need to do performance testing and fine tune your DB for maximum results.
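Because every change above is made with scope=spfile, it only takes effect after the restart. The query below is an added example, not part of the original post: it compares the running value and the spfile value of each parameter against the minimums listed above. It assumes a single-instance database and a session that can read v$parameter and v$spparameter.

```sql
-- Added example: verify the post-installation parameters after the restart.
-- Run in SQL*Plus as a user with SYSDBA privileges.
-- Assumption: single-instance database (one spfile row per parameter).
SET LINESIZE 120
COLUMN name          FORMAT A26
COLUMN running_value FORMAT A14
COLUMN spfile_value  FORMAT A14
COLUMN status        FORMAT A22

WITH required AS (
  -- Minimum values taken from the ALTER SYSTEM statements above
  SELECT 'processes' AS name, 500 AS min_value FROM dual UNION ALL
  SELECT 'open_cursors',           1500 FROM dual UNION ALL
  SELECT 'session_cached_cursors',  500 FROM dual UNION ALL
  SELECT 'session_max_open_files',   50 FROM dual UNION ALL
  SELECT 'aq_tm_processes',           1 FROM dual UNION ALL
  SELECT 'job_queue_processes',      10 FROM dual
)
SELECT r.name,
       r.min_value,
       p.value  AS running_value,   -- value the instance is using now
       sp.value AS spfile_value,    -- value that will be used at next startup
       CASE
         WHEN sp.value IS NULL                  THEN 'NOT SET IN SPFILE'
         WHEN TO_NUMBER(sp.value) < r.min_value THEN 'SPFILE BELOW MINIMUM'
         WHEN TO_NUMBER(p.value)  < r.min_value THEN 'RESTART PENDING'
         ELSE 'OK'
       END AS status
FROM   required r
LEFT JOIN v$parameter p
       ON p.name = r.name
LEFT JOIN v$spparameter sp
       ON sp.name = r.name
      AND sp.isspecified = 'TRUE'
ORDER BY r.name;
```

A status of RESTART PENDING means the spfile holds the new value but the instance was not restarted after the change.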


Running RCU

For 11gR2 PS3 you need to use the 11g Release 1 (11.1.1.9.0) version of the Oracle Fusion Middleware Repository Creation Utility.

Unzip the binary and run 'rcu' located in rcuHome/bin



Fill in the connection details of DB instance.


Give the preferred prefix and select 'Oracle Access Manager' and 'Oracle Mobile Security Manager'.

You also need to select the 'Oracle Mobile Security Manager' schema even if you just need Oracle Access Management. By default, Oracle Mobile Security Suite is installed with Oracle Access Management.

By selecting Oracle Mobile Security Manager, the following schemas are also selected, by default:
– AS Common Schemas - Oracle Platform Security Services
– AS Common Schemas - Metadata Services
– AS Common Schemas - Audit Services
– Identity Management - Oracle Access Manager

If you manually select the Oracle Access Manager schema, then Oracle Mobile Security Manager schema will not be selected by default. In this case, you need to manually select the Oracle Mobile Security Manager schema because when you install and configure Oracle Access Management in a WebLogic domain, the Oracle Mobile Security Manager server is installed and configured in the domain by default.

Also note that if you are creating schemas for Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager on the same database, then it is recommended to provide different schema prefixes to make sure that Oracle Platform Security Services and Metadata Services schemas are not shared. Else you will face issues at later stages.


Set a password for these schemas and remember it, as it will be required at a later stage.








The schema has been created in the database. Now we can proceed with the WebLogic installation.


Installing Weblogic

As of now only Oracle WebLogic Server 11gR1 (10.3.6) is supported for deploying OAM 11gR2 PS3. There are some documents which say that WebLogic 12c is certified with OAM, but it simply means that you can protect any application deployed on a 12c WebLogic server; for OAM deployment you need WebLogic 10.3.6. I am using the generic WebLogic 10.3.6 installer.


Fill in the preferred path to the Middleware home.

Although you can install multiple products on the same Middleware home, it is recommended to use a separate Middleware home for different products, because when you install the second product some of the common files will be overwritten and this may lead to conflicts when configuring the domain or upgrading your environment. As this is a test machine, I am going to use the same Middleware home for the IDAM products suite, but for production it is never recommended.



Select the certified JDK. I have seen some issues due to outdated JDK versions/libraries.



With this the WebLogic installation is complete.


Installing OAM

Unzip the binaries and run 'runInstaller' located in Disk1 folder.



Check why the prerequisites failed. In my case, I already have a higher version of the libraries.

Click Continue to proceed.

Specify the Middleware home path created while installing WebLogic.





With this we are done with OAM installation. Let us check the directory structure created till now.



In the next blog we are going to configure the OAM domain.

Thank you for reading.