Setup for OBE : Oracle Identity Governance : Integrating Identity Manager and Identity Analytics

System requirements

Oracle Enterprise Linux 5.7

Install Database

  1. Obtain RDBMS 11.2.1.0
  2. Install database software, choosing to install the database software only.
  3. Using NETCA, create a listener on the default port of 1521.
  4. Using DBCA, create a database. Choose the default options, except for the following:
    Global database name : orcl
    SID : orcl
    Do not configure Enterprise Manager
    Use the same administrative password for all accounts : Welcome1
    Typical memory : 1536MB
    Select "Use Automatic Memory Management"
    Character sets : select "AL32UTF8"
  5. At a terminal, start sqlplus as sys and set the following DB parameters:
    $ sqlplus sys/Welcome1@localhost/orcl as sysdba
    SQL> alter system set session_cached_cursors=100 scope=spfile;
    SQL> alter system set processes=500 scope=spfile;
    SQL> shutdown immediate;
    SQL> startup;
    SQL> alter system set aq_tm_processes=1 scope=both;
    SQL> alter system set db_cache_size=150994944 scope=both;
    SQL> alter system set java_pool_size=125829120 scope=both;
    SQL> alter system set shared_pool_size=183500800 scope=both;
    SQL> alter system set open_cursors=800 scope=both;
    SQL> quit
    $

Run Repository Creation Utility (RCU)

  1. Obtain RCU for Identity Management 11.2.1.0.0 (V37476-01.zip).
  2. Create schemas, choosing the default options except for the following:
    Host name : localhost
    Port : 1521
    Service Name : orcl
    Username : sys
    Password : Welcome1
    Create a new Prefix : DEV
    Select the components : Oracle Identity Manager (SOA, MDS and OPSS are then also selected as dependencies)
    Use the same password for all schemas : Welcome1

Install JDK

  1. Obtain JDK jdk-6u43-linux-x64.bin
  2. As the root user:
    mkdir /usr/jdk
    cd /usr/jdk
    /path/to/jdk-6u43-linux-x64.bin
  3. Add the following to the .bash_profile of the oracle user
    JAVA_HOME=/usr/jdk/jdk1.6.0_43
    export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH
    export PATH

Install WebLogic Server 10.3.6

  1. Obtain wls1036_generic.jar
  2. Run the WLS installer (java -jar /path/to/wls1036_generic.jar), choosing the defaults except for the following:
    Create a new Middleware Home : /u01/app/Oracle/Middleware
    Skip security updates
    Choose the available JDK /usr/jdk/jdk1.6.0_43
    Don't run Quickstart

Install SOA Server

  1. Obtain V29672-01
  2. Install into /u01/app/Oracle/Middleware, choosing the defaults except for the following:
    Skip security updates

Install the Identity and Access Management Suite

  1. Obtain V37472-01
  2. Install into /u01/app/Oracle/Middleware, choosing the defaults except for the following:
    Skip security updates

Create WebLogic domain

  1. Start the Identity Manager domain creation utility:
    cd /u01/app/Oracle/Middleware/Oracle_IDM1/common/bin
    ./config.sh
  2. Create a domain using the following information:
    Create a new WebLogic domain
    Select "Oracle Identity Manager". SOA Suite and Enterprise Manager are automatically selected.
    Keep the default values of base_domain and the domain locations under /u01/app/Oracle/Middleware/user_projects
    Enter Welcome1 for the weblogic admin user password
    Select Development Mode, and use the JDK in /usr/jdk/jdk1.6.0_43
    Select all schemas and enter the following, leaving the "Schema Owner" field empty:
      DBMS/Service: orcl
      Host Name: localhost
      Port: 1521
      Schema Password: Welcome1
    Select Administration Server and Managed Servers for Optional Configuration
    Leave the Admin Server settings at the defaults
    Add a server "oia_server1" listening on port 18201
    Leave the Configure Cluster settings at the defaults (no clusters)
    Leave the Configure Machines settings at the defaults (only LocalMachine)
    Move all servers to the LocalMachine machine (click the right arrow to move them all)
  3. Click Create, then Done to exit the utility.

Configure the Security Store

In a terminal window, enter the following:

$ cd /u01/app/Oracle/Middleware/oracle_common/common/bin
$ ./wlst.sh /u01/app/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /u01/app/Oracle/Middleware/user_projects/domains/base_domain -m create -c IAM -p Welcome1

The second command is all on one line. When complete, you should see:

Info: Create operation has completed successfully.

Start AdminServer and SOA managed server

  1. Start the AdminServer. Open a terminal window and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./startWebLogic.sh
    The server runs in the foreground, so the terminal window will not return to a prompt. Wait until you see:
    <Server started in RUNNING mode>
  2. Start the SOA managed server. Open a second terminal window and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/startManagedWebLogic.sh soa_server1
    Enter "weblogic" and "Welcome1" at the username and password prompts. This server also runs in the foreground; wait until you see:
    <Server started in RUNNING mode>

Patch SOA Server

  1. Obtain patch 16366204. Unpack the patch into a temporary location, e.g. /stage
  2. Stop the SOA managed server. Open a terminal window, and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/stopManagedWebLogic.sh soa_server1
    Enter "weblogic" and "Welcome1" at the username and password prompts.
  3. Run the OPatch utility:
    $ cd /stage/16366204
    $ export ORACLE_HOME=/u01/app/Oracle/Middleware/Oracle_SOA1
    $ $ORACLE_HOME/OPatch/opatch apply
    Respond with "y" for "Do you want to proceed" and "Is the local system ready"
  4. Start the SOA managed server. In the original window where you started the SOA managed server, enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/startManagedWebLogic.sh soa_server1
    Enter "weblogic" and "Welcome1" at the username and password prompts. The server runs in the foreground; wait until you see:
    <Server started in RUNNING mode>

Configure Oracle Identity Manager

  1. Start the Oracle Identity Manager configuration utility. In a terminal window, enter:
    $ cd /u01/app/Oracle/Middleware/Oracle_IDM1/bin
    $ ./config.sh
  2. Configure OIM using the following information:
    Select OIM Server and OIM Design Console
    Connect String: localhost:1521:orcl
    OIM Schema User Name: DEV_OIM
    OIM Schema Password: Welcome1
    MDS Schema User Name: DEV_MDS
    MDS Schema Password: Welcome1
    WebLogic Admin Server URL : t3://localhost:7001
    UserName: weblogic
    Password: Welcome1
    OIM Administrator Password: Welcome1
    Confirm Password: Welcome1
    OIM HTTP URL: hostname.domain.com:14000
    KeyStore Password: Welcome1
    Confirm KeyStore Password: Welcome1
    Enable LDAP Sync: deselected
    OIM Server Hostname: hostname.domain.com
    OIM Server Port: 14000

Stop and Start AdminServer and SOA server

  1. In a terminal window, enter the following:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/stopManagedWebLogic.sh soa_server1
    Enter "weblogic" and "Welcome1" at the username and password prompts.
    $ ./bin/stopWebLogic.sh
  2. Start the Admin Server and SOA Server using the instructions in "Start AdminServer and SOA managed server".

Start Oracle Identity Manager

  1. Open a terminal window and enter:
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    $ ./bin/startManagedWebLogic.sh oim_server1
    Enter "weblogic" and "Welcome1" at the username and password prompts. The server runs in the foreground; wait until you see:
    <Server started in RUNNING mode>

Create WebLogic client JAR file

Open a terminal window and enter:
$ cd /u01/app/Oracle/Middleware/wlserver_10.3/server/lib
$ java -jar wljarbuilder.jar
$ cp wlfullclient.jar /u01/app/Oracle/Middleware/Oracle_IDM1/designconsole/ext

Deploy Oracle Identity Analytics

  1. Obtain patch 14831724
  2. Create the /u01/app/oia directory and unpack the patch zip file in that directory
    $ mkdir /u01/app/oia
    $ cd /u01/app/oia
    $ unzip /path/to/p14831724_111150_Generic.zip
  3. Unpack the WAR file to a staging directory
    $ mkdir /u01/app/oia/rbacx
    $ cd /u01/app/oia/rbacx
    $ jar xvf ../rbacx.war
  4. Configure OIA as per the installation instructions, that is:
  5. copy over the required JAR files
  6. edit the log4j.properties file to set the log file path (also set DEBUG for iam for easier debugging later)
  7. edit and encrypt the conf/jdbc.properties file:
    jdbc.url=jdbc:oracle:thin:@localhost:1521:orcl
    jdbc.driverClassName=oracle.jdbc.OracleDriver
    jdbc.username=rbacxservice
    jdbc.password=Welcome1
    To encrypt the password in place, run the following from the conf directory (the relative paths assume it):
    $ cd /u01/app/oia/conf
    $ java -jar ../rbacx/WEB-INF/lib/vaau-commons-crypt.jar -encryptProperty -cipherKeyProperties ./cipherKey.properties -propertyFile ./jdbc.properties -propertyName jdbc.password
  8. create schema for OIA
    $ cd /u01/app/oia/db/oracle
    $ . oraenv
    ORACLE_SID = [oracle] ? orcl
    The Oracle base has been set to /u01/app/oracle
    $ sqlplus sys/Welcome1 as sysdba
    SQL> create user rbacxservice identified by Welcome1;
    SQL> @rbacx-11.1.1.5.1_oracle_schema.sql
    SQL> @migrate-rbacx-11.1.1.5.3To11.1.1.5.4-oracle.sql
    SQL> @migrate-rbacx-11.1.1.5.4To11.1.1.5.5-oracle.sql
    SQL> quit
  9. Edit the /u01/app/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh script to add two lines at the start:
    RBACX_HOME=/u01/app/oia
    export RBACX_HOME
    This is required so that OIA can locate its "home" directory for configuration etc.
  10. Create a file /u01/app/oia/rbacx/WEB-INF/weblogic.xml with the contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">

      <container-descriptor>
        <prefer-application-packages>
          <package-name>javax.wsdl.*</package-name>
          <package-name>com.ibm.wsdl.*</package-name>
          <package-name>org.springframework.*</package-name>
          <package-name>org.aspectj.*</package-name>
          <package-name>org.jdom.*</package-name>
          <package-name>org.codehaus.xfire.*</package-name>
          <package-name>org.jaxen.*</package-name>
          <package-name>org.apache.bcel.*</package-name>
          <package-name>org.apache.commons.*</package-name>
          <package-name>com.ctc.wstx.*</package-name>
          <package-name>org.codehaus.stax2.*</package-name>
          <package-name>org.openspml.*</package-name>
          <package-name>org.quartz.*</package-name>
        </prefer-application-packages>
      </container-descriptor>
    </weblogic-web-app>
    This file tells WebLogic to prefer the Java packages in the WEB-INF directory of the OIA application, preventing class version errors.
  11. Start the OIA managed server. In a new terminal window:
    cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain
    ./bin/startManagedWebLogic.sh oia_server1
    Use weblogic and Welcome1 for the username and password.
  12. Deploy OIA.
  13. Start the WebLogic admin console by accessing
  14. Log in as weblogic/Welcome1
  15. Click Deployments -> Install
  16. Browse to the /u01/app/oia directory, and select the radio button for the rbacx directory entry (we are going to deploy from the directory, not the WAR file). Click Next.
  17. Install this deployment as an application. Click Next.
  18. Select oia_server1, click Next
  19. Under "Source accessibility", select the "I will make the deployment accessible from the following location", and click Next.
  20. Click Finish. Wait for the result, to see if the deployment was successful. If so, click Save.
  21. Once deployed, verify that you can log into OIA. The URL is Log in as the rbacxadmin user (default password is "password"). You will have to change the password at first login. Change the password to "Welcome1". You will be logged out. Log in with the new password "Welcome1" to verify that it was changed correctly.

Install Oracle Unified Directory

  1. Obtain OUD (V37478-01)
  2. Install OUD, choosing the defaults except for:
    Skip Software Updates
    OUD Base Location Home : /u01/app/Oracle/Middleware
  3. Create an instance. In a terminal window, start the OUD wizard:
    $ cd /u01/app/Oracle/Middleware/Oracle_OUD1
    $ oud-setup
    Choose the default settings. The password for the Root DN should be Welcome1
  4. Create two Organizational Units and two groups in OUD, using the following LDIF file (each entry is separated from the next by a blank line):
    dn: ou=People,dc=example,dc=com
    ou: People
    objectclass: organizationalUnit

    dn: ou=Groups,dc=example,dc=com
    ou: Groups
    objectclass: organizationalUnit

    dn: cn=Portal Users,ou=Groups,dc=example,dc=com
    cn: Portal Users
    objectclass: groupofuniquenames

    dn: cn=Portal Admins,ou=Groups,dc=example,dc=com
    cn: Portal Admins
    objectclass: groupofuniquenames
    Save it as file.ldif and load it with the following commands:
    $ cd /u01/app/Oracle/Middleware/Oracle_OUD1/bin
    $ ./ldapmodify -p 1389 -D "cn=Directory Manager" -w Welcome1 -a -f file.ldif

Seed User Data to Oracle Identity Manager

  1. The OIM URL is Log in as xelsysadm/Welcome1. If this is the first time you are signing in, you will have to set challenge questions and answers. Set them to any value.
  2. Create the following organizations of type Department in OIM : Finance, Engineering, Sales
  3. Create a user PALLEN, first name "Paul", last name "Allen", password "Welcome1", in the Sales organization, as a Full Time Employee.
  4. Using the Bulk Load Utility, seed the following users, specifying the user PALLEN as the user to copy the password from:
    USR_FIRST_NAME,USR_LAST_NAME,MANAGER_NAME,USR_EMAIL,ORG_NAME,USR_LOGIN
    Teena,Semmens,,,Finance,tsemmens
    Aime,McBeth,,,Engineering,amcbeth
    Bettina,MacElwee,pallen,,Sales,bmacelwee
    Trudy,Auerbach,tsemmens,,Finance,tauerbach
    Julieta,Hertzog,pallen,,Sales,jhertzog
    Nancey,Jepson,tsemmens,,Finance,njepson
    Richelle,Amorim,pallen,,Sales,ramorim
    Magdi,Dudas,amcbeth,,Engineering,mdudas
    Manda,Tebbe,amcbeth,,Engineering,mtebbe
    Rosalia,Teerdhala,tsemmens,,Finance,rteerdhala
    Mirelle,Sauve,amcbeth,,Engineering,msauve
    Phillipa,Becker,pallen,,Sales,pbecker
    Dorelia,Bratten,tsemmens,,Finance,dbratten
    Lesly,Aula,amcbeth,,Engineering,laula
    Tom,Thames,pallen,,Sales,tthames
    Clarence,Saladna,tsemmens,,Finance,csaladna
    Geniffer,Galvin,amcbeth,,Engineering,ggalvin
    Constantine,Drenan,pallen,,Sales,cdrenan
    Kenny,Vesterdal,tsemmens,,Finance,kvesterdal
    Dominica,Hilder,amcbeth,,Engineering,dhilder
    Louisa,Schirtzinger,pallen,,Sales,lschirtzinger
    Portia,Bradshaw,tsemmens,,Finance,pbradshaw
    Trey,Spears,amcbeth,,Engineering,tspears
    Jon,Olsen,amcbeth,,Engineering,jolsen
    Kathee,Acklin,pallen,,Sales,kacklin
    Celine,Dayberry,amcbeth,,Engineering,cdayberry
    Merissa,Railey,pallen,,Sales,mrailey
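Before running the Bulk Load Utility it is worth checking the CSV for the mistakes that produce rejected rows or orphaned users: a MANAGER_NAME that does not resolve to a login (either one in the file or one already created, here PALLEN), an ORG_NAME that was not created in step 2, or a duplicate or empty USR_LOGIN. The following Python script is an added example, not part of the original guide or of the utility; the CSV it embeds is a copy of the one above, and the organization names and the pre-existing login come from steps 2 and 3.

```python
import csv
import io

# Constructed copy of the bulk-load CSV shown above (header plus the 27 user rows).
BULK_LOAD_CSV = """USR_FIRST_NAME,USR_LAST_NAME,MANAGER_NAME,USR_EMAIL,ORG_NAME,USR_LOGIN
Teena,Semmens,,,Finance,tsemmens
Aime,McBeth,,,Engineering,amcbeth
Bettina,MacElwee,pallen,,Sales,bmacelwee
Trudy,Auerbach,tsemmens,,Finance,tauerbach
Julieta,Hertzog,pallen,,Sales,jhertzog
Nancey,Jepson,tsemmens,,Finance,njepson
Richelle,Amorim,pallen,,Sales,ramorim
Magdi,Dudas,amcbeth,,Engineering,mdudas
Manda,Tebbe,amcbeth,,Engineering,mtebbe
Rosalia,Teerdhala,tsemmens,,Finance,rteerdhala
Mirelle,Sauve,amcbeth,,Engineering,msauve
Phillipa,Becker,pallen,,Sales,pbecker
Dorelia,Bratten,tsemmens,,Finance,dbratten
Lesly,Aula,amcbeth,,Engineering,laula
Tom,Thames,pallen,,Sales,tthames
Clarence,Saladna,tsemmens,,Finance,csaladna
Geniffer,Galvin,amcbeth,,Engineering,ggalvin
Constantine,Drenan,pallen,,Sales,cdrenan
Kenny,Vesterdal,tsemmens,,Finance,kvesterdal
Dominica,Hilder,amcbeth,,Engineering,dhilder
Louisa,Schirtzinger,pallen,,Sales,lschirtzinger
Portia,Bradshaw,tsemmens,,Finance,pbradshaw
Trey,Spears,amcbeth,,Engineering,tspears
Jon,Olsen,amcbeth,,Engineering,jolsen
Kathee,Acklin,pallen,,Sales,kacklin
Celine,Dayberry,amcbeth,,Engineering,cdayberry
Merissa,Railey,pallen,,Sales,mrailey
"""

# Organizations created in step 2 and the user created by hand in step 3.
KNOWN_ORGS = {"Finance", "Engineering", "Sales"}
PRE_EXISTING_LOGINS = {"pallen"}
REQUIRED_COLUMNS = ("USR_FIRST_NAME", "USR_LAST_NAME", "ORG_NAME", "USR_LOGIN")


def _cell(row, column):
    """Return a stripped cell value, treating a short row as having empty cells."""
    return (row.get(column) or "").strip()


def validate_bulk_load(csv_text, known_orgs=KNOWN_ORGS, existing_logins=PRE_EXISTING_LOGINS):
    """Return a list of (line_number, problem) tuples; an empty list means the file is consistent.

    Logins are compared case-insensitively, since the directory entries shown later in
    this guide carry the login in upper case (uid=MTEBBE) while the CSV uses lower case.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing_cols:
        return [(1, f"header lacks required column(s): {', '.join(missing_cols)}")]
    rows = list(reader)
    problems = []

    # Pass 1: every row needs a unique, non-empty login (line 1 is the header).
    logins = {login.lower() for login in existing_logins}
    for n, row in enumerate(rows, start=2):
        login = _cell(row, "USR_LOGIN").lower()
        if not login:
            problems.append((n, "empty USR_LOGIN"))
            continue
        if login in logins:
            problems.append((n, f"duplicate login {login!r}"))
        logins.add(login)

    # Pass 2: references must resolve, now that every login in the file is known.
    for n, row in enumerate(rows, start=2):
        login = _cell(row, "USR_LOGIN").lower()
        for col in ("USR_FIRST_NAME", "USR_LAST_NAME"):
            if not _cell(row, col):
                problems.append((n, f"empty {col}"))
        org = _cell(row, "ORG_NAME")
        if org not in known_orgs:
            problems.append((n, f"unknown organization {org!r}"))
        manager = _cell(row, "MANAGER_NAME").lower()
        if manager and manager == login:
            problems.append((n, "user listed as their own manager"))
        elif manager and manager not in logins:
            problems.append((n, f"manager {manager!r} does not resolve to a login"))
    return problems


def org_headcount(csv_text):
    """Users per organization, for cross-checking the OIM organization view after the load."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        org = _cell(row, "ORG_NAME")
        counts[org] = counts.get(org, 0) + 1
    return counts


if __name__ == "__main__":
    for line, problem in validate_bulk_load(BULK_LOAD_CSV) or [(0, "no problems found")]:
        print(line, problem)
    print(org_headcount(BULK_LOAD_CSV))
```

An empty result means every manager and organization reference resolves. Because the utility copies PALLEN's password to every loaded user, the headcount is also the number of accounts that start out sharing that one password.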

Install Generic LDAP Connector in Oracle Identity Manager

  1. Obtain the OID (Generic LDAP) connector - OID-11.1.1.6.0.zip
  2. Unpack the connector in the /u01/app/Oracle/Middleware/Oracle_IDM1/server/ConnectorDefaultDirectory
  3. Use the Connector Installer in OIM to install the connector. Manage Connectors > Install Connector > select OUD connector > install
  4. Create an IT Resource instance for the OUD server.
    IT Resource Name : Corporate LDAP
    IT Resource Type : LDAP
    baseContexts: "dc=example,dc=com"
    Configuration Lookup: Lookup.LDAP.OUD.Configuration
    credentials: Welcome1
    host: localhost
    port: 1389
    principal: cn=Directory Manager
    ssl: false
  5. Run the "LDAP Connector OU Lookup Reconciliation" scheduled job to pull in the organizational units from OUD. Be sure to change the IT Resource Name field in the scheduled job to "Corporate LDAP".
  6. Run the "LDAP Connector Group Lookup Reconciliation" scheduled job to pull in the groups from OUD.

Create Roles and Access Policies in Oracle Identity Manager

  1. Create two roles in the Identity Self Service Console:
    Portal User
    Portal Administrator
  2. Create two Access Policies in the System Administration Console
  3. Name: Portal User on Corporate LDAP
    Provision: Without Approval
    Retrofit Access Policy: <selected>
    Select Resources to be provisioned: LDAP User
    Server: Corporate LDAP
    Container DN: Corporate LDAP~People
    Set Additional Data : LDAP Group: Corporate LDAP~Portal Users
    Revoke if No Longer Applies : selected
    Roles: Portal User
  4. Name: Portal Administrator on Corporate LDAP
    Provision: Without Approval
    Retrofit Access Policy: <selected>
    Select Resources to be provisioned: LDAP User
    Server: Corporate LDAP
    Container DN: Corporate LDAP~People
    Set Additional Data : LDAP Group: Corporate LDAP~Portal Admins
    Revoke if No Longer Applies : selected
    Roles: Portal Administrator

Assign Roles to Users in Oracle Identity Manager

Using the Identity Self-Service Console, assign the Portal User role to the following users:

Trudy
Nancey
Richelle
Magdi
Manda
Rosalia
Mirelle
Phillipa
Dorelia
Lesly
Tom
Geniffer
Kenny
Dominica
Louisa
Portia
Trey
Jon

Approve the request-level request.

Run the Evaluate User Policies Scheduled Job

Using the Identity System Administration console, run the Evaluate User Policies scheduled job, to force the provisioning of accounts on OUD.

Verify Provisioning of Accounts in Oracle Unified Directory

In a terminal window, execute the following commands:

$ cd /u01/app/Oracle/Middleware/Oracle_OUD1/bin
$ ./ldapsearch -p 1389 -D "cn=Directory Manager" -w Welcome1 -b "dc=example,dc=com" "cn=Portal Users"

The output should be:

dn: cn=Portal Users,ou=Groups,dc=example,dc=com
uniqueMember: uid=MTEBBE,ou=People,dc=example,dc=com
uniqueMember: uid=MSAUVE,ou=People,dc=example,dc=com
uniqueMember: uid=LSCHIRTZINGER,ou=People,dc=example,dc=com
uniqueMember: uid=TSPEARS,ou=People,dc=example,dc=com
uniqueMember: uid=LAULA,ou=People,dc=example,dc=com
uniqueMember: uid=GGALVIN,ou=People,dc=example,dc=com
uniqueMember: uid=PBECKER,ou=People,dc=example,dc=com
uniqueMember: uid=MDUDAS,ou=People,dc=example,dc=com
uniqueMember: uid=TTHAMES,ou=People,dc=example,dc=com
uniqueMember: uid=KVESTERDAL,ou=People,dc=example,dc=com
uniqueMember: uid=DHILDER,ou=People,dc=example,dc=com
uniqueMember: uid=DBRATTEN,ou=People,dc=example,dc=com
uniqueMember: uid=TAUERBACH,ou=People,dc=example,dc=com
uniqueMember: uid=RTEERDHALA,ou=People,dc=example,dc=com
uniqueMember: uid=PBRADSHAW,ou=People,dc=example,dc=com
uniqueMember: uid=RAMORIM,ou=People,dc=example,dc=com
uniqueMember: uid=JOLSEN,ou=People,dc=example,dc=com
cn: Portal Users
objectClass: groupofuniquenames
objectClass: top
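To check the result mechanically rather than by eye, the following Python script is an added example (not part of the original guide): it parses LDIF text such as the file used to create the organizational units and groups in "Install Oracle Unified Directory" or the ldapsearch output above, rejects a file whose entries are not separated by blank lines, extracts the uid of each uniqueMember of a group, and compares those against the logins of the users who were given the Portal User role (the first names in "Assign Roles to Users" mapped to USR_LOGIN through the bulk-load CSV). The LDIF and search output embedded in it are copies constructed from this page; run against them as printed, the check lists njepson as assigned the role but absent from the printed group membership, which is exactly the kind of gap between intended and actual access that the check exists to surface.

```python
import re

# Constructed copy of the LDIF from "Install Oracle Unified Directory", with blank lines between entries.
OU_AND_GROUP_LDIF = """dn: ou=People,dc=example,dc=com
ou: People
objectclass: organizationalUnit

dn: ou=Groups,dc=example,dc=com
ou: Groups
objectclass: organizationalUnit

dn: cn=Portal Users,ou=Groups,dc=example,dc=com
cn: Portal Users
objectclass: groupofuniquenames

dn: cn=Portal Admins,ou=Groups,dc=example,dc=com
cn: Portal Admins
objectclass: groupofuniquenames
"""

# Constructed copy of the ldapsearch output printed above.
PORTAL_USERS_SEARCH_OUTPUT = """dn: cn=Portal Users,ou=Groups,dc=example,dc=com
uniqueMember: uid=MTEBBE,ou=People,dc=example,dc=com
uniqueMember: uid=MSAUVE,ou=People,dc=example,dc=com
uniqueMember: uid=LSCHIRTZINGER,ou=People,dc=example,dc=com
uniqueMember: uid=TSPEARS,ou=People,dc=example,dc=com
uniqueMember: uid=LAULA,ou=People,dc=example,dc=com
uniqueMember: uid=GGALVIN,ou=People,dc=example,dc=com
uniqueMember: uid=PBECKER,ou=People,dc=example,dc=com
uniqueMember: uid=MDUDAS,ou=People,dc=example,dc=com
uniqueMember: uid=TTHAMES,ou=People,dc=example,dc=com
uniqueMember: uid=KVESTERDAL,ou=People,dc=example,dc=com
uniqueMember: uid=DHILDER,ou=People,dc=example,dc=com
uniqueMember: uid=DBRATTEN,ou=People,dc=example,dc=com
uniqueMember: uid=TAUERBACH,ou=People,dc=example,dc=com
uniqueMember: uid=RTEERDHALA,ou=People,dc=example,dc=com
uniqueMember: uid=PBRADSHAW,ou=People,dc=example,dc=com
uniqueMember: uid=RAMORIM,ou=People,dc=example,dc=com
uniqueMember: uid=JOLSEN,ou=People,dc=example,dc=com
cn: Portal Users
objectClass: groupofuniquenames
objectClass: top
"""

# Logins of the users given the Portal User role, mapped from first name to USR_LOGIN via the bulk-load CSV.
ASSIGNED_PORTAL_USER_LOGINS = [
    "tauerbach", "njepson", "ramorim", "mdudas", "mtebbe", "rteerdhala", "msauve", "pbecker", "dbratten",
    "laula", "tthames", "ggalvin", "kvesterdal", "dhilder", "lschirtzinger", "pbradshaw", "tspears", "jolsen",
]


def parse_ldif(text):
    """Parse LDIF into [(dn, {attribute: [values]})]. Entries are separated by blank lines and a
    leading space continues the previous line; a second dn inside one entry (what a missing
    blank line between two entries looks like) raises ValueError."""
    entries, current = [], []

    def flush(lines):
        dn, attrs = None, {}
        for line in lines:
            if line.startswith("#"):  # LDIF comment
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, value = name.strip().lower(), value.strip()
            if name != "dn":
                attrs.setdefault(name, []).append(value)
            elif dn is None:
                dn = value
            else:
                raise ValueError(f"second dn {value!r} in entry {dn!r}: missing blank line between entries?")
        if dn is None:
            raise ValueError("entry without a dn")
        entries.append((dn, attrs))

    for raw in text.splitlines():
        if not raw.strip():
            if current:
                flush(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]  # folded continuation line
        else:
            current.append(raw)
    if current:
        flush(current)
    return entries


def group_member_uids(entries, group_dn):
    """Lower-cased uid of every uniqueMember of the entry whose dn equals group_dn."""
    uids = set()
    for dn, attrs in entries:
        if dn.lower() == group_dn.lower():
            for member in attrs.get("uniquemember", []):
                match = re.match(r"uid=([^,]+),", member, re.IGNORECASE)
                if match:
                    uids.add(match.group(1).lower())
    return uids


def reconcile(assigned_logins, member_uids):
    """Role holders in OIM versus actual group members in OUD: who is missing, who should not be there."""
    assigned = {login.lower() for login in assigned_logins}
    members = {uid.lower() for uid in member_uids}
    return {"missing": sorted(assigned - members), "unexpected": sorted(members - assigned)}
```

In a live check, replace PORTAL_USERS_SEARCH_OUTPUT with the text returned by the ldapsearch command above and ASSIGNED_PORTAL_USER_LOGINS with the current role membership from OIM; a non-empty "unexpected" list is the more serious finding, because it means an account holds access that no role grants.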

Optional steps

  1. Copy the boot.properties file from the Admin Server to the managed server instances, so that a password is not required when starting/stopping each managed server
    $ cd /u01/app/Oracle/Middleware/user_projects/domains/base_domain/servers
    $ mkdir oia_server1/security
    $ mkdir oim_server1/security
    $ mkdir soa_server1/security
    $ cp AdminServer/security/boot.properties oia_server1/security
    $ cp AdminServer/security/boot.properties oim_server1/security
    $ cp AdminServer/security/boot.properties soa_server1/security
  2. Create desktop shortcuts for stopping and starting the WebLogic server instances.