cinqict

Monday, August 3, 2015

Oracle OAM (11.1.2.3) Installation

INTRODUCTION

In this blog, we are going to install and configure an Oracle Access Manager (11.1.2.3) Domain. Together with the installation of the Oracle OID, found elsewhere on the site, we are going to show how Authentication and Authorization works within the Oracle Fusion Middleware Stack. Finally, we will hook up the OAM server to a Windows 2012 AD, and show you how Single Sign On is configured.
But first, let’s install Oracle Access Manager.

Software used

I have used 2 Oracle Linux 6.4 servers for the installation. One is running an Oracle 12c database for the schemas that you can install with RCU. With RCU, make sure you create the schemas required for Oracle Access Manager (selecting Oracle Access Manager will auto-select the dependencies).

The other Linux server will be running the OAM installation. The software used for the OAM installation is from the Oracle Identity and Access Management Deployment Repository 11.1.2.3.0, which you can download from the Oracle Software Delivery Cloud. This Repository contains the whole Identity and Access Management stack, including Weblogic and RCU. We will be installing the OAM as the oraoas user.
The example installation will use the following settings:
 The middleware home will be created in /w001/app/mwhome_oam
 The ORACLE_HOME  will be created in /w001/app/mwhome_oam/Oracle_IAM1
 The domain will be created in /w001/app/domains/oam_domain
 We have a jdk home (version 1.7) installed in /w001/app/jdk

Note on that last one... I always use this as my JAVA_HOME. It has a few advantages. First of all it is located outside of any middleware configuration directories. It's stand-alone, so to speak, so it can be used by multiple (weblogic) installations. But more important: I do not use any version numbers in the location. Weblogic uses this path in several start and configuration scripts when installing the product files. When an upgrade of the jdk is at hand, you simply put aside the /w001/app/jdk folder and replace it with the new jdk and boot up your weblogic servers with the new version. You could even work with softlinks.

Weblogic Installation

Start the weblogic installation by running
java -jar wls_generic.jar
This jar is found in the installers/weblogic directory of the unpacked repository.
You can follow the installation instructions in the weblogic installation part of http://cinqtalk.blogspot.nl/2015/07/oracle-oid-11119-with-odipodsm.html
Make sure you create the middleware home in /w001/app/mwhome_oam

Oracle OAM Installation

Run the installer with the following command
<software_repository>/Disk1/runInstaller
The installer will ask where the JDK is located. Enter /w001/app/jdk and press enter:
Please specify JRE/JDK location ( Ex. /home/jre ), <location>/bin/java should exist :/w001/app/jdk
The Inventory Directory screen appears. Enter /w001/app/oraInventory
Next, the Welcome screen appears
In the next screen, select the oam middleware home we created during the weblogic installation and enter Oracle_IAM1 as the ORACLE_HOME directory
Verify the installation summary and click Install
Watch the installation progress and press Next
Press Finish at the end of the installation

Domain Creation

We are going to create an OAM Domain by running the config.sh from the Oracle Home:
/w001/app/mwhome_oam/Oracle_IAM1/common/bin/config.sh
This will open the Welcome Screen where we will choose to create a new Weblogic Domain.

In the next screen, select the Oracle Access Management and Mobile Security Suite. This will automatically select the Enterprise Manager.
Enter a password for the weblogic user
In the next screen, enter the users, passwords and other connection details for the database components
Verify all connections
In the next screen, select to configure the Admin Server, Managed Servers and Clusters and to review the deployments
Enter the listen address and port number for the admin server
In the next screen, review the managed server settings. There are three managed servers installed by default. For this example we are going to use only the oam server. Accept the default settings for now. We can adjust them later.
Create three clusters
And assign the managed servers to them
Create a Machine so that the nodemanager can manage the managed servers
As this oam server is running on the same server as the oid that we created in a different post, we will use the same nodemanager running on port 7020.
Assign the managed servers and the admin server to the Machine
In the next screen, verify that the deployments are targeted to the clusters and not the managed servers
Also verify this for the jdbc resources
Choose create after a final verification
And press Done as the domain creation has ended

Security Configuration

Before starting the domain we first have to set up the security configuration.
This is done by running the following command
/w001/app/mwhome_oam/oracle_common/common/bin/wlst.sh /w001/app/mwhome_oam/Oracle_IAM1/common/tools/configureSecurityStore.py -d /w001/app/domains/oam_domain -c IAM -p qwer1234 -m create
Now, you can start the Admin Server, hook up the nodemanager to the domain with nmEnroll and start the oam managed server.


Additional Configuration

Since we are running the oam server on the same server as the OID, we can use the OHS Http server on port 80 to route requests to the oam managed server.
For this I have created 2 virtual hosts, each in a separate configuration file, which I include in the httpd.conf:
# Named Virtual Host Definition for the OAM and IDM Managed Servers
NameVirtualHost *:80
include /w001/app/instances/oidinst_1/config/OHS/ohs1/oam1.cinqict.local.conf
include /w001/app/instances/oidinst_1/config/OHS/ohs1/oid1.cinqict.local.conf

The virtual host configuration files:

oam1.cinqict.local.conf
<VirtualHost *:80>
ServerName oam1.cinqict.local:80
ServerAlias oam.acceptatie
ErrorLog "|${ORACLE_HOME}/ohs/bin/rotatelogs ${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/error_oam_log 43200"
CustomLog "|${ORACLE_HOME}/ohs/bin/rotatelogs ${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/access_oam_log 43200" common
<IfModule ossl_module>
SSLEngine off
</IfModule>
<IfModule weblogic_module>
MatchExpression /oam
WebLogicCluster oam1.cinqict.local:8024
DynamicServerList On
DebugConfigInfo On
Idempotent On
</IfModule>
</VirtualHost>

oid1.cinqict.local.conf
<VirtualHost *:80>
ServerName oid1.cinqict.local:80
ServerAlias idm.acceptatie
ErrorLog "|${ORACLE_HOME}/ohs/bin/rotatelogs ${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/error_idm_log 43200"
CustomLog "|${ORACLE_HOME}/ohs/bin/rotatelogs ${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/access_idm_log 43200" common
<IfModule ossl_module>
SSLEngine off
</IfModule>
<IfModule weblogic_module>
MatchExpression /odsm
WebLogicCluster oid1.cinqict.local:7024
DynamicServerList On
DebugConfigInfo On
Idempotent On
</IfModule>
</VirtualHost>

As you can see, the virtual host for oam routes the requests to port 8024. So we will adjust the managed server to run on 8024.
We also need to adjust this port in the server configuration in the oam console.
From now on we want the login url to go through the OHS Http server. This might even be mandatory in some environments, where only port 80, and some other known ports, are allowed by firewalls. So, adjust the OAM Server Host and Port to use the Virtual Host name and port 80, configured in the Access Manager Settings.
For the same reason, adjust the CLUSTER Frontend host and port in the Admin Console for the OAM Cluster.
Finally, reboot the admin server and the oam managed server.
When the servers are back up, open the oamconsole in a browser by entering the admin server address and port, followed by /oamconsole:
http://oam1.cinqict.local:8021/oamconsole
Note that the oamconsole application will route you to the oam server to enter your credentials. The url that is used is the url of the virtual host on port 80, instead of the default managed server port 14100.
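The routing above only works when the port in WebLogicCluster and the listen port of the oam managed server agree, and the sample virtual hosts carry two settings (DebugConfigInfo On, SSLEngine off) that are fine on a test box but not beyond it. The script below is an added example, not part of the original post or of any Oracle tooling: it reads a vhost file and the domain's config.xml, reports whether the proxy port matches the server's listen-port, and flags those two settings. The config.xml layout, the managed server name oam_server1 and the sample files it writes to a temporary directory are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OHS vhost file against
# the WebLogic domain config.xml. Sample files are constructed for the demo;
# the server name oam_server1 and the config.xml layout are assumptions.

# Port from the first WebLogicCluster host:port entry in a vhost file.
vhost_backend_port() {
    sed -n 's/^[[:space:]]*WebLogicCluster[[:space:]]*[^:]*:\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# listen-port of the named <server> block in config.xml. The first <name> in
# the block is the server name; a nested <ssl><name> is ignored. A server on
# the default port has no <listen-port> element and yields an empty string.
server_listen_port() {
    awk -v srv="$1" '
        /<server>/ { inblk = 1; name = ""; port = "" }
        inblk && /<name>/ && name == "" {
            sub(/.*<name>/, ""); sub(/<\/name>.*/, ""); name = $0
        }
        inblk && /<listen-port>/ {
            sub(/.*<listen-port>/, ""); sub(/<\/listen-port>.*/, ""); port = $0
        }
        /<\/server>/ { if (inblk && name == srv) print port; inblk = 0 }
    ' "$2"
}

# One line per setting that should not leave a development box.
vhost_findings() {
    if grep -Eqi '^[[:space:]]*DebugConfigInfo[[:space:]]+On' "$1"; then
        echo "WARN $1: DebugConfigInfo On lets any client fetch the proxy plug-in configuration; set it Off outside development"
    fi
    if grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+off' "$1"; then
        echo "WARN $1: SSLEngine off means the OAM login page and the credentials posted to it travel in clear text on port 80"
    fi
}

# Compare the proxy target port with the server's listen port. Returns 0 on a match.
check_route() {   # args: vhost.conf config.xml server-name
    vp=$(vhost_backend_port "$1")
    sp=$(server_listen_port "$3" "$2")
    if [ -n "$vp" ] && [ "$vp" = "$sp" ]; then
        echo "OK $1 -> :$vp matches $3 listen-port"
        return 0
    fi
    echo "MISMATCH $1 -> :${vp:-?} but $3 listens on :${sp:-?}"
    return 1
}

DEMO=$(mktemp -d)
CONFIG_XML="$DEMO/config.xml"
OAM_CONF="$DEMO/oam1.cinqict.local.conf"
DEFAULT_CONF="$DEMO/oam1-default-port.conf"

# Constructed config.xml: admin server on 8021, oam_server1 moved to 8024 as in the post.
cat > "$CONFIG_XML" <<'EOF'
<domain>
  <name>oam_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-port>8021</listen-port>
  </server>
  <server>
    <name>oam_server1</name>
    <ssl><name>oam_server1</name><enabled>false</enabled></ssl>
    <listen-port>8024</listen-port>
    <cluster>oam_cluster</cluster>
  </server>
</domain>
EOF

# Constructed vhost: the proxy part of the post's oam1.cinqict.local.conf.
cat > "$OAM_CONF" <<'EOF'
<VirtualHost *:80>
ServerName oam1.cinqict.local:80
<IfModule ossl_module>
SSLEngine off
</IfModule>
<IfModule weblogic_module>
MatchExpression /oam
WebLogicCluster oam1.cinqict.local:8024
DynamicServerList On
DebugConfigInfo On
Idempotent On
</IfModule>
</VirtualHost>
EOF

# Constructed vhost still pointing at the stock managed server port 14100.
cat > "$DEFAULT_CONF" <<'EOF'
<VirtualHost *:80>
ServerName oam1.cinqict.local:80
<IfModule weblogic_module>
MatchExpression /oam
WebLogicCluster oam1.cinqict.local:14100
DebugConfigInfo Off
</IfModule>
</VirtualHost>
EOF

# Stand-alone run: routing check and findings for both sample vhosts.
for f in "$OAM_CONF" "$DEFAULT_CONF"; do
    check_route "$f" "$CONFIG_XML" oam_server1 || true
    vhost_findings "$f"
done
```

Point the three functions at $ORACLE_INSTANCE/config/OHS/ohs1/*.conf and $DOMAIN_HOME/config/config.xml to run it against a real installation; the vhost parser only reads the first WebLogicCluster entry, so a cluster with several members needs one call per member or a small extension of the sed expression.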
3 comments:

  1. Hi Jos De Jong,
    I wanted to install OAM 11.1.2.3.

    I completed installing the weblogic 10.3.6 (without running the config.sh). I created the schemas with RCU for the required schemas.

    I installed Oracle Identity and Access Management (11.1.2.3). After installation, I ran the ./config.sh. According to your steps, I should be getting the step about Domain Creation. But from my end, I don't have the Domain Creation screenshot, but it showed me "Components to Configure" and the selection is Oracle Identity Manager [with 3 checkboxes: OIM server, OIM Design Console, OIM Remote Manager].

    Could you advise if I use the correct installer? I downloaded the installer from edelivery (3 files: V75947-01_1of3-3of3.zip Oracle Identity and Access Management )(11.1.2.3.0)

  2. Hi, your article helped me a lot. To do it using 443, any tips?

  3. Can Oracle Access Manager and Oracle Internet Directory be installed and coexist on the same server?
