Oracle Identity & Access Management (R2 PS2) Installation (OIM & OAM)

This is a walkthrough of Oracle Access Manager and Oracle Identity Manager along with configuration explanations and tips, including NodeManager settings.

http://idm.guru

---

Closed Caption:

hello everybody this is alex dancer with
IDM guru and this video we're going to
walk through an installation of oracle
ex-manager an oracle identity manager
and we're going to be doing them
together because they come in the same
is taller so before i start any
installation I usually like to have the
Oracle documentation up as a reference
they have a very nice roadmap for the
installation which is nice to follow so
I'm going to pull that up as well as
some of the release notes so you go to
the download section on or calm under
identity and access management and then
go to the documentation tab and in here
we're going to be doing this release are
2 ps2 so in this documentation library
there's two documents that are going to
be referenced by me today
first is the release notes and then the
second is the installation guide now you
always want to take a look through the
release notes because they often have
critical information that you have to
perform on an install and if you missed
out on this you could give yourself a
lot of child trouble trouble later okay
so in the actual installation doc under
configuring oracle identity manager most
of these docs have this section where it
says installation and configuration
roadmap want to look without roadmap
word there because it gives you this
very nice tit table with the very
high-level steps that you need to do for
example run yours
you must also install getting access
management etc etc so before we begin I
just want to point out to two things
that I noticed in the release notes that
we're going to have to take into account
first under installation and
configuration issues there's this piece
right here
no that's not it it's the section here
mandatory steps after complaining and
OEM or I am install you have to edit the
gps config file and change one of these
tags so we're going to keep this up for
when we have to do that step and the
other piece that we have to do is
related to sew on patches let me see if
i can find that right here mandatory
patch is required for installing oim and
it's basically telling us that in the OM
installation there's a file which
contains a bunch of sew on patches that
we need to apply after install so on
ok so let me put this away for now and
go into my machine here so I have a box
in the cloud that I've set up demoed IDM
guru and on this box I have the oracle
database already installed and I have a
fusion middleware folder that has a
bunch of installation media now I've
used this image before so you'll see a
bunch of other stuff on here that we're
not going to use so the first thing i
want to do is just start the database
and I have a little script here to do
just that and while that's coming up
let's look through our roadmap to see
what we got to do first
so obviously first thing we are going to
run the RCU and then install weblogic
and then install so and i am so these
installers require the X Windows system
so you can either use the next
compatible terminal application like
putty with x-wing or do it right in if
you're doing OSX you can do it right
through here with ex-manager i
personally like to just use a VNC server
on the box and just use a VNC client to
connect to it so as soon as the database
starts up i'm going to start the VNC
server and go into there
ok so our databases up going to start a
VNC server on port 14 display when I
should say and let's connect to it i
have chicken of the BNC as my client
ok then we'll open up a terminal here
and get right into the RCO my installers
for our 2 ps2 or in this folder and I
have all of them already unzipped and
ready to go
identity access management to have an
oud installer the RCU so on and some
updates so let's go into the RCO before
I start I just want to show that i have
a couple of environment variables
already set so i have java installed in
my fusion middleware home
this is a cheeky 1.6 now when I talk
about the middleware home it's this
directory here
fmw fusion middleware and that's where
we're going to install absolutely
everything so I have a variable called
our home which is set to fw and we're
going to be using this later
some of these installers require you
passing argument to wear java is located
i'm not sure if the RCU does though
we'll find out in a second
they were good so on the RCO here what
we're doing is creating all the database
objects that are going to be used by the
installers I'm sorry about the product
once to buy the products wondering once
they're installed we're going to create
we're going to select our database host
name is the closed 1521 or CL this is
something that i previously set up this
3 and the role as a sis ta this is just
to connect to the database RCU is going
to do a couple checks now you might see
me interrupt the recording from time to
time if something's gonna take a while
and I just pause it and resume it once a
particular step is completed
ok so scheme a prefix as soon as we
install our first one is we select one
its components so for example an
identity management we're going to want
to install identity manager and access
manager down here and you noticed as
soon as you select these it will
automatically select any other required
schemas and the prefix essentially
change it you will see that the actual
schemes that will it will create also
change so the reason for this is that
sometimes you might want to put one or
more install installations on one
database so you can separate the map by
changing the prefix so you could do a
dev for development and you can do a TS
d for testing environment and so on
alright i'm going to use the same
password for all of these going to keep
that the same
ok ok so
have our table species created we can
just say create and it'll do the actual
schemas and it's going to take awhile
ok so now the RC is completed we have
our scheme is ready and we can continue
with the installation
so the next step is to install weblogic
in just for validation we can check our
roadmap RCU weblogic and
weblogic mostly comes as a as a runnable
jar file and if you are running this on
a 64-bit system you want to do this
d 64 parameter
alright and the weblogic installer is
actually pretty straightforward you can
more or less next your way through it
i'm going to set the middle/middle we're
home directory is MW this is where we're
going to put everything and obviously
create a new middleware home this is
your only option at this point my
complaint here that i already have some
files in there and I'm going to just say
yes continue do not wish to receive yes
I'm sure it next anyway
yes I'm sure yes
I wish to remain informed continue Wow
going to just choose typical it detected
rj decay installation next next next
pretty straightforward
and this can
logic installation we do not want to run
quick start I'm just going to close that
out so let's go check our roadmap see
where we are we have logic next we
should install the solar suit
sweet ok then go back to my installation
directory and i'm going to do a run
installer and pass the GRE location w
jdk
ok the actual product installations are
very very straightforward literally just
next next next we're going to keep the
middleware home as we've what we've
probably previously configured and the
home directory is where the product is
actually going to get installed
this actually talk about
10 minutes on my into complete deposit
in the middle
this is now done we can move on with our
installation
I like this . to do the soul patches
since where you're just install it since
we just installed so i might as well do
the patch is required for it now we
talked about this earlier in the release
notes there's this section mentor
patches and talk about this file that's
in the identity and access management
installing install folder and they tell
us how to install it so let's go ahead
and do that i'm going to switch to my I
identity and access management
installation and disqualify we should
see that zip file
yep there it is I'm going to unzip it
ok
and I believe what we have to do is run
opatch and apply but that's not going to
work because opatch is done in the path
so we need to add it to the path now
opatch I know for just from a previous
experience that it's inside the so
installation which is here and there's a
pet so we need to add that path to our
path so let's just reset it
export path equals paste and dollar path
so if we were no patch it resolves we
can doooo patch and apply oracle home
fusion middleware oracle scala so we're
basically saying oh patch and applies to
apply a bunch of patches at the same
time and we're telling it that the
Oracle home is the so installation that
we just did
the patch kinda just goes through
installed everything on its own and I'll
tell you or patch succeeded at the end
so now we have so installed we can go
ahead and continue with the identity
access management suite so i'm reading
the installation directory and we run
the installer again i'm going to pass
the GRE location
and this is gonna be the same as so I
pretty much just next just that next
next next keep the default and we'll
pause and resume once it's ready
ok and
were completed so all I am an oem have
been installed next step in the process
is to configure the domain and let's
just take a quick look at our roadmap so
when start so i installed in a row i am
and now we have to run the middleware
configuration utility now at this point
all that we have on our web server
I'm sorry on our server here is the
plane binary is installed so we have
weblogic saw in om OM but they're not
actually in a vulnerable state only the
binary Tsar there in the right file
locations when we installed weblogic it
created this fancy directory structure
here with a bunch of directories in it
but there's nothing actually runnable at
the moment except perhaps no manager so
we have to create a domain first in
order to get an admin server and all
that stuff so let's do that now there's
a couple places where you can launch the
middleware domain configuration I prefer
to do it from oracle common common then
you just run configured Sh
so we're going to do create a new domain
and here we have to spend
what components we have we want to add
to this domain so we're going to add
oracle identity manager and oracle
access manager and it will automatically
select any other requirements
I like to rename my domains to IDM
domain or something else more descript
but I'm going to keep the default
locations for the application domain
folders
this is our weblogic user and here
development production mode you can stay
with development for for now and use
production when you are actually in
production
this change is that the way you have to
start things up and the use of password
or boot up properties file and a couple
of other things
ok in this green we have to give the
connection information for all of the
required schemas that we select it sold
in the first screen where we selected
OEM and odm and some of the other
components that are automatically
selected all of those components have
scheme is associated with them and those
were listed in this screen here so now
we have to provide the configuration
tool the connection information for
those schemas and we created those
skimmers in our first step using the RC
utility so for all of these we have to
specify the service name hosting port
etc etc and you can do them all at the
same time you should select them all now
one thing to note here be very careful
not to even enter into this field
because as soon as you type something
it changes it all changes all of them so
this column that scheme owners doing one
that's unique for each one of them so if
you type something in here in this
scheme owner text field it will
overwrite all of these and then you'll
have to go figure out what they were and
look them up somewhere
now when I created the scheme as I use
the same password for all of them so i'm
entering that password now or CL is the
service name that I had my database and
the hosting i'm going to enter a local
house
port is the same and we're not doing
anything with the rack so I leave those
blank so everything tests ok and we can
move on and on this screen you can go up
you can go in and configure more things
in more detail
you don't have to any other changes that
you can make by selecting these
checkboxes you can do later through the
admin console but one thing that I like
to do is just to configure the machine
so I'm going to just select that if
you're doing a clustered in your a
cluster installation you could add more
service through here but we're not doing
that now it's going to go through and no
cluster and under machines
that's fine i only what I want machine
but i should be able to assign them here
we go
i'm going to select these managed
servers and assign them to the local
machine it already did so for some
reason we're going to have four managed
servers that are associated with the
local machine now the local machine is
really a representation of an instance
of node manager running some known
manager is kind of an agent that runs on
a physical box and it allows the admin
server to control managed servers that
run on that box and this is helpful for
starting and stopping managed servers
through the web console and here which
is it great i'm going to hit done here
and let's go check our roadmap we've
done this and now we have to upgrade the
opss schema I believe this is done just
by running the match centre system tool
but let's take a quick look up so we go
to middleware home
oracle comment and run the PSA
welcome
come ok so the
upgrade here is opss which is oracle
platform security services
I'm just going to click that i'm going
to say yes databases backed up yes it's
verified and enter in my connection
information localhost 1521 or CL says as
DBA password had connect and it detected
my schemas now I just have to enter the
password for that schema
that's it pretty easy moving on we have
to configure the database security store
so let's take a quick look at what this
step entails now in the documentation
they give you some overview on the tool
they tell you how to run your windows
linux some of the parameters blah blah
blah and four brand new install we're
going to do a create and here are some
sample commands that are more or less
ready to go so on unix we would do
something like this
wsd and then configure the configure
security store that PI dash D for the
domain directory and then SC and a
password and then create already have
this command typed out so i have it
ready to go here so as you can see wst
is here and this is a logic scripting
tool and we're passing in this python
script or jason j on script actually and
i'm passing in the domain home a
password and create and I should have
domain home variable set now my VNC
client won't allow me to copy paste into
it so i'm going to have to do it from my
own terminal here and I just want to
verify domain home CD domain home anyway
are so i can pretty much just take this
command copy and paste
ok this friend successfully so
the next step in the roadmap talks about
starting the servers and going to have
its installation but there is one thing
that we got to do with that it's only
mentioned in the release notes so let me
go back to my release notes here and
here in section 2.3 2.4 we have this GPS
configuration that we need to do so they
want us to edit the cheapest config file
and find this element and replace it
with this piece right here so gps
configures inside the middle main home
configure metalwork pic so let's go to
that directory now i am already in my
domain home you can always recognize the
main home because you'll have a server's
directory you'll have started logic and
it'll be inside user projects domains
and in your domain name so in here we
have complete folder and inside here we
have a fusion middleware config MW
config ok and here we have a gps config
file we go here so let's edit that okay
so we're looking for service instance PP
. service so let's do a quick search for
PDP . service when it /or search PDP .
service
ok so that doesn't really look like our
stuff like what we're looking for and
hit and for next
there we go that looks better
ok and they want us to delete two
entries and add one entry and the Attic
the Edit final xml must look like the
following so I'm just going to grab this
whole piece copy it
I'm gonna paste it into here temporarily
just to make sure that it's okay maybe
cleaning up a little bit okay i'm going
to grab this whole block and go over
here and i'm going to hit shift
Oh uppercase O to insert a line above an
escape going down to this line its 02
insert a line below escape again this
will just give me a little visual
separation of the block that i'm editing
and then for each one of these lines i'm
going to head d double D so DeeDee will
delete the line
DD DD DD DD
and now we just go to one of these lines
we had insert and just paste ok and
that's fine
now we do shift Golan right quit enter
and that's it so that take
this requirement and now we can go ahead
and move on so they want us to start to
servers and configure all I am ok so for
this we need to start the admin server
and the solar server those are the two
required managed service then you can be
running for the OEM configuration to
happen
let's start the admin server first thing
we want to do is go to our domain home
and in here you'll see a file called our
script called start with logic
now if you just run the script by itself
start weblogic it's going to run in your
terminal so now weblogic is running in
here we can see all its output but your
terminal is pretty much tied up it will
not return you a prompt until weblogic
shuts down so we don't really want that
i'm going to kill it and i'm going to
start it in the background with no hop
and now no hot basically runs that
command in the background and sends any
output deck command would generate and
saves it to a file called no help that
out so i'm going to know hop start what
logic and then also ampersand for it to
go to the background so now everything
that out all these all these output is
going to this no no helped out so i'm
going to tell that file tell the chef
you hopped out and we can watch it
startup and now if we just do ctrl c
where basic we're really just killing no
hop
I'm sorry we're killing the tail program
no help will continue to run in the
background and we're not affecting the
startup of admin server
so r
now running i can get out of this file
and we can start the server now before I
do that I want to log into the admin
console and just take a look there and
get demoed idea that grew 7001 / console
login with our weblogic user
and in here we're going to go to
environment servers you can also get it
from here and there's a couple of ways
you can start these servers might want
to try from control so a server but it's
not going to work because in order for
this to work the admin console will try
to contact the node manager associated
with this registered machine and tell
node manager that hey please start the
so server and the alternative is to
start the server from the command line
but then we'd have to do another no hub
and that's usually not a preferred
method i usually like to set up your
manager so i can start and stop
everything from the admin console that's
pretty easy to do we just have to start
node manager and set up a configuration
for it real quick so let's uh let's do
that so node manager resides in the WL
server underscore 10.3 and here we can
go to server bin and we should see the
start no manager command before we can
edit its properties files we have to
just start at one time for it to
generate those files so I'm just going
to start your manager let it start up
okay as soon as we see the 556 port we
know it's running so I'm going to
control C and kill it and let's go
configure it configuration property is
under common node manager and it's this
node manager that properties file so i'm
going to edit that and there's two
things that we need to change here
there's two parameters start script
enabled and stop script enabled and we
want to set both of those two true
that's it
and now we want to start no manager up
again and this time we want to start
with no hop as well so our console is a
car terminal screen up
and we can just verify real quick that's
okay no hopped out and we can see it's
listening on port 55 56
now we can go into the admin console
here and try that operation again so
under control so a server start and
perfect that seemed to work can see that
it's starting
we can hit this guy so it'll refresh
status but an alternate alternative
method is to just watch its log until it
says running so let's try to do that the
log files are located in the domain home
under servers and then the server name
and the logs
let's go to the domain home and then
like I said there's a server's directory
in here and we should see a list of
every admin server I'm sorry every
managed server that's been started
so notice that here we have an oem
server and no I'm server but they're not
listed here they won't get created until
they start for the first time if we go
into the source / one you see the logs
directory and in here we see the zero so
everyone that out which retail this file
we can see all everything that it's
doing as it comes up i'm just going to
let this come up
ok so now so our servers in running mode
you can see the status also updated here
and this is all you need to have running
in order to configure I am so let's
start the RM configuration and by the
way just for reference were on this step
right here so the only in configuration
is under the Oracle home for all I am
which is oracle what's medium one and
been configured SH now i just realized
that this isn't going to work for me
the configuration utility requires
windows system an x window system so
this is going to fail i need to do it
from within my BNC connection so again
let's go to ATM been intrigued Sh
ok the only configuration is more or
less straightforward there's a couple
questions that we have to answer but
overall the process is pretty pretty
easy
we want to configure the IM server and
we're also going to configure a design
console so select that in this step we
have to provide with the database
details so follow this information down
here for how to format the connection
string so its host colon port colon
service name to host into anyone or CL
the schema username is the ones that we
created through the RCO so this is going
to have all i am and the MDS camera is
also dev underscore MDS
now once the weblogic connection so i'm
going to say localhost 7001 usernames
weblogic guide him and here we can
specify what possibly want for the
exhale sis ATM account which is the
master master system admin user know em
and this values can be the same
if you're using load balancer this is
where you would put in your load
balanced URL we're going to disable all
apps think you can always enable that
later we're not doing that today and
again it keeps asking us for more of
what seems to be the same information
this screen is what configures design
console so demoed idea that Guerrero
18,000 and configure once the its
successful all we need to do is restart
everything and we're done so let's go to
our web logic admin console going to
select everything shut down
let's go to our domain home and prepare
to start everything back up here we can
see we've got a console message that our
original Star weblogic script has
finished so we know that
weblogic is down and we can start again
no hop start weblogic & % and i'm just
going to pause the recording and let it
run
admin server is back up so let's log
into the console and start the other
servers now I'm not going to start so up
because we're not going to really need
it right now we're not going to be doing
anything with approvals or workflows so
it won't impact om just starting up and
I'll slogan into the console just to see
that it's up and running so we can skip
that just for a quick mistake i'm only
going to start
oh I'm server and OEM server
so while these guys are starting i'm
going to just try to login to the oam
console now the OEM console runs off of
Port 7001 which as you can see in our
list of servers 7001 is associated with
the admin server so this is not really
an indication that the OEM server is up
just because we can log into the OEM
console does not mean that our OEM
servers are running
instead of one way to determine that the
oil server is actually up is to go to
the OEM server port which again looking
up the list of servers here
om is running on 14 100 so if you go to
that port and go to om server / logout
this will show a logout screen once the
server is up and running so this is what
i usually test to make sure that no a.m.
service responsive and is ok once the
server's up and running we can test that
and that page should work ok so we have
a why I'm running on an oem running
let's check out am real quick by hitting
this logout URL again and there we go
because this is running right off of 14
100 we know that it's hitting a page on
that server so even though it's a log
out page it still shows us that the
server is up and running and let's also
just quickly verify that all I am is up
so that's one 14,000 / identity here we
go
exhales to see them again lab 123
and we might see a double login screen
at this point
yeah so what happened here is because we
installed both women i am at the same
time
om installs and agent a weblogic agent
to a web gate and it protects oh I am as
well so here we can just type in
weblogic real quick and now we're back
inside i am i'll show you how to disable
that in a minute but out clearly we can
see that I'm is working responding to
the challenge questions and here we are
we can see the OEM home screen now to
get rid of that up double login issue if
you go into the weblogic admin console
you can go to security realms I lost my
session there so go into security realms
my realm go to providers and it's this
guy here i am sweet agent you can delete
him and that will get rid of that double
web key most of the times i don't use
that in most cases if people want to
protect the / identity or / own console
most places most companies will use a
reverse proxy and they'll protect the
OHS server that's serving that reverse
proxy instead of using the IM sweet
agent so in order to see this affect you
would have to bounce everything and try
it again but for now we know that our
installation is complete we have all I
am working we have OEM working and that
completes this video thanks for watching