Evaluated Configuration Guide for Oracle Identity Manager ...€¦ · 14/12/2011 · Evaluation of Oracle Identity Manager OIM (9.1.0.2) Evaluated Configuration/Issue 1.0 14 December

Evaluation of Oracle Identity Manager

Evaluated Configuration Guide for Oracle Identity

Manager 10g (9.1.0.2)

Issue : 1.0

Date : 14 December 2011

Status : Definitive

Distribution : OIM Evaluation Team

Prepared by : Hugh Griffin, Mike McCormack

.......................................

Reviewed by : Hugh Griffin

.......................................

Authorised by : Petra Manche

.......................................

Evaluation of Oracle Identity Manager OIM (9.1.0.2) Evaluated Configuration/Issue 1.0

14 December 2011

Page 2 of 113

========================================================

Evaluated Configuration Guide for Oracle Identity Manager 10g (9.1.0.2)

December 2012

Author: Hugh Griffin

Contributor: Mike McCormack

Copyright © 2011, Oracle Corporation. All rights reserved. This documentation contains

proprietary information of Oracle Corporation; it is protected by copyright law. Reverse

engineering of the software is prohibited. If this documentation is delivered to a U.S.

Government Agency of the Department of Defense, then it is delivered with Restricted Rights

and the following legend is applicable:

RESTRICTED RIGHTS LEGEND

Use, duplication or disclosure by the Government is subject to restrictions as set forth in

subparagraph (c)(1)(ii) of DFARS 252.227-7013, Rights in Technical Data and Computer

Software (October 1988).

Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The information in this document is subject to change without notice. If you find any problems

in the documentation, please report them to us in writing.

Oracle Corporation does not warrant that this document is error free.

Oracle is a registered trademark and Oracle Business Intelligence 10g are trademarks or

registered trademarks of Oracle Corporation. Other names may be trademarks of their

respective owners.

========================================================

Document History

Version Date Notes

0.1 March 2011 Initial formal release

0.2 June 2011 Release after re-install

0.3 November 2011 Post-evaluation updates

1.0 December 2011 Minor formatting updates

Evaluation of Oracle Identity Manager OIM (9.1.0.2) Evaluated Configuration/Issue 1.0 14 December 2011

Page 3 of 113

Table Of Contents

1 Introduction ........................................................................................................ 6 1.1 Purpose ........................................................................................................................... 6 1.2 Intended Audience .......................................................................................................... 6 1.3 Evaluated Configuration Guide Overview ....................................................................... 6 1.4 Document Structure ........................................................................................................ 7 1.5 Format ............................................................................................................................. 8

2 Preparation ......................................................................................................... 9 2.1 Machine Configuration .................................................................................................... 9 2.2 Physical Environmental Assumptions ...........................................................................11 2.3 Electronic Delivery of the TOE ......................................................................................11 2.4 Physical Delivery of the TOE ........................................................................................12

3 Installation ........................................................................................................ 14 3.1 Oracle Identity Management Installation Order ............................................................14 3.2 Start up and Shutdown procedure ................................................................................15

Annex A TOE Components ............................................................................................. 16 A.1 Oracle Identity Management Server .............................................................................16 A.2 Supporting components for TOE testing ......................................................................16

Annex B Server Start up and Shutdown Procedures .................................................... 17 B.1 Start order .....................................................................................................................17 B.2 OIM Server ....................................................................................................................17 B.3 Database Server ...........................................................................................................18 B.4 Internet Directory Server ...............................................................................................19

Annex C Install Red Hat Linux 4 Update 5 x86_64 for OIM server ............................... 20 C.1 Install the Operating System .........................................................................................20 C.2 Patch the Operating System .........................................................................................20 C.3 Configure the Operating System ..................................................................................20 C.4 Install Java ....................................................................................................................22

Annex D OIM Server Installation .................................................................................... 23 D.1 Install the Oracle Application Server.............................................................................23 D.2 Upgrade the Oracle Application Server ........................................................................25 D.3 Create OC4J Instance for OIM .....................................................................................26 D.4 Apply Oracle Application Server CPU Patch ................................................................27 D.5 Configure RMI Settings .................................................................................................28 D.6 Install Oracle Database for OIM ...................................................................................28 D.7 Install Oracle Database Patchset .................................................................................30 D.8 Create Listener for OIM Database ................................................................................31 D.9 Create Database Instance for OIM Database ..............................................................31 D.10 Prepare Database Instance for OIM Installation ...........................................................33 D.11 Install Oracle Identity Manager .....................................................................................34 D.12 Upgrade OIM from 9.1.0.1 to 9.1.0.2 ............................................................................36 D.13 Post OIM Installation Configuration ..............................................................................40

Annex E Install Identity Management & Metadata Repository on OID Server ............. 43 E.1 Install the Operating System .........................................................................................43 E.2 Patch the Operating System .........................................................................................43 E.3 Configure the Operating System ..................................................................................43 E.4 Install the Identity Management & Metadata Repository ..............................................45


14 December 2011

Page 4 of 113

E.5 Configure the OID Infrastructure ...................................................................................47

Annex F Oracle Database Server ................................................................................... 52 F.1 Install the Operating System .........................................................................................52 F.2 Patch the Operating System .........................................................................................52 F.3 Configure the Operating System ..................................................................................52 F.4 Install the Oracle Database Server ...............................................................................54 F.5 Create Listener for odb Database .................................................................................56 F.6 Create a Database Instance .........................................................................................57 F.7 Secure Database ..........................................................................................................59

Annex G Recommendations for OIM Secure Audit Administration ............................. 61

Annex H Perform Hardening of the TOE and Environment .......................................... 67 H.1 Administration Client Configuration ..............................................................................67 H.2 User Client Configuration ..............................................................................................68 H.3 Configure SSL for User and Admin Console ................................................................68 H.4 Install the Design Console with SSL enabled ...............................................................72 H.5 Enable the Firewall .......................................................................................................76 H.6 Configure OIM Security settings ...................................................................................77 H.7 Configure OIM Password policy ...................................................................................78 H.8 Configure Attestation Scheduled task...........................................................................81

Annex I Oracle Identity Management Connectors ....................................................... 83 I.1 Install the Database Connector ....................................................................................83 I.2 Install the Oracle Internet Directory Connector ............................................................87

Annex J Configure Database and Internet Directory Connectors ............................... 91 J.1 Database Connector Configuration ..............................................................................91 J.2 Configure Database Provisioning Test data .................................................................91 J.3 Oracle Internet Directory Connector Configuration ....................................................102

Annex K Guidance for Secure Administration ............................................................ 108 K.1 Web Browsing and OIM access ..................................................................................108 K.2 Creating or updating an administrative group within OIM...........................................108 K.3 Updating menu items within OIM ................................................................................108 K.4 Ensuring secure Approval process for OIM Access Policies .....................................108 K.5 Enabling secure Self-Registration for OIM .................................................................109 K.6 Configuration for IT Resources ...................................................................................111 K.7 Configuration for User Provisioning Requests ............................................................111 K.8 Directly Provisioning users .........................................................................................112 K.9 Granting the admin privilege to directly provision users .............................................112

Annex L References ...................................................................................................... 113


Page 5 of 113

Abbreviations

CC Common Criteria

CEM Common Evaluation Methodology

CI Configuration Item

EAL Evaluation Assurance Level

ECG Evaluated Configuration Guide

ETR Evaluation Technical Report

ISO International Standards Organisation

IT Information Technology

OR Observation Report

OSP Organisational Security Policy

PP Protection Profile

SAR Security Assurance Requirement

SFP Security Function Policy

SFR Security Functional Requirement

ST Security Target

TOE Target of Evaluation

TSF TOE Security Functionality

TSFI TSF Interface

URL Universal Resource Locator


14 December 2011

Page 6 of 113

1 Introduction

1.1 Purpose

This document is the Evaluated Configuration Guide (ECG) for Oracle Identity

Manager 10g (9.1.0.2).

Title: Evaluated Configuration Guide for Oracle Identity Manager 10g

(9.1.0.2)

Target of Evaluation (TOE): Oracle Identity Manager 10g (9.1.0.2)

Release: 9.1.0.2

Connectors: Oracle Database User Management Connector – 9.0.4.5;

Oracle Internet Directory Connector – 9.0.4.5.

The connectors are installed as part of Oracle Identity Manager

10g (9.1.0.2) and as such are part of the TOE.

Operating System Platform: Red Hat Enterprise Linux AS Version 4

Update 5

Database Platform: Oracle Database Management System 10g (10.2.0.2.0)

Application Server Platform: OracleAS 10gR2 (10.1.3.3.0)

Keywords: Oracle Identity Manager, EAL4.

1.2 Intended Audience

The intended audience for this document includes evaluators of the TOE,

system integrators who will be integrating the TOE into IT systems, and

Accreditors of the systems into which the TOE has been integrated.

1.3 Evaluated Configuration Guide Overview

This document explains the manner in which the TOE must be configured

along with the host operating system so as to provide the security functionality

and assurance as required under the Common Criteria for Information

Technology Security Evaluation [CC].

The TOE is hosted on Red Hat Enterprise Linux AS Version 4 Update 5

operating system platform and uses Oracle Application Server 10g Release 2

(10.1.3.3.0) as a container platform.


Page 7 of 113

The assumptions and procedures stated in the document are intended to remove

potential vulnerabilities or attack paths from the TOE in its environment. They

do not have any impact on the correct implementation of the TOE’s SFs.

The Evaluation Assurance Level for the TOE is EAL4. The Security Target

used for the evaluation of the TOE is [ST], which also provides an overview of

the TOE.

1.4 Document Structure

This ECG is divided into 5 sections and 12 Annexes, as follows:

Section 1 (this section) provides an introduction to the ECG.

Section 2 provides the preparatory actions to be undertaken before

installing the software for the evaluated configuration.

Section 3 provides the installation of the software for the Oracle Identity

Manager in the evaluated configuration.

Section 4 provides the post-installation actions to start and stop the

evaluated configuration.

Section 5 provides the supporting procedures to ensure that the TOE is

operated in a way that upholds the security objectives defined in [ST].

Annex A provides the list of components in servers required to install

and run the TOE.

Annex B provides the start up and shutdown procedures for the OIM


Annex C provides steps needed to create an installation of Red Hat

Enterprise Linux AS Version 4 Update 5 on an OIM server machine.

Annex D provides the steps needed to install Oracle Application Server

and Oracle Identity Management for use on the OIM server machine in

the evaluated configuration.

Annex E provides the steps needed to install Oracle Internet Directory for

use on the OID server machine in the evaluated configuration.

Annex F provides the steps needed to install an Oracle Database for use

on the Database server machine in the evaluated configuration.

Annex G provides recommendations for secure administration of audit in

OIM in the evaluated configuration.


14 December 2011

Page 8 of 113

Annex H provides the steps needed to harden OIM and Red Hat

Enterprise Linux AS Version 4 Update 5 for all server machines in the


Annex I provides the steps needed to install and configure the DB and

OID Connectors for the OIM Server machine in the evaluated

configuration.

Annex J provides the steps needed to configure the Database and Internet

Directory Connectors for provisioning, reconciliation and attestation.

These are the examples used for evaluator testing.

Annex K provides additional guidance for secure administration of OIM.

This must be followed to maintain OIM in a secure state.

Annex L provides the list of documents that are referenced within this

guide, e.g. the Oracle Identity Management Security Target – [ST].

1.5 Format

Assertions for the physical, host, and Oracle configurations are given

identifiers to the left of each evaluation configuration requirement in bold Arial

font, e.g. [A-1] or a number to show the step, e.g. 1.

Mandatory evaluation configuration requirements use the words “must” and/or

“shall” in each assertion.

Strongly recommended evaluation configuration requirements use the words

“should” in each assertion.

Commands typed from the Linux Command line for formatted in Courier

New. For example, oracle> mkdir oracle

Instructions regarding the use of a GUI are formatted using Times New Roman

(i.e the default font for this document). The screen name will be identified

using Courier New.

References to sections of documents listed in Annex L are in the format

[document, section].


Page 9 of 113

2 Preparation

This part of the ECG provides the preparatory actions to be undertaken before

installing the software for the evaluated configuration of Oracle Identity

Management (OIM).

2.1 Machine Configuration

In the configuration used for the evaluation testing of Oracle Identity Manager

10g (9.1.0.2), the OIM Server was installed on a DELL Rack Mounted Server,

which also hosted 2 virtual machines. Of the 2 virtual machines, 1 is a database

server and the other a directory server. This enabled testing of the TOE

provisioning to a database and reconciliation with a directory.

It is recommended that a production configuration of Oracle Identity

Management (9.1.0.2) be used on physically separate servers.

The virtual machines allocated for the installation of the TOE during the

evaluation were:

Machines db and oid

Specification Hosted on:

Dell PowerEdge 1950 – A Dual-Core Intel

Xeon 5300 sequence processors (2.33GHz)

4GB RAM

Red Hat Linux 4 Update 5 x86_64

Products to be installed As per Annex A of this document.

Table 2.1: Virtual Configuration of machines supporting the TOE

The TOE was installed without virtualisation on the above platform and

designated oim.

In addition, two client machines are required as follows:

DC Client: this is a Windows XP administration client with IE7 installed on it

for installing the OID and database connectors on the OIM Server. Version

9.1.0.1865.28 of the OIM Design Console is also installed on this, and patched

from the OIM 9.1.0.2 patch as specified in [DCIG, 3.4].

User Client: this is a Windows XP client machine also with IE7.


14 December 2011

Page 10 of 113

The list below gives a high level overview of which key components are

installed where and their purpose.

Machine 1 – oim

Hostname: oim.oim-test.com

IP address: 172.20.16.139. subnet mask: 255.255.240.0

Operating System: Red Hat Enterprise Linux 4 Update 5

Installed Components:

Oracle Application Server 10g (10.1.3.3.0)

Oracle Database 10g (10.2.0.2.0)

Oracle Identity Manager 10g (9.1.0.2) – instance of TOE

Database User Management Connector (9.0.4.5) – part of TOE

Oracle Internet Directory Connector (9.0.4.5) – part of TOE

Machine 2 – db

Hostname: odb.sme1.com

IP address: 172.20.18.210 subnet mask: 255.255.240.0



Oracle Database 10g (10.2.0.1.0)

Machine 3 – oid

Hostname: oid.sme1.com

IP address: 172.20.18.211 subnet mask: 255.255.240.0



Oracle Internet Directory 10g (10.1.4.0.1)


Page 11 of 113

2.2 Physical Environmental Assumptions

This section describes physical requirements on the server machine so that the

security of the TOE can be maintained.

[IM.A-1] The processing resources of the TOE shall be located within controlled access

facilities which will prevent unauthorised physical access to the TOE by

unprivileged users. Only authorised administrators for the system hosting the

TOE shall have physical access to that system. Such administrators include the

Operating System Administrators, Access and Identity Master Administrators,

OID Directory Administrators and Database Administrators.

[IM.A-2] The media on which the TOE audit data resides shall not be physically

removable from the underlying operating system by unauthorised users.

[IM.A-3] Any on-line and/or off-line storage media on which security relevant data

resides shall be located within controlled access facilities which will prevent

unauthorised physical access.

2.3 Electronic Delivery of the TOE

To receive electronic delivery of OIM, complete the following steps:

1. If you do not always have a SHA-1 file hash tool, download an

appropriate SHA-1 tool to verify SHA-1 checksums. SHA-1 tools are

available for any platform.

2. Access the Oracle E-Delivery website at: https://edelivery.oracle.com

3. (Optional) Choose a language preference.

4. Check Continue.

5. Enter your user information and click the checkboxes to agree to the

license terms and export restrictions, then click Continue.

6. Select Oracle Oracle BEA in the Product Pack field, then select Linux

x86-64 or Linux x86 from OS platform from the drop-down list.

7. Select Oracle Application Server 10g Release 3 (10.1.3) Media Pack for

Linux x86 Part number B36233-39 from the results list, then click

Continue.

8. Select the following from the list

https://edelivery.oracle.com/


14 December 2011

Page 12 of 113

Oracle Identity Management Infrastructure and Oracle Identity

Federation (10.1.4.0.1) for Linux x86 (CD 1 of 2) part number

B30971-01

Oracle Identity Management Infrastructure and Oracle Identity

Federation (10.1.4.0.1) for Linux x86 (CD 2 of 2) part number

B30972-01

9. Click the View Digest button. A popup window displays with all

available checksum values (both MD5 and SHA-1). Note that you

should only use the SHA-1 checksum for verification. Take a note of

the SHA-1 checksum value provided for the desired download

(depending on your OS platform).

10. Make sure that the certificate associated with the web page that displays

the digest is signed by a trusted CA. If your browser does not display

any error message regarding the certificate, than it is signed by a trusted

CA already known to the browser (here: Verisign). You can check this

by moving the house pointer over the secure session system (lock) in

the browser.

11. In case of verification errors, the displayed digest cannot be trusted.

12. Close the View Digest popup window.

13. Click the Download button for the desired download (depending on

your OS platform) and save the selected .zip file to the desired disk

location.

14. Verify that the checksum for your download matches the checksum

shown on the Oracle download page.

To obtain the correct version of the Connectors, raise an SR on

https://support.oracle.com/ and ask for a URL for V17360-01 – Oracle®

Identity Manager Connectors, or request the Database and OID Connector

from this media.

2.4 Physical Delivery of the TOE

To request the media pack:

1. Go to www.oracle.com and select Shop Online.

2. Choose the appropriate store and select Application Server.

3. Select Identity Management Infrastructure and Oracle Identity

Management (9.1.0.2) and choose your licensing terms.

4. Select ‘Purchase Media Packs’.

https://support.oracle.com/


Page 13 of 113

5. Select Linux x86.

6. Select Oracle Identity Management Infrastructure and Oracle Identity

Management (9.1.0.2) for Linux x86 Media Pack for Linux x86 (32 bit).

When the media pack arrives the relevant CDs / DVDs are:

V17360-01 – Oracle® Identity Manager Connectors

B30972-01 – Oracle® Identity Management Infrastructure and Oracle Identity

Federation (10.1.4.0.1) for Linux x86.


14 December 2011

Page 14 of 113

3 Installation

This chapter describes the installation of the software for the evaluated

configuration.

Many of the instructions are performed on the command line. They will need to

be performed as the user denoted e.g. root>.

When switching users at the command line always use the argument ‘-', for

example su - orainfra to ensure the users’ environment such as

$ORACLE_HOME is set correctly.

Throughout this document example hostnames are used (for example,

odb.sme1.com). When updating these to reflect the end customer

infrastructure, care must be taken that they are changed consistently. It is

recommended that a log book is used during the installation to note these

down. The full list of passwords and passphrases against different usernames

should also be compiled during installation. When installation is complete, this

should be stored in a secure location for use in an emergency.

The port numbers referenced in this document are the defaults used during the

install process but as this can be affected by port availability during the

installation process, ensure to always check the ports being used. This can be

done by checking the ports configured at install time by looking at

$ORACLE_HOME/install/portlist.ini or checked by running

netstat -ltpn as root at any time

As SSL is used within the TOE some steps require signed certificates. Either an

internal Certification Authority (CA) can used or certificate signing requests

will need to be sent to a commercial CA for signing. The former was used

during the evaluation for convenience.

3.1 Oracle Identity Management Installation Order

In order to install an instance of an Oracle Identity Management (OIM) server

in the evaluated configuration the steps in the following Annexes should be

followed in the order given below:

Red Hat Enterprise Linux AS Version 4 Update 5 shall be installed as

described in Annex C and [ECGOEL4] for all OIM server machines to be set

up in the evaluated configuration.

Annex D describes the steps needed to install OIM Server.

Annex E describes the steps needed to install an OID Server for use as a trusted

source for OIM reconciliation.


Page 15 of 113

Annex F describes the steps needed to install an Oracle Database Server for

provisioning by OIM.

Annex G describes how to configure the OIM auditing functionality securely.

Annex H describes the steps needed to harden OIM, clients and the Red Hat

Enterprise Linux AS Version 4 Update 5 for security.

Annex I describes the steps needed to install the Database and Internet

Directory Connectors.

Annex J describes how to configure the OIM Database and Internet Directory

Connectors for provisioning, reconciliation and attestation. This was the

foundation set up for evaluator testing. As such, the instructions in this Annex

are a resource for configuring OIM and the connectors, however they are not

normative or required for secure configuration.

3.2 Start up and Shutdown procedure

This is provided in Annex B. This should not be attempted until all steps for at

least one Oracle Identity Management with Connectors, Oracle Database and

Oracle Internet Directory instance have been completed.


14 December 2011

Page 16 of 113

Annex A TOE Components

A.1 Oracle Identity Management Server

A.1.1 Oracle Application Server for Oracle Identity Manager

OracleAS 10gR2 10.1.3.1.0 is the base, on which is installed Patches 668525,

5389650 and 6454278 to take it to OracleAS 10gR2 10.1.3.3.0.

A.1.2 Oracle Database for Oracle Identity Manager

Oracle Database 10.2.0.1.0 is the base.

Upgrade of Oracle Database to 10.2.0.2.0 via Patch 4547817

A.1.3 Oracle Identity Manager

Oracle Identity Manager 9.1.0.1

Upgrade of Oracle Identity Manager to 9.1.0.2 via Patch 8484010

A.1.4 Oracle Connector Pack for Oracle Database

Oracle Identity Manager Connector Pack 9.0.4.5

A.1.5 Oracle Connector Pack for Oracle Internet Directory

Oracle Identity Manager Connector Pack 9.0.4.5

A.2 Supporting components for TOE testing

A.2.1 Oracle Database Server

Oracle Database 10.2.0.1.0

A.2.2 Oracle Internet Directory

Oracle Internet Directory 10.1.4.0.1


Page 17 of 113

Annex B Server Start up and Shutdown Procedures

This Annex describes the post-installation actions to start and stop the OIM

Server in the evaluated configuration.

B.1 Start order

The evaluators test configuration should be started in the following order:

OIM Server

DB Server

OID Server

B.2 OIM Server

B.2.1 Start Up

Run the following commands from root on the OIM server to be started:

# su - oracle

$ lsnrctl start

$ sqlplus / as sysdba

SQL> startup

SQL> quit

$ opmnctl startall

Start a web browser on a Windows client machine configured

as specified in Annex H.1 and access the following URL:

https://oim.oim-test.com:4446/xlWebApp/

Security note:

All privileged users should ensure that after performing their tasks, they log off and close down their browser before browsing to other sites. If access to other websites is required at the same time as access to OIM administration features, a different browser should be used (i.e. not Internet Explorer).

B.2.2 Shutdown

Run the following commands from root on the OIM server to be shutdown:

# su - oracle

$ opmnctl stopall



14 December 2011

Page 18 of 113


SQL> shutdown immediate

SQL> quit

$ lsnrctl stop

B.3 Database Server

B.3.1 Start Up

Run the following commands from root on the Database server to be started:

# su - oradb

$ lsnrctl start


SQL> startup

SQL> quit

B.3.2 Shutdown

Run the following commands from root on the Database server to be

shutdown:

# su - oradb



SQL> quit

$ lsnrctl stop


Page 19 of 113

B.4 Internet Directory Server

B.4.1 Start Up

Run the following commands from root on the Oracle Internet Directory

server to be started:

# su - orainfra

$ lsnrctl start


SQL> startup

SQL> quit

$ opmnctl startall

$ emctl start iasconsole

$ emctl start dbconsole

B.4.2 Shutdown

Run the following commands from root on the Oracle Internet Directory server

to be shutdown:

# su - orainfra

$ opmnctl stopall

$ emctl stop iasconsole

$ emctl stop dbconsole



SQL> quit

$ lsnrctl stop


14 December 2011

Page 20 of 113

Annex C Install Red Hat Linux 4 Update 5 x86_64 for OIM server

This annex describes the steps required to install the evaluated configuration of

Oracle Enterprise Linux 4 Update 5 x86_64 for the OIM server. [ECGOEL4]

may be read for general guidance when installing Oracle Enterprise Linux.

C.1 Install the Operating System

Perform a standard Red Hat Enterprise Linux Advanced Server 4 update 5

installation bearing in mind the following settings:

Use automatic partitioning

Configure the network configured as required, e.g. eth0

172.20.16.139/255.255.240.0

Set the firewall to disabled (Note: this will be enabled)

Set the SELinux setting to ‘Warn’

Customise software packages to be installed:

development->development tools

system->system tools; plus systat.

Graphical internet->unselect all except for firefox

For the user account, create a user called oracle.

C.2 Patch the Operating System

Apply the latest Operating System security patches available via the Red Hat

network.

C.3 Configure the Operating System

[WOS.1] Load up a Terminal and as root perform some system configuration:

Setup the host file if DNS is not being used by adding the following lines with

IP addresses and hostnames to match the infrastructures conventions, e.g.:

172.20.18.201 oim.sme1.com oim

172.20.18.203 odb.sme1.com odb

172.20.18.210 oid.sme1.com oid

[WOS.2] Create the required operating system groups as root:

# groupadd oracle

# groupadd dba


Page 21 of 113

[WOS.3] Add oracle to the oracle group:

root> usermod -g oracle –G dba oracle

[WOS.4] Create the directory /u01 to install the oracle software under and set the

ownership:

root> mkdir –p /u01/oracle

root> chown –R oracle:oracle /u01

root> chmod 770 /u01/oracle

[WOS.5] Setup kernel parameters, check parameters below and add following as

required to /etc/sysctl.conf:

# OIM ECG Changes

kernel.msgmnb=65535

kernel.msgmni=2878

kernel.msgmax=8192

kernel.shmall=2097152

kernel.shmmax=2147483648

kernel.shmmni=4096

kernel.sem=256 32000 100 142

fs.file-max=131072

net.ipv4.ip_local_port_range=1024 65000

net.core.rmem_default=262144

net.core.rmem_max=262144

net.core.wmem_default=262144

net.core.wmem_max=262144

[WOS.6] Load new kernel parameters:

root> sysctl –p

[WOS.7] Create the directories for the installation media:

oracle> mkdir –p /space/src/oracle/AppServer

oracle> cd /space/src/oracle

oracle> mkdir –p Database

oracle> mkdir –p OIM9100

oracle> mkdir –p Connectors

oracle> mkdir –p Patches

oracle> chown –R oracle:oracle /space/src/oracle/*

[WOS.8] Unzip the installation media obtained using either 2.3 or 2.4, and patches as

specified in Annex A above for the Oracle Application Server, Database, OIM,

Connectors and Patches into the respective directories created above.


14 December 2011

Page 22 of 113

C.4 Install Java

The actions [WOS.10] to [WOS.11] listed in this section are required to

install Java for the OIM server before the installation of OIM server machine(s)

can be carried out.

Java is required to configure aspects of OIM as a browser based Java applet is

used.

[WOS.10] Download the latest version of Java JRE for Linux from java.com, e.g. jre-

6u21-linux-i586-rpm.bin

[WOS.11] Start Installer:

root> cp <path-to-java-installation-media>/jre-6u21-linux-

i586-rpm.bin ~

root> cd ~

root> chmod +x jre-6u21-linux-i586-rpm.bin

root> ./jre-6u21-linux-i586-rpm.bin

root> cd /usr/lib/firefox-1.5.0.10/plugins/

root> ln -s /usr/java/jre1.6.0_21/plugin/i386/ns7/

libjavaplugin_oji.so

Note: The firefox directory name referenced above may vary slightly

depending on the version installed.


Page 23 of 113

Annex D OIM Server Installation

D.1 Install the Oracle Application Server

This step installs the Oracle Application Server Infrastructure (OracleAS)

including an instance of Oracle Database which will be used to store Oracle

Access Manager configuration data and also user details. Note: The

OracleAS installation also includes OHS and OC4J. Oracle Identity

Management in installed on OracleAS.

D.1.1 Installation Steps

[OAS.1] As oracle run the Application Server Installer: su - oracle

oracle> cd /space/src/oracle/AppServer

oracle> ./runInstaller

[OAS.2] On the Oracle Application Server SOA Suite 10.1.3.1.0

Installation screen:

Click->Advanced Install radio button

Select->Next

Select->Yes

[OAS.3] On the Specify Inventory Directory and Credentials

screen:

Change the path to /u01/oracle/inventory

Specify the Operating System group name as oracle

Select->Next

[OAS.4] A pop up screen appears containing instructions to run a script as a root user in

/u01/oracle/inventory. Using the open terminal type: oracle> su - root

# cd /u01/oracle/inventory

# ./orainstRoot.sh

# cd /u01/

# chown –R oracle:oracle OraInventory

When this has completed successfully, return to the pop up screen and

Select->Continue

[OAS.5] On the Select Installation Type screen:

Select->J2EE Server and Web Server

Select->Next


14 December 2011

Page 24 of 113

[OAS.6] On the Prerequisite Checks screen all checks should succeed. On

completion:

Select->Next

[OAS.7] On the Port Configuration Options screen accept the default of

Automatic port configuration and then

Select->Next

[OAS.8] On the Administration Settings screen enter the following values:

AS Instance Name->AS1

AS Administrator->oc4jadmin

AS Administrator Password->enter a secure password: should be at least 6

characters and not be a dictionary word, be alpha-numeric and have at least

one number, capital letter; optionally one special character from the

following: $, _, #

Check->box marked Configure this as an Administration

OC4J instance.

OC4J Instance Name->oc4j_home

Select->Next

[OAS.9] On the Cluster Topology Configuration screen

Select->Next

[OAS.10] On the Summary screen

Select->Install

[OAS.10] On the Installation screen

The product is installed. This will take some time. Progress is marked by a

status bar showing % complete.

[OAS.11] Part way through a pop up screen appears containing instructions to run a

configuration script as a root user in

/u01/oracle/product/10.1.3.1/OracleAS_1.

Using the open terminal type: # cd /u01/oracle/product/10.1.3.1/OracleAS_1

# ./root.sh


Select->OK

The installation completes.

[OAS.10] On the Configuration Assistants screen , each configuration step is

run with the status displayed. This may take some time to complete.

Select->Next when complete.

[OAS.11] On the End Of Installation screen:


Page 25 of 113

Note down the URL of the Oracle Application 10g Server welcome screen: e.g.

http://oim.oim-test.com:7777/

Select-> Exit

D.2 Upgrade the Oracle Application Server

This upgrades the Oracle Application Server to 10.1.3.3.0.


[UAS.1] As oracle run the OAS 10.1.3.3.0 Patch Installer: su - oracle

oracle> cd /space/src/oracle/Patches/p6148874/Disk1


[UAS.2] On the Welcome screen:

Select-> Next

[UAS.3] On the Specify file locations screen:

Source->/space/src/oracle/Patches/p61488874/Disk1/stage/products.xml

Destination name->oracleas1

Destination -> /u01/oracle/product/10.1.3.1/OracleAS_1

Select-> Next

[UAS.4] On the Administrator (oc4jadmin)Password screen:

Enter the oc4jadmin password as specified at [OAS.8]. Select-> Next

[UAS.5] On the Installation Summary screen

Select->Install

[UAS.6] On the Install screen

The patch is installed. This will take some time. Progress is marked by a status

bar showing % complete.

[UAS.7] Part way through a set up privileges pop up screen appears containing

instructions to run a configuration script as a root user in

/u01/oracle/product/10.1.3.1/OracleAS_1.

Using the open terminal type: # su - root

# cd /u01/oracle/product/10.1.3.1/OracleAS_1

# ./root.sh

# exit


Select->OK


14 December 2011

Page 26 of 113


[UAS.8] On the Configuration Assistants screen , each configuration step is

run with the status displayed. This may take some time to complete.

Select->Next when complete.

[UAS.9] On the End Of Installation screen:

Select-> Exit

D.3 Create OC4J Instance for OIM

This creates an OC4J instance in which OIM will be able to run.


[OC4J.1] From the Linux menu open the firefox web browser. Enter

http://host.domain.com:7777/em (e.g. http://oim.oim-test.com:7777/em).

Log on to the Enterprise Manager using oc4jadmin and the administrator

password as specified at [OAS.8].

[OC4J.2] Click on the Application Server name (AS1).

Click on the Create OC4J Instance button.

[OC4J.3] Enter the OC4J instance name (oc4j_oim). Select the Add to a new

group with name radio button.

Enter the group name – oim_group

Also, tick the Start this OC4J instance after creation box.

[OC4J.4] Click on Create button.

Completion is confirmed and you can logout.

[OC4J.5] Using the open terminal, run the following commands:

oracle> cd ~

oracle> nano ./.bash_profile

enter the following:

export ORACLE_HOME=/u01/oracle/product/10.1.3.1/OracleAS_1

export OAS_HOME=/u01/oracle/product/10.1.3.1/OracleAS_1

export JAVA_HOME=$OAS_HOME/jdk

export PATH=$JAVA_HOME/bin:$OAS_HOME/opmn/bin:$PATH

http://host.domain.com:7777/em

http://oim.oim-test.com:7777/em


Page 27 of 113

Ctrl O

Ctrl X

oracle> .bash_profile

D.4 Apply Oracle Application Server CPU Patch

This patches the Oracle Application Server to 10.1.3.3.0.


[PAS.1] First, update the opatch utility to the latest version. You can find this on the

Oracle support web site by searching for Patch 6880880 and downloading the

most recent versions for a Linux platform. At the time of writing OPatch 10.1

for 9i was used and OPatch 10.2.

Technical note 283367.1 provides the background understanding you need to

manage opatch. For information about how to download the most recent

version see note 224346.1.

When you have downloaded the most recent opatch, copy the .zip file to /space/src/oracle/Patches/

As oracle in the terminal window perform the following commands: oracle> opmnctl stopall

oracle> mv OPatch OPatch_original

oracle> unzip

/space/src/oracle/Patches/p6880880_101000_LINUX.zip –d $OAS_HOME

oracle> mv OPatch OPatch_10.1

oracle> unzip

/space/src/oracle/Patches/p6880880_102000_LINUX.zip –d $OAS_HOME

oracle> mv OPatch OPatch_10.2

Installation has been done when the unzipping has completed.

You can confirm the version of opatch installed using: oracle> $OAS_HOME/OPatch_10.x/opatch version

where x is 1 for the 10.1 directory and 2 for the 10.2

directory.

[PAS.2] Continue in the terminal window: Oracle> cd $OAS_HOME

oracle> cd ../6685235

oracle> $ORACLE_HOME/OPatch_10.1/opatch apply

oracle> cd ../5389650


oracle> cd ../6454278


During the above patch applications the questions raised by the installers

should be answered.


14 December 2011

Page 28 of 113

D.5 Configure RMI Settings

This configures the RMI .xml file and restarts the application server.


[CRS.1] As oracle in the terminal window run the following: oracle> nano $OAS_HOME/j2ee/oc4j_oim/config/rmi.xml

locate “<rmi-server” tag

add the following line:

max-server-sockets=”200”

Ctrl-O

Ctrl-X to save and close

oracle> nano $OAS_HOME/opmn/conf/opmn.xml

locate “oc4j_oim” text

scroll down 14 lines or so to locate the line containing:

“<port id=”rmi” range=”12401-12500”/>

replace this line with:

<port id=”rmi” range=”12408”/>

Ctrl-O

Ctrl-X to save and close

oracle> opmnctl startall

D.6 Install Oracle Database for OIM

This creates a Database instance that OIM will use as its data repository.


[DB.1] As oracle run the database 10.2.0.1.0 Installer: su - oracle

oracle> cd /space/src/oracle/Database/database


[DB.2] On the Select Installation Method screen:

The entries on this screen should be filled out as follows:

Oracle Home Installation->/u01/oracle/product/10.1.3.1/OracleAS_1

Installation Type-> Enterprise Edition 1.3GB

UNIX DBA Group-> oracle


Page 29 of 113

Create Starter Database (additional 72M)->checked

Global Database Name: oracle

Database Password: enter a secure password: should be at least 6 characters

and not be a dictionary word, be alpha-numeric and have at least one number,

capital letter; optionally one special character from the following: $, _, #

Confirm Password: as previous

Select “Advanced Installation”

Select->Next

[DB.3] On the Select Installation Type screen:

Select->Enterprise Edition (1.26GB)

Select->Next

[DB.4] On the Specify Home Details screen enter:

Name->oimdb

Path->/u01/oracle/product/10.1.3.1/Database

Select->Next

[DB.5] On the Product Specific Prerequisite Checks screen all

checks should succeed. On completion:

Select->Next

[DB.6] On the Select Configuration Option screen:

Select->Install database Software only

Select->Next

[DB.7] On the Privilege Operating System Group screen, ensure that the

entries are as follows:

Database Administrator Group->oracle

Database Operator Group->oracle

Select->Next

[DB.8] On the Summary screen

Select->Install

[DB.9] On the Installation screen



[DB.10] Part way through a pop up screen appears containing instructions to run a


/u01/oracle/product/10.1.3.1/Database/.

Using the open terminal type: # cd /u01/oracle/product/10.1.3.1/Database

# ./root.sh


Select->OK


14 December 2011

Page 30 of 113


[DB.11] On the End Of Installation screen:

Select->Exit

D.7 Install Oracle Database Patchset

This upgrades the Database instance to 10.2.0.2.0.


[UDB.1] As oracle run the database 10.2.0.2.0 Installer: su - oracle

oracle> cd /space/src/oracle/Patches/p4547817


[UDB.2] On the Welcome screen:

Select-> Next

[UDB.3] On the Specify Home Details screen enter:

Name->oimdb

Path->/u01/oracle/product/10.1.3.1/Database

Select->Next

[UDB.4] On the Summary screen

Select->Install

[UDB.5] On the Installation screen



[UDB.6] Part way through a pop up screen appears containing instructions to run a


/u01/oracle/product/10.1.3.1/Database/.

Using the open terminal type: # cd /u01/oracle/product/10.1.3.1/Database

# ./root.sh


Select->OK


[UDB.7] On the End Of Installation screen:

Select->Exit


Page 31 of 113

D.8 Create Listener for OIM Database

This creates the Listener for the OIM Database.


[LIS.1] As oracle run netca in an open terminal window: su - oracle

oracle> cd /u01/oracle/product/10.1.3.1/Database/bin

oracle> ./netca

[LIS.2] On the Welcome screen:

Select-> Listener Configuration

Select->Next

[LIS.3] On the Listener Configuration screen:

Select-> Add

Select->Next

[LIS.4] On the Listener Name screen:

Listener Name-> OIM_LISTENER

Select->Next

[LIS.5] On the Select Protocols screen:

Select->Next to select the default TCP option

[LIS.6] On the TCP/IP Protocol screen: Select->Next to select the default 1521 port

[LIS.7] On the More Listeners screen:

Select->No

Select->Next

Listener Configuration complete is displayed.

[LIS.8] On the Completion Message screen:

Select->Next

[LIS.9] On the Welcome screen that is re-displayed:

Select->Finish

D.9 Create Database Instance for OIM Database

This creates the Database instance for the OIM Database.


14 December 2011

Page 32 of 113


[DBC.1] As oracle run dbca in an open terminal window: oracle> ./dbca

[DBC.2] On the Welcome screen:

Select->Next

[DBC.3] On the Step 1 screen: Select-> Create a Database

Select->Next

[DBC.4] On the Step 2 screen:

Select-> Custom Database

Select->Next


Enter Global Database Name-> [e.g. use domain in format oim.oim-test.com]

Enter SID->oim

Select->Next


Accept defaults: configure the Database with Enterprise Manager & Use

Database Control for Database Management; so just:

Select->Next


Enter the password, same ALL accounts->

Use a secure password: should be at least 6 characters and not be a dictionary

word, be alpha-numeric and have at least one number, capital letter;

optionally one special character from the following: $, _, #

Select->Next

[DBC.8] On the Step 6 screen: Accept default: File System; so just

Select->Next


Accept default: Use Database File Locations ...; so just

Select->Next


Accept default recovery option; so just

Select->Next



Page 33 of 113

Accept default database content options; so just

Select->Next


Select->All Initialization Parameters button

Select->Show Advanced Parameters button

Scroll down to QUERY_REWRITE_INTEGRITY parameter and change the

value->trusted

Select->Close

Select->Next

[DBC.13] On the Step 11 Database Storage screen:

Select->Next

[DBC.14] On the Step 12 Creation options screen: Accept defaults

Select->Finish

The confirmation screen is displayed showing the database details to be

created.

Select->OK to complete

[DBC.15] On the Database Configuration Assistant screen:

Progress is displayed as the database is created.

This process may take some time.

[DBC.16] On the Database Configuration Assistant screen a Database

Creation completion message is displayed.

Select->Exit to finish

[DBC.17] In the terminal window as oracle, run the following command: oracle> lsnrctl start

D.10 Prepare Database Instance for OIM Installation

This prepares the Database instance for the OIM installation.


[PDB.1] As oracle in the open terminal window: oracle> nano ~/.bash_profile

ensure the following is set:

export ORACLE_HOME=/u01/oracle/product/10.1.3.1/Database


14 December 2011

Page 34 of 113

export ODB_HOME=/u01/oracle/product/10.1.3.1/Database

export OAS_HOME=/u01/oracle/product/10.1.3.1/OracleAS_1

export JAVA_HOME=$OAS_HOME/jdk

export

PATH=$PATH:$OAS_HOME/jdk/bin:$OAS_HOME/opmn/bin;$ODB_HOME/bin:$JAV

A_HOME:$ODB_HOME/bin

Ctrl-O; Ctrl-X

oracle> su – oracle {ensure that envt variables are set}

oracle> cd

/space/src/oracle/OIM9101/installServer/Xellerate/db/oracle

oracle> cp prepare_xl_db.sh $ODB_HOME

oracle> cp xell_db_prepare.sh $ODB_HOME

oracle> cd $ODB_HOME

oracle> chmod 755 prepare_xl_db.sh

oracle> chmod 755 xell_db_prepare.sql

oracle> dos2unix prepare_xl_db.sh

oracle> groups

response should be:

oracle osdba dba

if dba is not present then

oracle> su – root

# usermod –a –G dba oracle

# exit

oracle> opmnctl stopall

oracle> lsnrctl stop

oracle> lsnrctl start


oracle> sqlplus / as sysdba

SQL> startup

SQL> exit

oracle> ./prepare_xl_db.sh

Respond as follows:

ORACLE_HOME:-> /u01/oracle/product/10.1.3.1/Database

ORACLE SID: oim

OIM user name: oim_manager

OIM user password: enter a secure password: should be at

least 6 characters and not be a dictionary word, be alpha-numeric

and have at least one number, capital letter; optionally one

special character from the following: $, _, #

Tablespace name: oim_data

The directory in which to store the data file:

/u01/oracle/product/10.1.3.1/Database/oradata/oim

The name of the data file: oim_data_01

The name of the temporary tablespace: temp

Prepare_xl_db.sh script then completes

D.11 Install Oracle Identity Manager

This installs the Oracle Identity Manager.


Page 35 of 113


[OIM.1] As oracle in the open terminal window: oracle> su – oracle {to ensure that envt variables are set}

oracle> export PATH=$JAVA_HOME/bin:$PATH

oracle> cd /space/src/oracle/OIM9101/installServer/

oracle> ./install_server.sh

[OIM.2] The installer runs in text mode. For language, press <Enter> to chose the

default of “English”.

[OIM.3] The welcome screen is displayed, accept default [1] by pressing <Enter>.

[OIM.4] The Admin User information is displayed. Enter the password for the

“xelsysadm” account. Use a secure password: should be at least 6 characters


capital letter; optionally one special character from the following: $, _, #.

Enter confirmation of secure password entered when prompted “Confirm User

Password”.

Accept default [1] by pressing <Enter>.

Accept default [1] by pressing <Enter> again.

[OIM.5] Select the OIM application to install: “2” for Oracle Identity Manager.

Accept default [0] to finish, by pressing <Enter>.

[OIM.6] When prompted enter the following responses for database connectivity

information:

Destination Directory->/u01/oracle/product/9.1.0/OIMServer

Accept default [1] to continue to next setting by pressing <Enter>.

Enter “y” to allow creation of the OIM Server destination directory specified

above.

Accept default [0] to select Oracle Database and continue to next screen by

pressing <Enter>.

Accept default [1] to continue to next setting by pressing <Enter>.

Accept default [Database Hostname-> localhost] and continue to next screen

by pressing <Enter>

Accept default [Port Number-> 1521] and continue to next screen by pressing

<Enter>

Enter “oim” for Database SID and press <Enter>

Enter “oim_manager” for User Name and press <Enter>


14 December 2011

Page 36 of 113

Accept default of [1] to proceed to the next screen.

[OIM.7] Enter the following configuration options:

Select Authentication Mode-> Accept default [0] which chooses Oracle

Identity Manager Default Authentication by pressing <Enter>


Select Application Server-> Select “2” to choose Oracle Application Server

and press <Enter>, then accept [0] by pressing <Enter> to finish.


The Application Server is clustered-> Accept default of “No” by pressing

<Enter>


Location for Application Server-> enter

/u01/oracle/product/10.1.3.1/OracleAS_1 and press <Enter>

Location for the JDK-> enter /u01/oracle/product/10.1.3.1/OracleAS_1/jdk and

press <Enter>


oc4jadmin username-> Accept default [oc4jadmin] by pressing <Enter>

password-> enter password as entered at [OAS.8] and press <Enter>

RMI Port Number-> change to “12408” and press <Enter>

OC4J Instance name-> enter “oc4j_oim” and press <Enter>

Should the installer fail by taking you back to “oc4jadmin username” re-create

the oc4j instance and try the installer from there. Ensure that the RMI settings

for such a new oc4j instance are configured as per D.5 above.

[OIM.8] Accept default of [1] to proceed to installation of OIM, which completes with

no errors. This step may take some time.

D.12 Upgrade OIM from 9.1.0.1 to 9.1.0.2

This upgrades the OIM Server to 9.1.0.2.


[UPG.1] As oracle in the terminal window run the following commands: oracle> su - oracle

oracle> cd

/space/src/oracle/Patches/p8484010/db/oracle/Scripts

oracle> ./oim_db_upg_9101_to_9102.sh


Page 37 of 113

ensure that the ORACLE_HOME is for the database:

/u01/oracle/product/10.1.3.1/Database

Use “y” to accept “oim” as database SID

Use: /space/src/oracle/Patches/p8484010 as the Db Schema

update script directory

Use: oim_manager for Db Schema user name

Enter password for oim_manager

Upgrade runs without errors:

Starting Oracle Identity Maanger Db Schema Upgrade....

Oracle Identity Manager Db Schema Upgrade Successful....

Starting Oracle Identity Manager Db Stored Procedure

Upgrade....

Oracle Identity Manager Db Stored Procedure Upgrade

Successful....

Please see logs at:

/space/src/oracle/Patches/p8484010/db/oracle/log/oim_db_upg_9101_t

o_9102

oracle> export ORACLE_HOME=$ODB_HOME

oracle> sqlplus

username: oim_manager

password: <oim_manager password> (see [PDB.1]) screen displays “connected”

SQL>/

@/space/src/oracle/Patches/p8484010/db/oracle/Scripts/Oracle_Enabl

e_XACM.sql

script runs without errors

SQL>exit

oracle>

[UPG.8] Edit the LoadXML.sh file to set its variables as follows from the terminal

window: oracle> cd /space/src/oracle/Patches/p8484010/db/Metadata

oracle> nano LoadXML.sh

modify the following entries as follows:

# Set JAVA_HOME to point to java home

export JAVA_HOME=/u01/oracle/product/10.1.3.1/Database/jdk

# If you are running Oracle, uncomment the following lines and

# set the path of the directory containing Oracle JDBC Drivers.

export

ORACLE_DRIVER_DIR=/u01/oracle/product/10.1.3.1/Database/jdbc/l

ib

#Set the Oracle JDBC driver being used for the OIM version

export JDBC_DRIVER_VERSION=ojdbc14.jar

#Set the OIM home location for the installation

export XLHOME=/u01/oracle/product/9.1.0/OIMServer/xellerate

Ctrl-O

Ctrl-X

[UPG.9] Run the LoadXML.sh file and respond to the prompts as required.


14 December 2011

Page 38 of 113

Oracle> ./LoadXML.sh jdbc:oracle:thin:@//oim.oim-test.com

oim_manager password (see [PDB.1])

[UPG.11] Update the FormMetaData.xml file in $OIM_HOME\xellerate\config as follows:

oracle> cd $OIM_HOME/xellerate/config

oracle> nano FormMetaData.xml

In the Form name="5" element of the FormMetaData.xml file, add the lines highlighted bold

font in the following code block: <Form name="5">



<AttributeReference editable="true" optional="false">-

502</AttributeReference>



<AttributeReference editable="true" optional="false">-




<AttributeReference editable="true" optional="true">-














































</Form>




Page 39 of 113

 OIM_HOME/xellerate/XLIntegrations/DatabaseAccess/config

Files in the test/config directory --> OIM_HOME/xellerate/XLIntegrations/DatabaseAccess/config

Files in the test/scripts directory --> OIM_HOME/xellerate/XLIntegrations/DatabaseAccess/scripts

Depending on the target system, perform the steps given below to copy external code files:

For connectors used with Oracle Database 10g, the required external code file is ojdbc14.jar. This JAR files is available in the Oracle Database installation at ORACLE_HOME/jdbc/lib. Copy the required JAR file (ojdbc14.jar) into the OIM_HOME/xellerate/ThirdParty directory.

[CON.13] When the pre-requisites have been addressed, the next step is to configure an

IT resource for the Database. Expand Resource Management in the

Administrative and User Console.

[CON.14] Click Create IT Resource.

[CON.15] On the Step 1: Provide IT resource Information screen,

Enter odb in the IT resource name, and select Database server by

clicking on the magnifying glass icon and clicking the appropriate radio button.

Click on Continue. Leave Remote Manager field blank.


14 December 2011

Page 86 of 113

[CON.16] On the Step 2: Specify IT Resource Parameter Values screen, enter the following values:

Parameter name Value to be entered

DatabaseName Odb

DataBaseType Oracle

delay_retry 10000

Driver oracle.jdbc.driver.OracleDriver

isSecure No

max_retry 3

Password <Password for oim_provision_user on

DB>

TargetLocale:

Country

US

Target

Locale:Language

En

URL jdbc:oracle:thin:@oraclehost.<domain>:

1521:oracledatabase

e.g. jdbc:oracle:thin:@odb.sme1.com:

1521:odb

UserID oim_provision_user

[CON.17] On the Step 3: Set permission to IT Resource screen, accept

default by clicking on Continue.

[CON.18] On the Step 4: Verify IT Resource Details screen, accept


[CON.19] On the Step 5: IT Resource Connection Result screen, the

connection test passes. Click on Continue.

[CON.20] On the Step 6: IT Resource Created screen, click on Finish.


Page 87 of 113

[CON.21] Run the following command in a terminal window on the OIM Server as

oracle: su - oracle

oracle> sqlplus oim_manager/<oim_manager password>

SQL> ALTER TABLE SVP MODIFY SVP_FIELD_VALUE VARCHAR2(2000);

SQL returns “Table altered.”

SQL> QUIT

The Database Connector has now been installed.

I.2 Install the Oracle Internet Directory Connector

These steps are adapted to be more prescriptive from [OCG, 2]. If problems are

experienced, it is worth being able to quote from [OCG, 2] in communication

with Oracle Support.

[CON.22] On the OIM Server, run the following command in a terminal window as

Oracle: oracle> cp -r /space/src/oracle/Connectors/Oracle_OID_90450

$OIM_HOME/xellerate/ConnectorDefaultDirectory

[CON.23] On the OIM Server, run the following command in a terminal window as Oracle: oracle> cd $OIM_HOME/xellerate/ConnectorDefaultDirectory/

Oracle_OID_90450/Batch/custom

Modify the syntax of custom.bat to provide the host name, port and OID

superuser DN and password, for example:

oracle> nano custom.bat

red text below is descriptive and should not be entered in the custom.bat.

ldapmodify -h oim {host} -p 389 {port} -D "cn=orcladmin" {OID super

user}-w ias_pwd {password}-c -f customRoleOccupant.ldif

ldapadd -h oim -p 389 -D "cn=orcladmin" -w ias_pwd -c -f customIndex.ldif

ldapmodify -h oim -p 389 -D "cn=orcladmin" -w ias_pwd -c -f

customOrganizationalRole.ldif

ctrl-O

ctrl-X

Then run the following commands in the terminal window on the OIM server: oracle> chmod 770 custom.bat

oracle> mv custom.bat custom.sh

Copy custom.sh onto the oid server in the following location: /tmp


14 December 2011

Page 88 of 113

Run custom.sh on oid as orainfra with oid running: oid> /tmp/custom.sh

[CON.24] On oid, in a terminal window as orainfra, run the following command: orainfra> catalog connect="INFRA1DB" add="TRUE"

attribute="modifytimestamp"

orainfra> opmnctl stopall

orainfra> opmnctl startall

[CON.25] Use the commands in [OCG, 2.3] to download ldap.jar and ldapbp.jar from the

Oracle/Sun Web site. This should be copied into:

$OIM_HOME/xellerate/ThirdParty on the OIM server.

[CON.26] On the Windows Administration Client computer, open IE7.

Note: the browser must be IE5 or above or the installation of the Connectors will fail.

[CON.27] In the URL bar, enter http://oim.oim-test.com:7777/xlWebApp/ and press

<ENTER>.




[CON.29] Click Deployment Management and then click Install Connector.

[CON.30] From the Connector List, select Oracle_OID_90450.

[CON.31] Click Load.

[CON.32] To start the installation process, click Continue.

[CON.33] The following tasks are performed in sequence:

a. Configuration of connector libraries

b. Import the connector Target Resource user configuration XML file

(by using the Deployment Manager).

c. Compilation of adapters.

Each task should complete successfully with a green tick beside each. A

message is also displayed indicating successful installation. This message also

provides a list of steps that must be completed next.

[CON.34] The pre-requisites have already been addressed, so skip these.

http://oim.oim-test.com:7777/xlWebApp/


Page 89 of 113

[CON.35] The next step is to configure an IT resource for the Internet Directory.

Expand Resource Management in the Administrative and User

Console.

[CON.36] Click Create IT Resource.

[CON.37] On the Step 1: Provide IT resource Information screen,

Enter oid in the IT resource name, and select OID server by

clicking on the magnifying glass icon and clicking the appropriate radio button.

Click on Continue. Leave Remote Manager field blank.

[CON.38] On the Step 2: Specify IT Resource Parameter Values

screen, enter the following values:


Admin Id cn=orcladmin

Admin Password <password for cn=orcladmin>

CustomizedReconQuery <Leave blank>

Last Target Delete

Recon TimeStamp

<Leave blank>

Last Trusted Recon

TimeStamp

<Leave blank>

Last Trusted Delete

Recon TimeStamp

<Leave blank>

Last Target Recon

TimeStamp

<Leave blank>

Port 389

Prov Attribute Lookup

Code

AttrName.Prov.Map.OID

Recon Attribute Lookup

Code

AttrName.Recon.Map.OID

Root DN e.g. o=acme

Server address IP address of Directory server,

e.g. 172.20.18.211


14 December 2011

Page 90 of 113


SSL False

Use XL Org Structure False

[CON.39] On the Step 3: Set permission to IT Resource screen, accept


[CON.40] On the Step 4: Verify IT Resource Details screen, accept


[CON.41] On the Step 5: IT Resource Connection Result screen, note

that the top line states “Test connectivity is not supported for the IT Resource

Type OID Server.” However, in red at the bottom of the screen a message

“Click back to correct the connection parameters and re-test connection ...” is

displayed. The top message is true and the bottom message is misleading. Click

on Continue. The connection will be tested later when the resource is

configured.

[CON.42] On the Step 6: IT Resource Created screen, click on Finish.

The OID Connector has now been installed.


Page 91 of 113

Annex J Configure Database and Internet Directory Connectors

The full range of features and configuration items for Database and OID

Connectors are specified in [DBCG, 3] and [OCG, 3]. The instructions in this

document configure the Database as a resource for provisioning from OIM, and

OID as a trusted source for reconciliation.

This set up was used by the evaluators as a starting point configuration for their

testing.

J.1 Database Connector Configuration

[CON.43] On the Windows Administration Client, open the OIM Design Console using




[CON.44] Click on the + next to Development Tools, and double click on

Adapter Manager. Note: a single click will NOT work.

The Compile All Adapters form tab is shown in the display pane.

[CON.45] Click on Compile All and then click Start to compile adapters.

J.2 Configure Database Provisioning Test data

In order to test OIM the Oracle DB was used as a resource to which users in

OIM can be provisioned. Within OIM an Organization named Oracle was

created along with 3 user groups: Oracle Users, DBAs and Oracle Managers.

OIM is configured such that the Oracle Managers group had Administration

privileges over the 2 other groups.

An Access Policy is created that automatically provisions users within the

DBA group with the Oracle Database resource. In addition, members of the

other 2 Oracle groups could request the Oracle Database resource subject to the

approval of the user’s Manager.

The steps that implement this configuration are as follows continuing on the

Administrative Design Console:

J.2.1 Configure User types

Goal: adds a number of user types to the Lookup called by the Create User

menu item in the Admin and User Console.

[CON.46] Click on Administration and Double click on Lookup Definition.


14 December 2011

Page 92 of 113

The Lookup Definition form tab is shown in the display pane.

[CON.47] In the Code field type Lookup.Users.Role, then select menu item

ToolBar and click Query.

Under Group field enter “OIM Evaluation”.

[CON.48] Click Add, and provide entries for

Oracle Manager

Oracle User

Oracle DBA

Xellerate {this will be used for XELSYSADM user}

J.2.2 Configure Rules for User types

Goal: Add a rule for each user type that will be tested during system events

like user creation/modification to determine whether a user is or has been

associated with user type. Rules can then be used to trigger work flows within

OIM e.g. provision a user in group Oracle DBA without requiring that they

have approval from a manager.

[CON.49] Click on Resource Management and double click on Rule Designer.

The Rule Designer tab is shown in the display pane.

[CON.50] In the Name field type IsOracleManager.

[CON.51] Select type General.

[CON.52] In Description field type Rule to determine if a user is an

Oracle Manager based on Employee type. Click save button.

[CON.53] Click on Add Element.

Edit Rule Element dialog is displayed.

[CON.54] Select Attribute as Role, Operation as == and enter Attribute

value as Oracle Manager. Click save button and close – answer Yes to

confirm save dialog box, it is already saved anyway.

[CON.55] Right click on Rule Designer tab at the bottom of the console, and select

New.


Page 93 of 113

[CON.55] Repeat steps [CON.50] to [CON.55] to create rules for IsOracleUser and

IsOracleDBA.

J.2.3 Configure Database Provisioning Form

Goal: Process definitions are used within OIM to specify work flows, e.g. a

provisioning process to create an OIM user identity within a resource like an

Oracle database. Each process has a form that specifies the data to be used.

Process definitions can be configured according to the desired behaviour. In

this case, by clicking on “auto pre-populate”, we are telling OIM to ensure that

to run the pre-populate adapters for any data items in the associated form,

where present. These pre-populate adapters will populate the fields on the form

with data.

In this case, we want to pre-populate the IT Resource (odb), the Username and

the Password. But we’ll get that later.

[CON.56] Click on Process Management and double click on Process

Definition.

The Process Definition tab is shown in the display pane.

[CON.57] Right click on Process Definition tab at the bottom of the console, and

select Query.

[CON.58] Click on Process Definition Table tab. Click on Database

Access Oracle User. Note the associated form is UD_DB_ORA_U.

[CON.59] Click on Process Definition tab. Click Auto Pre-populate and

Auto Save Form. Click the save button.

J.2.4 Specify the Pre-populate Rule for use during Database Access Oracle User process

Goal: This configures a rule used to determine when the UD_DB_ORA_U form

(i.e. the form used to inform the provisioning of the database) will be pre-

populated. In this case, it will be performed when the user processed by OIM is

part of the Oracle organization.

The object from which the data will be pre-populated is the Database

Access Oracle User RO (Resource Object), and the process calling the

auto pre-populate is Database Access Oracle User.

[CON.60] Click on Rule Designer tab, and right click the tab and select New.

[CON.61] In the Name field type Oracle Prepopulate Rule.


14 December 2011

Page 94 of 113

[CON.62] In the Description field type Prepopulate fields in the

Provisioning Form.

[CON.63] In the Type field select Pre-populate.

[CON.64] In the Sub-Type field select User Provisioning.

[CON.65] Double click in the Object field and select Database Access Oracle

User RO.

[CON.66] Double click in the Process field and select Database Access

Oracle User RO. Click the save button.

[CON.67] Click on Add Element.

Edit Rule Element dialog is displayed.

[CON.68] Select Attribute source as Request Target Information,

Attribute as Organization Name, Operation as == and enter

Attribute value as Oracle. Click save button and close – answer

Yes to confirm save dialog box, it is already saved anyway.

J.2.5 Modify the UD_DB_ORA_U form to pre-populate the data we need to create a user identity in the database.

Goal: modify the form so that username, password and IT Resource

are pre-populated when the rule defined above (Oracle Prepopulate

Rule) is true – i.e the user is in Organization called Oracle.

The tool in OIM that actually performs the work is an Adapter that works out

of the box from the database connector. The Adapter is called DB

Prepopulate UserLogin.

[CON.69] Click on Development Tools, and double click on Form Designer.

Form Designer tab is opened in display pane.

[CON.70] Right Click on Form Designer, and click on Query.

Form Designer Table tab is opened in display pane with UD_DB_ORA_R in

Table name. Use Form Designer Table tab to locate

UD_DB_ORA_U, select it, and click YES. Control is then returned to Form

Designer Table with UD_DB_ORA_U in Table name.

[CON.71] Click on Create New Version.

[CON.72] In the Label field enter Version 2. Save and Close.


Page 95 of 113

[CON.73] In Current Version select Version 2.

[CON.74] Click the Pre-Populate tab. Click Delete and YES. Click Add. Input the

following:

[CON.75] Field Name : IT Resource.

[CON.76] Double click in the Rule field and select Oracle Pre-populate Rule.

[CON.77] Double click in the Adapter field and select DB Pre-populate

UserLogin.

[CON.78] Order : 1.

[CON.79] Click Save.

[CON.80] Select the inputValue and click on Map, input the following:

[CON.81] Map To : IT Resources.

[CON.82] Qualifier : odb.

[CON.83] Save and Close and Close.

[CON.84] On the Pre-Populate window click Add. Input the following:

[CON.85] Field Name : Username.

[CON.86] Double click in the Rule field and select Oracle Prepopulate Rule.

[CON.87] Double click in the Adapter field and select DB Prepopulate

UserLogin.

[CON.88] Order : 2.


[CON.90] Select the inputValue and click on Map, input the following:

[CON.91] Map To : User Definition.

[CON.92] Qualifier : User Login.

[CON.93] Click Save and Close and Close.

[CON.94] On the Pre-Populate window click Add. Input the following:

[CON.95] Field Name : Password.


14 December 2011

Page 96 of 113

[CON.96] Double click in the Rule field and select Oracle Prepopulate Rule.

[CON.97] Double click in the Adapter field and select DB Prepopulate

UserLogin.

[CON.98] Order : 3.


[CON.100] Click on Map, input the following:

[CON.101] Map To : User Definition.

[CON.102] Qualifier : Password.

[CON.103] Click Save and Close and Close.

[CON.104] Click Make Version Active.

[CON.105] Click Save and Close.

J.2.6 Configure Approval processes: suppress the standard approval

[CON.106] Select Process Management -> double click Process Definition.

[CON.107] Search for Standard Approval on the Process Definition

Table tab. Click on it.

[CON.108] Back on the Process Definition tab, select the Tasks tab.

[CON.109] Double click on the grey area on the left of the Approve Task. This will open

the configuration for the task after asking if you want to close without saving

your work (to which you reply YES; it’s an ambiguity in the user interface). If

you click anywhere else nothing happens.

[CON.110] Click on the Integration tab, click Add, select the System radio button.

[CON.111] Select the tcCompleteTask Handler. Save and close. When prompted

for completing without saving, click YES; it’s an ambiguity in the user

interface.

J.2.7 Configure Approval processes: create new Database approval

[CON.112] Select Process Management -> double click Process Definition

[CON.113] In the name field, type Database Access

[CON.114] Double click in the field Type and select Approval and OK.


Page 97 of 113

[CON.115] Double click in the Object Name field and select Database Access

Oracle User RO and OK.

[CON.116] Table Name: leave this blank.


[CON.118] Under the Tasks tab click Add and input the following:

[CON.119] For Task Name enter Managers Approval.

[CON.120] Description: Managers approval process for the database

resource.


[CON.122] Select the Assignment tab, double click in the Target type field

[CON.123] Select Target User’s Manager

[CON.124] Remove the XELSYSADM entry from the User field.

[CON.125] Click the General Tab, and under Task Properties box, find Task

Effect and select Enables Process or Access to

Application. Click Save and Close. In response to the closing form

click YES; it’s an ambiguity in the user interface.

[CON.126] Click Save and Close the Process Definition.

J.2.8 Create new Organisation and related Groups

These configuration steps must be run from the Windows Administration client

computer, using the OIM Administrative and User Console.

Goal: to create an organization Oracle, and three groups, one for each

employee type created above. Rules are also put in place to ensure automatic

allocation of users for each employee type into the correct access control

group.

[CON.127] On the Windows Administration Client computer, open IE7.

[CON.128] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press

<ENTER>.






14 December 2011

Page 98 of 113

[CON.130] Click on Organizations -> Create

[CON.131] Enter a Name: Oracle.

[CON.132] Click on the Create button.

[CON.133] Click on User Groups -> Create

[CON.134] Enter a Group Name: Oracle Managers

[CON.135] Click on the Create button.

[CON.136] On the Group Details screen, select Membership Rules from the

dropdown menu.

[CON.137] Click on the Assign Rules button.

[CON.138] Select the isOracleManager tick box and click the Assign button.

[CON.139] Click on the Confirm Assign button.

Repeat the steps [CON.133] to [CON.139] to create Groups named Oracle

Users and Oracle DBA. These steps ensure that each group has the

appropriate rule assigned to them. So, when users of the respective employee

types are created, they are added to the their respective access control groups

automatically.

J.2.9 Assign Xellerate built in users a suitable employee type

Goal: ensure the Xellerate users are of suitable employee type so that

operations on them (e.g. change password) work correctly.

[XEL.1] Click on Users-> Manage

[XEL.2] Click on the Search Users button.

[XEL.3] Find xelsysadm from the list and select it.

[XEL.4] Change Employee Type to Xellerate. Click Save.

J.2.10 Create Menu Items for the Oracle Manager Group

Goal: ensure that the Oracle Manager user group is able to manage users (e.g.

provision them or delete them), request their own resource access (e.g. to the

database) and check their open tasks (e.g. a request to access the database from

a more junior member of Oracle staff).

[CON.140] Click on User Groups -> Manage


Page 99 of 113

[CON.141] Click on the Search button.

[CON.142] Select Oracle Managers from the list.

[CON.143] Select Menu Items from the drop down list.

[CON.144] Click on the Assign Menu Items button.

[CON.145] Locate and select (click the tick for) the menu items below. When all items are

ticked on the screen that you can see, Click on Confirm Assign button, and

then click on Assign Menu Item to continue assigning items on the next

relevant screen. The items are:

[CON.146] Manage Users menu item

[CON.147] Request Resources menu item.

[CON.148] To-Do List Open Tasks menu item.

J.2.11 Reconcile the Roles and Privileges from odb so they can be assigned

to users provisioned to the database.





[CON. 150] Click on the + next to Administration, and double click on Task

Scheduler. Note: a single click will NOT work.

[CON. 151] Click Query (i.e. the binoculars button, or right click on Task Scheduler

tab, and click Query). The results are displayed on the two available tabs.

[CON. 152] Click on DBAccessLookupReconTask in the Task Schedule Table

tab. Click on Task Scheduler tab to edit fields.

[CON. 153] On Max Retries enter 5.

[CON. 154] Untick Disabled so that its check box is clear. Do the same if necessary for

Stop Execution.

[CON. 155] In the Start region, double-click the Start Time field. From the

date-time editor that is displayed, select the date and time to cause

it to run in the next 5 minutes or so (i.e. soon).

[CON. 156] In the Interval region, select the once interval for the task.


14 December 2011

Page 100 of 113

[CON. 157] In the Task Attributes, enter the following entries by double clicking on

each Attribute value (for more information on the attribute meanings see

[OCG, pg 44]:

Attribute name Attribute Value to be entered

Server Odb

LookupFieldName UD_Lookup.DB_ORA_Roles

Exclusion List None

[CON.158] Click Save. The scheduled task is created. The INACTIVE status is displayed

in the status field because the task is not currently running. The task is run

at the date and time set in [CON. 155].

[CON.159] When the task has run, repeat steps from [CON.155] but use

UD_Lookup.DB_ORA_Privileges in the LookupFieldName at

[CON.157].

Note: you can force the schedule task to run immediately by using the

following click sequence from the User and Admin console:

Resource Management Manage Scheduled Task Search Last

DBAccessLookupReconTask Run now

J.2.12 Create Provisioning Access Policy for DBA users

[CON.160] Click on Access Policies -> Create

[CON.161] Step 1, Enter Access Policy Name : Database Access

[CON.162] Enter Description : Access Policy to allow users in the

DBA Group to be provisioned with the database

resource.

[CON.163] Provision : Without Approval

[CON.164] Leave Retrofit Access Policy ticked.

[CON.165] Click Continue

[CON.166] Select Database Access Oracle User RO click Add



Page 101 of 113


[CON.169] For IT resource leave these fields blank. The values will be pre-populated

at run-time by the rules configured above.


[CON.171] Click Continue (select the Revoke tick box to test what happens when

someone is no longer a DBA)

[CON.172] Step 3, Continue

[CON.173] Step 4, Select the DBA group, click Add


[CON.175] Under Resources to be provisioned by this access

policy, click edit next to Database Access Provisioning form

for Oracle User.

[CON.176] Select the drop down next to You can edit the additional

details data for this form: and click on Grant/Revoke

roles magnifying glass iconCONNECT radio

buttonSelectAddClose.

Note: this step and [CON.175] will only work if steps [CON.148] to

[CON.159] have been performed.

[CON.175] Step 5 click Create Access Policy.

J.2.13 Update Resource Object settings





[CON.177] Click on Resource ManagementResource

ObjectsBinoculars Button (Query). In the Resource Objects

Table, click Database Access Oracle User RO. Click on the

Resource Objects tab. Database Access Oracle User RO is

displayed in the Object Definition.

[CON.178] Uncheck Auto Pre-populate; Check the following: Allow Multiple,

Auto Save, Self Request Allowed, Allow All, and Auto Launch.

Click Save. Exit the Design Client.


14 December 2011

Page 102 of 113

J.3 Oracle Internet Directory Connector Configuration

The following steps configure the installed OID instance to operate as a trusted

source for reconciliation.

These configuration steps must be run from a Windows Administration client

computer, using the OIM Administrative and User Console.

J.3.1 Run OIM user script to prepare for reconciliation

[OID.1] On the Windows Administration Client computer, open IE7.

Note: the browser must be IE5 or above.

[OID.2] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press

<ENTER>.

[OID.3] The OIM Administrative and User Console logon screen is



[OID.4] Click the Deployment Management link on the left navigation bar.

[OID.5] Click the Import link under Deployment Management. A dialog box for

opening files is displayed.

[OID.6] Using Windows tools:2

Copy the oimUser.xml file from: /space/src/oracle/Connectors/Oracle_OID_90450/xml

Copy this file on the Windows Admin client to a known location (e.g.

C:\temp).

Back with OIM application: Select this file from the copy location on the Windows Admin client.

Details of this XML file are shown on the File Preview page.

Click Add File.

[OID.7] The substitutions page is displayed. Click Next.

[OID.8] The confirmation page is displayed. Click Next.

2 Note for this task the Admin and User Console on the OIM Server using the Firefox browser

can also be used. If there are Java problems on your Windows Client, this is a good

workaround while you get that sorted out. To use this follow OID.3 – OID.5, then access the

oimUser.xml file directly using the path in OID.6 and click Add file. Then follow from OID.7.



Page 103 of 113

[OID.9] Click Import.

[OID.10] Click Import when prompted by Are you sure? message.

Import Successful message should be displayed.

Close Window.

Continue configuration on the Design console as follows:

J.3.2 Configure scheduled task to execute reconciliation.

[OID.11] On the Windows Administration Client, open the OIM Design Console using




[OID.12] Click on the + next to Administration, and double click on Task

Scheduler.

[OID.13] Click Query (i.e. the binoculars button, or right click on Task Scheduler

tab, and click Query). The results are displayed on the two available tabs.

[OID.14] Click on OID Lookup Reconciliation Task in the Task

Schedule Table tab. Click on Task Scheduler tab to edit fields.

[OID.15] On Max Retries enter 5.

[OID.16] Untick Disabled so that its check box is clear. Do the same if necessary for

Stop Execution.

[OID.17] In the Start region, double-click the Start Time field. From the

date-time editor that is displayed, select the date and time at which

you want the task to run.

[OID.18] In the Interval region, select the desired interval for the task.

[OID.19] In the Task Attributes, enter the following entries by double clicking on


[OCG, pg 44]:


LookupCodeName Lookup.OID.Organization

ITResourceName Oid

SearchContext ou=production,o=acme


14 December 2011

Page 104 of 113


ObjectClass Organization

CodeKeyLTrimStr [NONE]

CodeKeyRTrimStr [NONE]

ReconMode UPDATE

AttrType Ou

[OID.20] Click Save. The scheduled task is created. The INACTIVE status is displayed


at the date and time set in [OID.17].



Resource Management Manage Scheduled Task Search

OID Lookup Reconciliation Task Run now

[OID.21] Click on OID User Recon in the Task Schedule Table tab. Click on

Task Scheduler tab to edit fields.

[OID.22] On Max Retries enter 5.

[OID.23] Untick Disabled so that its check box is clear. Do the same if necessary for

Stop Execution.

[OID.24] In the Start region, double-click the Start Time field. From the

date-time editor that is displayed, select the date and time at which

you want the task to run.

[OID.25] In the Interval region, select the desired interval for the task.

[OID.26] In the Task Attributes, enter the following entries by double clicking on


[OCG, pg 45 – 46]:


IsNativeQuery No

ITResourceName Oid


Page 105 of 113


ResourceObjectName OID User

XLDeleteUsersAllowed False

UserContainer ou=production,o=acme

Keystore [NONE]

Organization Acme

Xellerate Type End-User

Role acme production user

TrustedSource True

PageSize 100

[OID.27] Click Save. The scheduled task is created. The INACTIVE status is displayed


at the date and time set in [OID.24].



Resource Management Manage Scheduled Task Search Last

OID User Recon Run now

J.3.3 Configure the roles for oid users within OIM.

[OID.28] Click on Administration and Double click on Lookup Definition.

The Lookup Definition form tab is shown in the display pane.

[OID.29] In the Code field type Lookup.Users.Role, then click Query on the

toolbar.

[OID.30] Click Add, and provide entries for

acme production user

acme delivery user

acme accounts user


14 December 2011

Page 106 of 113

J.3.4 Create the user test data for reconciliation in oid.

[OID.31] In oid, create the following entries in the directory in hierarchy to use as test

data for reconciliation:

o=acme

ou=production

cn=<create user name> (e.g. John Smith)

cn=<create user name>

ou=delivery



ou=accounts



Note: the instructions in [OID.19] and [OID.26] configure reconciliation

for the production organisation unit. The other ou’s can also be used to

test if configured.

In order to reconcile with OIM the OID users must have the following

objectclasses added: top, person, organizationalPerson, inetOrgPerson,

orclUser, and orclUserV2.

J.3.5 Post-reconciliation task for Administrators

[OID.32] Users reconciled from Oracle Internet Directory as a trusted source are given a

password that is the same as their cn attribute in the directory. This is a

potential vulnerability for a secure configuration.

The way to lockdown OIM securely after trusted reconciliation is for the

Administrator to manually change the password for every user reconciled to a

different secure value (where secure means a password that is at least 6

characters and not be a dictionary word, be alpha-numeric and have at least one

number, capital letter; optionally one special character from the following: $, _,

#).

These passwords must then be securely communicated to users as required.

The steps to perform a password change are as follows:

[OID.33] On the Windows Administration Client computer, open IE7.

[OID.34] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press

<ENTER>.



Page 107 of 113

[OID.35] The OIM Administrative and User Console logon screen is



[OID.36] Click UsersManage.

[OID.37] In the first drop down box select Organization.

[OID.38] In the value box, type the name of the organization from which users have been

reconciled, e.g. acme. Click Search User.

[OID.39] For each of the users displayed, where a secure password has not already been

set the following steps should be followed:

[OID.40] Click on the userid in the table of displayed users. The user details are

displayed.

[OID.41] Click on the Change Password button.

[OID.42] Enter a secure value (a password that is at least 6 characters and not be a

dictionary word, be alpha-numeric and have at least one number, capital

letter; optionally one special character from the following: $, _, #) for

password and confirm it in the following box. It may be wise to compile a table

of user names with their secure passwords for reference as you go. However,

this table must be stored securely until all the users have updated their

passwords.

[OID.43] Click on the Change Password at next logon check box.

[OID.44] Click on the Save Password button.

[OID.45] The User detail screen is displayed. Click on Back to Search Results to

find the next user to change. Repeat steps [OID.40] to [OID.44] for all users

where a password change is necessary.

[OID.46] A procedure must be agreed with end users so that they can securely request/be

provided with their passwords for OIM from the administrator as required.


14 December 2011

Page 108 of 113

Annex K Guidance for Secure Administration

This section provides guidance for administering the OIM that must be

followed to ensure that OIM remains in the secure state. It is complementary to

the documentation provided in the Oracle guidance documentation for OIM.

K.1 Web Browsing and OIM access

All privileged users should ensure that after performing their tasks, they log off

and close down their browser before browsing to other sites. If access to other

websites is required at the same time as access to OIM administration features,

a different browser should be used (i.e. not Internet Explorer).

K.2 Creating or updating an administrative group within OIM

The administration user creating or updating an administrative group must

ensure that they set read, write and delete permissions for the group that they

create explicitly. The default values should not be relied upon.

K.3 Updating menu items within OIM

Using TOE facilities described in [OIMCG, 8 and 9], the administrator can

customize the menus, by which users access OIM features, by performing

operations such as adding new menu items for groups and renaming existing

menu items.

Administrators must test thoroughly any such customizations that they perform

before making them available to users in a live system. Failure to do this

testing may result in inappropriate access being granted, or features removed

from users where this was not intended.

K.4 Ensuring secure Approval process for OIM Access Policies

When creating access policies, an administrator must ensure that “With

Approval” be selected for a policy where users require management approval

prior to access being permitted (see [OIMAG, 11:CreatingAccessPolicies]. If

the administrator omits to select “With Approval” (the OIM default is

“Without Approval”), then users may get access to resources without the

required authorisation.

Administrators can use the Administrative and User Console to check whether

“With Approval” was selected for a particular policy by viewing the policy as

described in [OIMAG, 11:Managing Access Policies].


Page 109 of 113

K.5 Enabling secure Self-Registration for OIM

Self-registration is configured OFF by default in this guide (see H.6, [OSS.5]).

If self-registration is switched ON (see H.6, [OSS.6] for how), then an approval

task must be defined for the User Registration approval process so that users

have to get approval before being granted OIM user accounts.

Instructions for how to set up a User Registration approval task are

as follows:

[CSR.1] On the Windows Administration Client computer, open IE7.

[CSR.2] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press

<ENTER>.

[CSR.3] The OIM Administrative and User Console logon screen is

displayed in the browser. Login as xelsysadm.

[CSR.5] Navigate to User GroupsCreate.

[CSR.6] Enter Group Name Managers and click Create.

[CSR.7] Navigate to UsersManage. Click Search Users.

Select the users to include in the Managers group and add them using the following steps.

This will be the group authorised to approve Users who self-register.

[CSR.8] Click on the User ID of the user to include.

[CSR.9] Use the “you can view additional details about this

user” drop down and select Group Membership

[CSR.10] Click Assign.

[CSR.11] Check the Managers group and Click Assign Group. Managers group

is assigned to selected user and appears in the table showing the group member

ship for the user.

[CSR.12] Click User Detail to return up menu structure.

[CSR.13] Click Back to Search Results to view the list of users.

Ensure that this group contains the xelsysadm user using the above instructions. Repeat as

necessary for each user to be added to the Managers group.

[CSR.14] Open the Design Console.



14 December 2011

Page 110 of 113

[CSR.15] Navigate to Process ManagementProcess DefinitionQuery.

[CSR.16] In the Process Definition Table click on User Registration

[CSR.17] On the Process Definition Tab, under Tasks double click on Awaiting

Approval Data.

[CSR.18] Click on Required for Completion.

[CSR.19] Click on Assignment tab.

[CSR.20] Click on Add

[CSR.21] Double Click on Rule column and select Default.

[CSR.22] Double Click on Target Type and select Group.

[CSR.23] Double Click on Group and select Managers.

[CSR.24] Click on the Save button.

[CSR.25] Exit Design Console.

Note: other options are possible for selecting who can authorise users who self-

register. This guide provides a straight forward and flexible option. The steps

above that give you other options are [CSR.22] and [CSR.23]. For example,

the options offered by the Design Console at these steps could be used to

configure the manager with the lightest loading as the approving manager. The

key thing for security is that an approval task is configured, not who exactly

performs the approval, or how it is configured.

The Administrator must ensure that either User Registration is OFF, or a

suitable User Registration approval task is configured as above or similar.

Without the latter, should User Registration be switched ON, users will be able

to obtain user accounts on OIM without authorisation .

When Managers approve the a user self-registration, they will need to ensure that the

mandatory field for Organization Name is filled in for the user that they authorise.

Without this the approval will fail with a “missing fields” error. The following steps show

how to complete this:

[CSR.26] Click on Pending Approvals.

[CSR.27] Click on the Request ID to approve, e.g 43.

[CSR.28] Click on Provide User Information.


Page 111 of 113

[CSR.29] Enter the required Organization Name.

[CSR.30] Enter any other information that you wish to specify at this time – e.g.

Manager ID, Start date, provisioning date.

[CSR.31] Click Update. This will authorise the self-registration.

K.6 Configuration for IT Resources

The documents in this section should be used for configuring IT resources. In

particular, used for specifying associated security attributes securely and

correctly.

Each IT Resource configured in OIM will have an associated Connector Guide.

While the generic instructions for creating and managing such IT Resources

can be found in [AUCG, 12.7] and [AUCG, 12.8] respectively, to specify the

settings for connection to the IT resource, additional information will be

required from the associated Connector Guide (e.g. Oracle Database, Oracle

Internet Directory or similar). This information specifies how to configure a

connection to the IT resource such that it can be used by OIM to set up users

and provide access to that resource for them.

[DBCG, 2.6] and [OCG, 2.4.2] explain the details required to complete this

(i.e. step 5 of [AUCG,12.7]) for Oracle Database and Internet Directory IT

resources respectively. For other IT resources, see the associated Connector

Guide under creating and managing resources.

For step by step instructions that can be used as examples for Oracle Database,

and Oracle Internet Directory see steps [CON.14] to [CON.20] and [CON.36] to [CON.42] in sections I.1 and I.2 of this guide. The settings will need to be

adjusted for your particular IT resource and desired configuration.

K.7 Configuration for User Provisioning Requests

By default, users created in OIM are part of the ALL USERS group and any

member of this group can request access to resources. On such a request being

submitted, OIM initiates an approval workflow via the manager specified for

them during user creation (see [AUCG, 8.1 and Table 8.1]. Only when

approval has been granted, will the user be provisioned to the resource.

The menu item for requesting access to resources can be removed either from

the ALL USERS group (and given to an alternative user group for whom it is

intended), or denied to a specific user group. The denial will override the

permission in the ALL USERS group. Either method will disable the group

from requesting access to resources. Menu items for groups are configured

using the instructions in [AUCG, 10.2.3.2]. For more on configuring groups

generally and the concept of user group management, see [AUCG, 10].


14 December 2011

Page 112 of 113

K.8 Directly Provisioning users

The following steps can be used to provision a resource directly to a user as an

administrator without requiring an approval workflow:

[DPU.1] Log on to the Admin and User Console as xelsysadm, or an administrator

with SYSTEM ADMINISTRATOR group membership.

[DPU.2] Click UsersManage, search for user or click search users and

select user to directly provision.

[DPU.3] Under “You can view additional details about this user” select Resource

Profile.

[DPU.4] Select Provision New Resource Button.

[DPU.5] Select Resource to Provision and continue.

[DPU.6] Verify, by clicking continue.

[DPU.7] The screen will refresh and “provisioning has been initiated” will be displayed.

[DPU.8] Click Back to User Resource Profile.

[DPU.9] The screen will show the Resource with a status as Provisioned.

K.9 Granting the admin privilege to directly provision users

This can be achieved in two ways. Firstly, by granting SYSTEM

ADMINISTRATOR group privilege to a user. Secondly, by specifying the

granular privileges to a group for this type of task.

To grant SYSTEM ADMINISTRATOR group membership see [AUCG,

10.2.3.3].

For group privileges for direct provisioning specifically, allocate the

appropriate privileges as instructed via [AUCG, 10.2.3.3 and 10.2.3.6] and add

the required “manage users menu item” to the group using [AUCG, 10.2.3.2].

You can create the group using the existing OIM administrative group for users

and resource objects in [AUCG, 10.2.3.6]; this section also gives you the detail

required to set up a group with custom privileges for direct provisioning only.


Page 113 of 113

Annex L References

[ADG] Oracle Identity Manager Audit Report Developer’s Guide, Release 9.1.0.1,

E14045-03, June 2010.

[AUCG] Oracle Identity Manager Admin and User Console Guide, Release 9.1.0.2,

E14765-02, August 2009.

[CC] Common Criteria for Information Technology Security Evaluation

(Comprising Parts 1-3: [CC1], [CC2], and [CC3]).

[CC1] Common Criteria for Information Technology Security Evaluation Part 1:

Introduction and General Model

CCMB-2005-08-001, Version 2.3, August 2005


Security Functional Requirements



Security Assurance Requirements


[CEM] Common Methodology for Information Technology Security Evaluation Part 2:

Evaluation Methodology


[DBCG] Oracle Identity Manager, Connector Guide for Database User Management,

Release 9.0.4, E10425, July 2009

[ECGDB] Evaluated Configuration for Oracle Database 10g Release 2 (10.2.0), Issue

0.6, November 2007, Oracle Corporation.

[ECGOID] Evaluated Configuration for Oracle Internet Directory 10g (10.1.4.0.1), Issue

0.3, March 2008, Oracle Corporation

[ECGOEL4] CC EAL4+ Evaluated Configuration Guide for Oracle Enterprise Linux 4 U4

and U5, Version 1.3, 23rd

August 2007, Oracle Corporation.

[OCG] Oracle Identity Manager, Connector Guide for Oracle Internet Directory,

Release 9.0.4, E10436-04, December 2008

[ST] Security Target for Oracle Identity Manager 10g (9.1.0.2), Issue 0.9