Evaluation of Oracle Identity Manager
Evaluated Configuration Guide for Oracle Identity
Manager 10g (9.1.0.2)
Issue : 1.0
Date : 14 December 2011
Status : Definitive
Distribution : OIM Evaluation Team
Prepared by : Hugh Griffin, Mike McCormack
Reviewed by : Hugh Griffin
Authorised by : Petra Manche
Evaluation of Oracle Identity Manager OIM (9.1.0.2) Evaluated Configuration/Issue 1.0
14 December 2011
Page 2 of 113
========================================================
Evaluated Configuration Guide for Oracle Identity Manager 10g (9.1.0.2)
December 2012
Author: Hugh Griffin
Contributor: Mike McCormack
Copyright © 2011, Oracle Corporation. All rights reserved. This documentation contains
proprietary information of Oracle Corporation; it is protected by copyright law. Reverse
engineering of the software is prohibited. If this documentation is delivered to a U.S.
Government Agency of the Department of Defense, then it is delivered with Restricted Rights
and the following legend is applicable:
RESTRICTED RIGHTS LEGEND
Use, duplication or disclosure by the Government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of DFARS 252.227-7013, Rights in Technical Data and Computer
Software (October 1988).
Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.
The information in this document is subject to change without notice. If you find any problems
in the documentation, please report them to us in writing.
Oracle Corporation does not warrant that this document is error free.
Oracle is a registered trademark, and Oracle Business Intelligence 10g is a trademark or
registered trademark, of Oracle Corporation. Other names may be trademarks of their
respective owners.
========================================================
Document History
Version   Date             Notes
0.1       March 2011       Initial formal release
0.2       June 2011        Release after re-install
0.3       November 2011    Post-evaluation updates
1.0       December 2011    Minor formatting updates
Table Of Contents
1 Introduction  6
1.1 Purpose  6
1.2 Intended Audience  6
1.3 Evaluated Configuration Guide Overview  6
1.4 Document Structure  7
1.5 Format  8
2 Preparation  9
2.1 Machine Configuration  9
2.2 Physical Environmental Assumptions  11
2.3 Electronic Delivery of the TOE  11
2.4 Physical Delivery of the TOE  12
3 Installation  14
3.1 Oracle Identity Management Installation Order  14
3.2 Start up and Shutdown procedure  15
Annex A TOE Components  16
A.1 Oracle Identity Management Server  16
A.2 Supporting components for TOE testing  16
Annex B Server Start up and Shutdown Procedures  17
B.1 Start order  17
B.2 OIM Server  17
B.3 Database Server  18
B.4 Internet Directory Server  19
Annex C Install Red Hat Linux 4 Update 5 x86_64 for OIM server  20
C.1 Install the Operating System  20
C.2 Patch the Operating System  20
C.3 Configure the Operating System  20
C.4 Install Java  22
Annex D OIM Server Installation  23
D.1 Install the Oracle Application Server  23
D.2 Upgrade the Oracle Application Server  25
D.3 Create OC4J Instance for OIM  26
D.4 Apply Oracle Application Server CPU Patch  27
D.5 Configure RMI Settings  28
D.6 Install Oracle Database for OIM  28
D.7 Install Oracle Database Patchset  30
D.8 Create Listener for OIM Database  31
D.9 Create Database Instance for OIM Database  31
D.10 Prepare Database Instance for OIM Installation  33
D.11 Install Oracle Identity Manager  34
D.12 Upgrade OIM from 9.1.0.1 to 9.1.0.2  36
D.13 Post OIM Installation Configuration  40
Annex E Install Identity Management & Metadata Repository on OID Server  43
E.1 Install the Operating System  43
E.2 Patch the Operating System  43
E.3 Configure the Operating System  43
E.4 Install the Identity Management & Metadata Repository  45
E.5 Configure the OID Infrastructure  47
Annex F Oracle Database Server  52
F.1 Install the Operating System  52
F.2 Patch the Operating System  52
F.3 Configure the Operating System  52
F.4 Install the Oracle Database Server  54
F.5 Create Listener for odb Database  56
F.6 Create a Database Instance  57
F.7 Secure Database  59
Annex G Recommendations for OIM Secure Audit Administration  61
Annex H Perform Hardening of the TOE and Environment  67
H.1 Administration Client Configuration  67
H.2 User Client Configuration  68
H.3 Configure SSL for User and Admin Console  68
H.4 Install the Design Console with SSL enabled  72
H.5 Enable the Firewall  76
H.6 Configure OIM Security settings  77
H.7 Configure OIM Password policy  78
H.8 Configure Attestation Scheduled task  81
Annex I Oracle Identity Management Connectors  83
I.1 Install the Database Connector  83
I.2 Install the Oracle Internet Directory Connector  87
Annex J Configure Database and Internet Directory Connectors  91
J.1 Database Connector Configuration  91
J.2 Configure Database Provisioning Test data  91
J.3 Oracle Internet Directory Connector Configuration  102
Annex K Guidance for Secure Administration  108
K.1 Web Browsing and OIM access  108
K.2 Creating or updating an administrative group within OIM  108
K.3 Updating menu items within OIM  108
K.4 Ensuring secure Approval process for OIM Access Policies  108
K.5 Enabling secure Self-Registration for OIM  109
K.6 Configuration for IT Resources  111
K.7 Configuration for User Provisioning Requests  111
K.8 Directly Provisioning users  112
K.9 Granting the admin privilege to directly provision users  112
Annex L References  113
Abbreviations
CC Common Criteria
CEM Common Evaluation Methodology
CI Configuration Item
EAL Evaluation Assurance Level
ECG Evaluated Configuration Guide
ETR Evaluation Technical Report
ISO International Organization for Standardization
IT Information Technology
OR Observation Report
OSP Organisational Security Policy
PP Protection Profile
SAR Security Assurance Requirement
SFP Security Function Policy
SFR Security Functional Requirement
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functionality
TSFI TSF Interface
URL Uniform Resource Locator
1 Introduction
1.1 Purpose
This document is the Evaluated Configuration Guide (ECG) for Oracle Identity
Manager 10g (9.1.0.2).
Title: Evaluated Configuration Guide for Oracle Identity Manager 10g
(9.1.0.2)
Target of Evaluation (TOE): Oracle Identity Manager 10g (9.1.0.2)
Release: 9.1.0.2
Connectors: Oracle Database User Management Connector – 9.0.4.5;
Oracle Internet Directory Connector – 9.0.4.5.
The connectors are installed as part of Oracle Identity Manager
10g (9.1.0.2) and as such are part of the TOE.
Operating System Platform: Red Hat Enterprise Linux AS Version 4
Update 5
Database Platform: Oracle Database Management System 10g (10.2.0.2.0)
Application Server Platform: OracleAS 10gR2 (10.1.3.3.0)
Keywords: Oracle Identity Manager, EAL4.
1.2 Intended Audience
The intended audience for this document includes evaluators of the TOE,
system integrators who will be integrating the TOE into IT systems, and
Accreditors of the systems into which the TOE has been integrated.
1.3 Evaluated Configuration Guide Overview
This document explains the manner in which the TOE must be configured
along with the host operating system so as to provide the security functionality
and assurance as required under the Common Criteria for Information
Technology Security Evaluation [CC].
The TOE is hosted on Red Hat Enterprise Linux AS Version 4 Update 5
operating system platform and uses Oracle Application Server 10g Release 2
(10.1.3.3.0) as a container platform.
The assumptions and procedures stated in the document are intended to remove
potential vulnerabilities or attack paths from the TOE in its environment. They
do not have any impact on the correct implementation of the TOE’s SFs.
The Evaluation Assurance Level for the TOE is EAL4. The Security Target
used for the evaluation of the TOE is [ST], which also provides an overview of
the TOE.
1.4 Document Structure
This ECG is divided into 3 sections and 12 Annexes, as follows:
Section 1 (this section) provides an introduction to the ECG.
Section 2 provides the preparatory actions to be undertaken before
installing the software for the evaluated configuration.
Section 3 provides the order in which the software for Oracle Identity
Manager is installed in the evaluated configuration, and points to the
post-installation start up and shutdown procedures (Annex B) and to the
supporting procedures that ensure the TOE is operated in a way that
upholds the security objectives defined in [ST] (Annex K).
Annex A provides the list of components in servers required to install
and run the TOE.
Annex B provides the start up and shutdown procedures for the OIM
evaluated configuration.
Annex C provides steps needed to create an installation of Red Hat
Enterprise Linux AS Version 4 Update 5 on an OIM server machine.
Annex D provides the steps needed to install Oracle Application Server
and Oracle Identity Management for use on the OIM server machine in
the evaluated configuration.
Annex E provides the steps needed to install Oracle Internet Directory for
use on the OID server machine in the evaluated configuration.
Annex F provides the steps needed to install an Oracle Database for use
on the Database server machine in the evaluated configuration.
Annex G provides recommendations for secure administration of audit in
OIM in the evaluated configuration.
Annex H provides the steps needed to harden OIM and Red Hat
Enterprise Linux AS Version 4 Update 5 for all server machines in the
evaluated configuration.
Annex I provides the steps needed to install and configure the DB and
OID Connectors for the OIM Server machine in the evaluated
configuration.
Annex J provides the steps needed to configure the Database and Internet
Directory Connectors for provisioning, reconciliation and attestation.
These are the examples used for evaluator testing.
Annex K provides additional guidance for secure administration of OIM.
This must be followed to maintain OIM in a secure state.
Annex L provides the list of documents that are referenced within this
guide, e.g. the Oracle Identity Management Security Target – [ST].
1.5 Format
Assertions for the physical, host, and Oracle configurations are given
identifiers to the left of each evaluation configuration requirement in bold Arial
font, e.g. [A-1] or a number to show the step, e.g. 1.
Mandatory evaluation configuration requirements use the words “must” and/or
“shall” in each assertion.
Strongly recommended evaluation configuration requirements use the words
“should” in each assertion.
Commands typed at the Linux command line are formatted in Courier
New, for example: oracle> mkdir oracle
Instructions regarding the use of a GUI are formatted in Times New Roman
(i.e. the default font for this document). The screen name is identified
using Courier New.
References to sections of documents listed in Annex L are in the format
[document, section].
2 Preparation
This part of the ECG provides the preparatory actions to be undertaken before
installing the software for the evaluated configuration of Oracle Identity
Manager (OIM).
2.1 Machine Configuration
In the configuration used for the evaluation testing of Oracle Identity Manager
10g (9.1.0.2), the OIM Server was installed on a DELL Rack Mounted Server,
which also hosted 2 virtual machines. Of the 2 virtual machines, 1 is a database
server and the other a directory server. This enabled testing of the TOE
provisioning to a database and reconciliation with a directory.
It is recommended that a production configuration of Oracle Identity
Manager (9.1.0.2) be deployed on physically separate servers.
The virtual machines allocated for the installation of the TOE during the
evaluation were:
Machines: db and oid
Specification: hosted on a Dell PowerEdge 1950 with Dual-Core Intel Xeon
5300 sequence processors (2.33 GHz), 4 GB RAM, running Red Hat Linux 4
Update 5 x86_64
Products to be installed: as per Annex A of this document.
Table 2.1: Virtual configuration of machines supporting the TOE
The TOE was installed without virtualisation on the above platform and
designated oim.
In addition, two client machines are required as follows:
DC Client: this is a Windows XP administration client with IE7 installed on it
for installing the OID and database connectors on the OIM Server. Version
9.1.0.1865.28 of the OIM Design Console is also installed on this, and patched
from the OIM 9.1.0.2 patch as specified in [DCIG, 3.4].
User Client: this is a Windows XP client machine also with IE7.
The list below gives a high level overview of which key components are
installed where and their purpose.
Machine 1 – oim
Hostname: oim.oim-test.com
IP address: 172.20.16.139, subnet mask: 255.255.240.0
Operating System: Red Hat Enterprise Linux 4 Update 5
Installed Components:
Oracle Application Server 10g (10.1.3.3.0)
Oracle Database 10g (10.2.0.2.0)
Oracle Identity Manager 10g (9.1.0.2) – instance of TOE
Database User Management Connector (9.0.4.5) – part of TOE
Oracle Internet Directory Connector (9.0.4.5) – part of TOE
Machine 2 – db
Hostname: odb.sme1.com
IP address: 172.20.18.210 subnet mask: 255.255.240.0
Operating System: Red Hat Enterprise Linux 4 Update 5
Installed Components:
Oracle Database 10g (10.2.0.1.0)
Machine 3 – oid
Hostname: oid.sme1.com
IP address: 172.20.18.211 subnet mask: 255.255.240.0
Operating System: Red Hat Enterprise Linux 4 Update 5
Installed Components:
Oracle Internet Directory 10g (10.1.4.0.1)
2.2 Physical Environmental Assumptions
This section describes physical requirements on the server machine so that the
security of the TOE can be maintained.
[IM.A-1] The processing resources of the TOE shall be located within controlled access
facilities which will prevent unauthorised physical access to the TOE by
unprivileged users. Only authorised administrators for the system hosting the
TOE shall have physical access to that system. Such administrators include the
Operating System Administrators, Access and Identity Master Administrators,
OID Directory Administrators and Database Administrators.
[IM.A-2] The media on which the TOE audit data resides shall not be physically
removable from the underlying operating system by unauthorised users.
[IM.A-3] Any on-line and/or off-line storage media on which security relevant data
resides shall be located within controlled access facilities which will prevent
unauthorised physical access.
2.3 Electronic Delivery of the TOE
To receive electronic delivery of OIM, complete the following steps:
1. If you do not already have a SHA-1 file hash tool, download an
appropriate one to verify SHA-1 checksums. SHA-1 tools are available
for every platform.
2. Access the Oracle E-Delivery website at: https://edelivery.oracle.com
3. (Optional) Choose a language preference.
4. Click Continue.
5. Enter your user information and click the checkboxes to agree to the
license terms and export restrictions, then click Continue.
6. Select Oracle BEA in the Product Pack field, then select Linux
x86-64 or Linux x86 in the Platform drop-down list.
7. Select Oracle Application Server 10g Release 3 (10.1.3) Media Pack for
Linux x86 Part number B36233-39 from the results list, then click
Continue.
8. Select the following from the list
Oracle Identity Management Infrastructure and Oracle Identity
Federation (10.1.4.0.1) for Linux x86 (CD 1 of 2) part number
B30971-01
Oracle Identity Management Infrastructure and Oracle Identity
Federation (10.1.4.0.1) for Linux x86 (CD 2 of 2) part number
B30972-01
9. Click the View Digest button. A popup window displays with all
available checksum values (both MD5 and SHA-1). Note that you
should only use the SHA-1 checksum for verification. Take a note of
the SHA-1 checksum value provided for the desired download
(depending on your OS platform).
10. Make sure that the certificate presented by the web page that displays
the digest is signed by a trusted CA. If your browser displays no error
message regarding the certificate, then it is signed by a trusted CA
already known to the browser (here: VeriSign). You can check this by
moving the mouse pointer over the secure session symbol (the padlock)
in the browser.
11. If the certificate fails verification, the displayed digest cannot be
trusted and must not be used.
12. Close the View Digest popup window.
13. Click the Download button for the desired download (depending on
your OS platform) and save the selected .zip file to the desired disk
location.
14. Using the SHA-1 tool from step 1, verify that the SHA-1 checksum of
your download matches the checksum shown on the Oracle download
page. Do not install from a file whose checksum does not match.
To obtain the correct version of the Connectors, raise an SR on
https://support.oracle.com/ and ask for a URL for V17360-01 – Oracle®
Identity Manager Connectors, or request the Database and OID Connector
from this media.
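As an added example that is not part of the Oracle guide, the following POSIX shell function performs the step 14 check offline: it computes the SHA-1 of a downloaded file with sha1sum (falling back to openssl), compares it case-insensitively with the digest copied from the View Digest window, and refuses any expected value that is not 40 hex characters, so an MD5 pasted by mistake is rejected outright rather than reported as a mismatch. The file name B30971-01.zip and its contents below are constructed stand-ins, and the expected value is the published SHA-1 test vector for the string "abc", not an Oracle-published digest.

```shell
#!/bin/sh
# Added example: verify an E-Delivery download against the SHA-1 shown in "View Digest".
# Assumes coreutils sha1sum or, failing that, openssl is on the PATH.

# sha1_of FILE: print the lowercase SHA-1 hex digest of FILE
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_sha1 FILE EXPECTED
#   returns 0 when FILE's SHA-1 equals EXPECTED (compared case-insensitively),
#           1 on a mismatch or a missing file,
#           2 when EXPECTED is not a 40-hex-digit SHA-1 (e.g. an MD5 copied by mistake)
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*)
            echo "REJECT   $file: '$2' is not a hex digest" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "REJECT   $file: '$2' has ${#expected} hex chars; SHA-1 has 40 (MD5 has 32)" >&2
        return 2
    fi
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 1; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# Demonstration on constructed data (not a real Oracle media file).
DEMO_DIR=$(mktemp -d)
printf 'abc' > "$DEMO_DIR/B30971-01.zip"                 # stand-in for the download
SHA1_ABC=a9993e364706816aba3e25717850c26c9cd0d89d         # SHA-1("abc"), FIPS 180-1 test vector
MD5_ABC=900150983cd24fb0d6963f7d28e17f72                  # MD5("abc"), must be rejected as non-SHA-1

verify_sha1 "$DEMO_DIR/B30971-01.zip" "$SHA1_ABC"                 # OK
verify_sha1 "$DEMO_DIR/B30971-01.zip" "$MD5_ABC" || true          # REJECT: 32 hex chars, not SHA-1
verify_sha1 "$DEMO_DIR/B30971-01.zip" "${SHA1_ABC%?}0" || true    # MISMATCH: last digit altered
rm -rf "$DEMO_DIR"
```

On a real download the expected value is the SHA-1 string copied from the View Digest window; the length check is there because that window shows an MD5 next to the SHA-1, and the guide requires that only the SHA-1 be used.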
2.4 Physical Delivery of the TOE
To request the media pack:
1. Go to www.oracle.com and select Shop Online.
2. Choose the appropriate store and select Application Server.
3. Select Identity Management Infrastructure and Oracle Identity
Management (9.1.0.2) and choose your licensing terms.
4. Select ‘Purchase Media Packs’.
5. Select Linux x86.
6. Select Oracle Identity Management Infrastructure and Oracle Identity
Management (9.1.0.2) for Linux x86 Media Pack for Linux x86 (32 bit).
When the media pack arrives the relevant CDs / DVDs are:
V17360-01 – Oracle® Identity Manager Connectors
B30972-01 – Oracle® Identity Management Infrastructure and Oracle Identity
Federation (10.1.4.0.1) for Linux x86.
3 Installation
This chapter describes the installation of the software for the evaluated
configuration.
Many of the instructions are performed at the command line. They must be
performed as the user denoted by the prompt, e.g. root>.
When switching users at the command line always use the argument '-', for
example su - orainfra, to ensure that the user's environment (such as
$ORACLE_HOME) is set correctly.
Throughout this document example hostnames are used (for example,
odb.sme1.com). When updating these to reflect the end customer
infrastructure, care must be taken that they are changed consistently. It is
recommended that a log book is used during the installation to note these
down. The full list of passwords and passphrases against different usernames
should also be compiled during installation. When installation is complete, this
should be stored in a secure location for use in an emergency.
The port numbers referenced in this document are the defaults used during the
install process, but because the installer picks a different port when a default
is already in use, always check the ports actually in use. The ports chosen at
install time are recorded in $ORACLE_HOME/install/portlist.ini; the ports
currently being listened on can be checked at any time by running
netstat -ltpn as root.
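As an added example that is not part of the Oracle guide, the following POSIX shell functions turn that check into a script: they read the ports recorded in portlist.ini, read the ports actually in the LISTEN state from netstat -ltpn output, and report both configured ports that nothing is listening on and listening ports that the installer did not configure (the second list is what a firewall rule set in Annex H.5 should be reconciled against). The portlist.ini and netstat text below are constructed samples for the demonstration; the component names, PIDs and the deliberately missing port are illustrative and not values from the evaluation. On a live server the functions are fed the real file and the real netstat output, as shown in the comment at the end.

```shell
#!/bin/sh
# Added example: reconcile the ports recorded by the installer with the ports actually open.

# Constructed sample of $ORACLE_HOME/install/portlist.ini ("Component = port" lines).
PORTLIST_SAMPLE='[System]
Host Name = oim.oim-test.com

[Ports]
Oracle HTTP Server listen port = 7777
Oracle HTTP Server SSL port = 4446
Oracle Notification Server Request port = 6003
Oracle Database Listener = 1521'

# Constructed sample of `netstat -ltpn` output: 6003 is deliberately absent, sshd (22) is extra.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      4321/httpd
tcp        0      0 0.0.0.0:4446            0.0.0.0:*               LISTEN      4321/httpd
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN      2222/tnslsnr
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1111/sshd'

# portlist_ports: stdin = portlist.ini text; stdout = one port number per line, file order
portlist_ports() {
    sed -n 's/^[^=]*= *\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# listening_ports: stdin = netstat -ltpn output; stdout = unique local TCP ports in LISTEN state
# (column 4 is "addr:port"; taking the last ":"-separated field also handles tcp6 "::" addresses)
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# missing_ports PORTLIST NETSTAT: ports recorded by the installer that nothing is listening on
missing_ports() {
    expected=$(printf '%s\n' "$1" | portlist_ports)
    actual=$(printf '%s\n' "$2" | listening_ports)
    for p in $expected; do
        printf '%s\n' "$actual" | grep -qx "$p" || echo "$p"
    done
}

# unexpected_ports PORTLIST NETSTAT [ALLOWED]: listening ports that are neither in portlist.ini
# nor in the space-separated ALLOWED list (e.g. "22" for sshd)
unexpected_ports() {
    expected=$(printf '%s\n' "$1" | portlist_ports)
    actual=$(printf '%s\n' "$2" | listening_ports)
    allowed=${3:-}
    for p in $actual; do
        printf '%s\n' "$expected" | grep -qx "$p" && continue
        printf '%s\n' $allowed | grep -qx "$p" && continue
        echo "$p"
    done
}

echo "Configured but not listening:"
missing_ports "$PORTLIST_SAMPLE" "$NETSTAT_SAMPLE"
echo "Listening but not configured (sshd allowed):"
unexpected_ports "$PORTLIST_SAMPLE" "$NETSTAT_SAMPLE" "22"

# On a live server, as root with ORACLE_HOME set for the installation being checked:
#   missing_ports "$(cat "$ORACLE_HOME/install/portlist.ini")" "$(netstat -ltpn)"
#   unexpected_ports "$(cat "$ORACLE_HOME/install/portlist.ini")" "$(netstat -ltpn)" "22"
```

A port in the first list usually means a component failed to start or started on a different port than the installer recorded; a port in the second list is one to account for before the firewall is enabled.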
As SSL is used within the TOE, some steps require signed certificates. Either an
internal Certification Authority (CA) can be used, or certificate signing requests
will need to be sent to a commercial CA for signing. The former was used
during the evaluation for convenience.
3.1 Oracle Identity Management Installation Order
In order to install an instance of an Oracle Identity Manager (OIM) server
in the evaluated configuration the steps in the following Annexes should be
followed in the order given below:
Red Hat Enterprise Linux AS Version 4 Update 5 shall be installed as
described in Annex C and [ECGOEL4] for all OIM server machines to be set
up in the evaluated configuration.
Annex D describes the steps needed to install OIM Server.
Annex E describes the steps needed to install an OID Server for use as a trusted
source for OIM reconciliation.
Annex F describes the steps needed to install an Oracle Database Server for
provisioning by OIM.
Annex G describes how to configure the OIM auditing functionality securely.
Annex H describes the steps needed to harden OIM, clients and the Red Hat
Enterprise Linux AS Version 4 Update 5 for security.
Annex I describes the steps needed to install the Database and Internet
Directory Connectors.
Annex J describes how to configure the OIM Database and Internet Directory
Connectors for provisioning, reconciliation and attestation. This was the
foundation set up for evaluator testing. As such, the instructions in this Annex
are a resource for configuring OIM and the connectors, however they are not
normative or required for secure configuration.
3.2 Start up and Shutdown procedure
This is provided in Annex B. This should not be attempted until all steps for at
least one Oracle Identity Management with Connectors, Oracle Database and
Oracle Internet Directory instance have been completed.
Annex A TOE Components
A.1 Oracle Identity Management Server
A.1.1 Oracle Application Server for Oracle Identity Manager
OracleAS 10gR2 10.1.3.1.0 is the base, on which is installed Patches 668525,
5389650 and 6454278 to take it to OracleAS 10gR2 10.1.3.3.0.
A.1.2 Oracle Database for Oracle Identity Manager
Oracle Database 10.2.0.1.0 is the base.
Upgrade of Oracle Database to 10.2.0.2.0 via Patch 4547817
A.1.3 Oracle Identity Manager
Oracle Identity Manager 9.1.0.1
Upgrade of Oracle Identity Manager to 9.1.0.2 via Patch 8484010
A.1.4 Oracle Connector Pack for Oracle Database
Oracle Identity Manager Connector Pack 9.0.4.5
A.1.5 Oracle Connector Pack for Oracle Internet Directory
Oracle Identity Manager Connector Pack 9.0.4.5
A.2 Supporting components for TOE testing
A.2.1 Oracle Database Server
Oracle Database 10.2.0.1.0
A.2.2 Oracle Internet Directory
Oracle Internet Directory 10.1.4.0.1
Annex B Server Start up and Shutdown Procedures
This Annex describes the post-installation actions to start and stop the OIM
Server in the evaluated configuration.
B.1 Start order
The evaluators' test configuration should be started in the following order:
OIM Server
DB Server
OID Server
B.2 OIM Server
B.2.1 Start Up
Run the following commands from root on the OIM server to be started:
# su - oracle
$ lsnrctl start
$ sqlplus / as sysdba
SQL> startup
SQL> quit
$ opmnctl startall
Start a web browser on a Windows client machine configured
as specified in Annex H.1 and access the following URL:
https://oim.oim-test.com:4446/xlWebApp/
Security note:
All privileged users should ensure that after performing their tasks, they log off and close down their browser before browsing to other sites. If access to other websites is required at the same time as access to OIM administration features, a different browser should be used (i.e. not Internet Explorer).
B.2.2 Shutdown
Run the following commands from root on the OIM server to be shutdown:
# su - oracle
$ opmnctl stopall
$ sqlplus / as sysdba
SQL> shutdown immediate
SQL> quit
$ lsnrctl stop
B.3 Database Server
B.3.1 Start Up
Run the following commands from root on the Database server to be started:
# su - oradb
$ lsnrctl start
$ sqlplus / as sysdba
SQL> startup
SQL> quit
B.3.2 Shutdown
Run the following commands from root on the Database server to be
shutdown:
# su - oradb
$ sqlplus / as sysdba
SQL> shutdown immediate
SQL> quit
$ lsnrctl stop
B.4 Internet Directory Server
B.4.1 Start Up
Run the following commands from root on the Oracle Internet Directory
server to be started:
# su - orainfra
$ lsnrctl start
$ sqlplus / as sysdba
SQL> startup
SQL> quit
$ opmnctl startall
$ emctl start iasconsole
$ emctl start dbconsole
B.4.2 Shutdown
Run the following commands from root on the Oracle Internet Directory server
to be shutdown:
# su - orainfra
$ opmnctl stopall
$ emctl stop iasconsole
$ emctl stop dbconsole
$ sqlplus / as sysdba
SQL> shutdown immediate
SQL> quit
$ lsnrctl stop
Annex C Install Red Hat Linux 4 Update 5 x86_64 for OIM server
This annex describes the steps required to install the evaluated configuration of
Oracle Enterprise Linux 4 Update 5 x86_64 for the OIM server. [ECGOEL4]
may be read for general guidance when installing Oracle Enterprise Linux.
C.1 Install the Operating System
Perform a standard Red Hat Enterprise Linux Advanced Server 4 update 5
installation bearing in mind the following settings:
Use automatic partitioning
Configure the network as required, e.g. eth0 172.20.16.139/255.255.240.0
Set the firewall to disabled (Note: this will be enabled later)
Set the SELinux setting to ‘Warn’
Customise software packages to be installed:
development->development tools
system->system tools; plus sysstat.
Graphical internet->unselect all except for firefox
For the user account, create a user called oracle.
C.2 Patch the Operating System
Apply the latest Operating System security patches available via the Red Hat
network.
C.3 Configure the Operating System
[WOS.1] Load up a Terminal and as root perform some system configuration:
Set up the hosts file if DNS is not being used by adding the following lines, with
IP addresses and hostnames to match the infrastructure's conventions, e.g.:
172.20.18.201 oim.sme1.com oim
172.20.18.203 odb.sme1.com odb
172.20.18.210 oid.sme1.com oid
[WOS.2] Create the required operating system groups as root:
# groupadd oracle
# groupadd dba
[WOS.3] Add oracle to the oracle group:
root> usermod -g oracle -G dba oracle
[WOS.4] Create the directory /u01 to install the oracle software under and set the
ownership:
root> mkdir -p /u01/oracle
root> chown -R oracle:oracle /u01
root> chmod 770 /u01/oracle
[WOS.5] Setup kernel parameters, check parameters below and add following as
required to /etc/sysctl.conf:
# OIM ECG Changes
kernel.msgmnb=65535
kernel.msgmni=2878
kernel.msgmax=8192
kernel.shmall=2097152
kernel.shmmax=2147483648
kernel.shmmni=4096
kernel.sem=256 32000 100 142
fs.file-max=131072
net.ipv4.ip_local_port_range=1024 65000
net.core.rmem_default=262144
net.core.rmem_max=262144
net.core.wmem_default=262144
net.core.wmem_max=262144
[WOS.6] Load new kernel parameters:
root> sysctl -p
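A pre-flight check for [WOS.5] and [WOS.6], added here as an example and not part of the Oracle guide: it compares the required kernel parameters against what the host actually reports. The "current" values below are a constructed stand-in for `sysctl -a` output so the check runs offline; `live_sysctl_output()` reads the real values on a Linux host.

```python
"""Compare the kernel parameters required by [WOS.5] with live values.

Added example (not from the Oracle guide). Required values are those listed in
the guide's /etc/sysctl.conf fragment; the sample "current" values are
constructed and deliberately contain two wrong values and one missing key.
"""
import subprocess

# Required settings exactly as listed in the guide's sysctl.conf fragment.
REQUIRED_SYSCTL = """
kernel.msgmnb=65535
kernel.msgmni=2878
kernel.msgmax=8192
kernel.shmall=2097152
kernel.shmmax=2147483648
kernel.shmmni=4096
kernel.sem=256 32000 100 142
fs.file-max=131072
net.ipv4.ip_local_port_range=1024 65000
net.core.rmem_default=262144
net.core.rmem_max=262144
net.core.wmem_default=262144
net.core.wmem_max=262144
"""

# Constructed sample of `sysctl -a` output. Multi-value parameters are printed
# tab-separated by the real command, which is why values are normalised below.
# kernel.shmmax and fs.file-max are too low and net.core.wmem_max is absent.
SAMPLE_SYSCTL_A = """\
kernel.msgmnb = 65535
kernel.msgmni = 2878
kernel.msgmax = 8192
kernel.shmall = 2097152
kernel.shmmax = 33554432
kernel.shmmni = 4096
kernel.sem = 256\t32000\t100\t142
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024\t65000
net.core.rmem_default = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
"""


def parse_sysctl(text):
    """Parse 'key = value' or 'key=value' lines into a dict.

    Blank lines and '#' comments are skipped; runs of whitespace inside a
    value are collapsed so tabs and spaces compare equal.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        params[key.strip()] = " ".join(value.split())
    return params


def compare_sysctl(required_text, current_text):
    """Return {key: (required, current)} for every parameter that is missing
    (current is None) or differs. An empty dict means the host matches [WOS.5]."""
    required = parse_sysctl(required_text)
    current = parse_sysctl(current_text)
    mismatches = {}
    for key, want in required.items():
        have = current.get(key)
        if have != want:
            mismatches[key] = (want, have)
    return mismatches


def live_sysctl_output():
    """Read the real values with `sysctl -a` (Linux only; not used by the demo)."""
    result = subprocess.run(["sysctl", "-a"], capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    diff = compare_sysctl(REQUIRED_SYSCTL, SAMPLE_SYSCTL_A)
    for key, (want, have) in sorted(diff.items()):
        print(f"{key}: required {want!r}, current {have!r}")
```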
[WOS.7] Create the directories for the installation media:
oracle> mkdir -p /space/src/oracle/AppServer
oracle> cd /space/src/oracle
oracle> mkdir -p Database
oracle> mkdir -p OIM9100
oracle> mkdir -p Connectors
oracle> mkdir -p Patches
oracle> chown -R oracle:oracle /space/src/oracle/*
[WOS.8] Unzip the installation media obtained using either 2.3 or 2.4, and patches as
specified in Annex A above for the Oracle Application Server, Database, OIM,
Connectors and Patches into the respective directories created above.
C.4 Install Java
The actions [WOS.10] to [WOS.11] listed in this section are required to
install Java for the OIM server before the installation of OIM server machine(s)
can be carried out.
Java is required to configure aspects of OIM, as a browser-based Java applet is used.
[WOS.10] Download the latest version of Java JRE for Linux from java.com, e.g. jre-6u21-linux-i586-rpm.bin
[WOS.11] Start Installer:
root> cp <path-to-java-installation-media>/jre-6u21-linux-i586-rpm.bin ~
root> cd ~
root> chmod +x jre-6u21-linux-i586-rpm.bin
root> ./jre-6u21-linux-i586-rpm.bin
root> cd /usr/lib/firefox-1.5.0.10/plugins/
root> ln -s /usr/java/jre1.6.0_21/plugin/i386/ns7/libjavaplugin_oji.so
Note: The firefox directory name referenced above may vary slightly
depending on the version installed.
Annex D OIM Server Installation
D.1 Install the Oracle Application Server
This step installs the Oracle Application Server Infrastructure (OracleAS)
including an instance of Oracle Database which will be used to store Oracle
Access Manager configuration data and also user details. Note: The
OracleAS installation also includes OHS and OC4J. Oracle Identity
Management is installed on OracleAS.
D.1.1 Installation Steps
[OAS.1] As oracle run the Application Server Installer:
# su - oracle
oracle> cd /space/src/oracle/AppServer
oracle> ./runInstaller
[OAS.2] On the Oracle Application Server SOA Suite 10.1.3.1.0
Installation screen:
Click->Advanced Install radio button
Select->Next
Select->Yes
[OAS.3] On the Specify Inventory Directory and Credentials
screen:
Change the path to /u01/oracle/inventory
Specify the Operating System group name as oracle
Select->Next
[OAS.4] A pop up screen appears containing instructions to run a script as a root user in
/u01/oracle/inventory. Using the open terminal type:
oracle> su - root
# cd /u01/oracle/inventory
# ./orainstRoot.sh
# cd /u01/
# chown -R oracle:oracle OraInventory
When this has completed successfully, return to the pop up screen and
Select->Continue
[OAS.5] On the Select Installation Type screen:
Select->J2EE Server and Web Server
Select->Next
[OAS.6] On the Prerequisite Checks screen all checks should succeed. On
completion:
Select->Next
[OAS.7] On the Port Configuration Options screen accept the default of
Automatic port configuration and then
Select->Next
[OAS.8] On the Administration Settings screen enter the following values:
AS Instance Name->AS1
AS Administrator->oc4jadmin
AS Administrator Password->enter a secure password: should be at least 6
characters and not be a dictionary word, be alpha-numeric and have at least
one number, capital letter; optionally one special character from the
following: $, _, #
Check->box marked Configure this as an Administration OC4J instance.
OC4J Instance Name->oc4j_home
Select->Next
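The password rule above is repeated for the database accounts, oim_manager and xelsysadm, and a stricter variant applies to the keystore passwords in D.13. As an added example (not part of the Oracle guide), the checker below implements both rules so passwords can be verified before they are typed into the installers; the dictionary word list is a constructed stand-in for a real word list.

```python
"""Checker for the password rule this guide applies to oc4jadmin, the
database accounts, oim_manager and xelsysadm (min 6 chars, not a dictionary
word, alphanumeric with a digit and a capital, optional special from $ _ #),
and for the keystore rule in D.13 (min 8 chars, special character required).
Added example; not part of the Oracle guide."""

ALLOWED_SPECIALS = "$_#"  # the only special characters the guide permits

# Constructed stand-in; a real check would load e.g. /usr/share/dict/words.
DICTIONARY_WORDS = {"oracle", "password", "welcome", "manager", "identity", "secret"}


def check_password(pw, min_len=6, require_special=False, dictionary=DICTIONARY_WORDS):
    """Return a list of rule violations; an empty list means the password passes.

    Checks, in order: length, dictionary word, at least one digit, at least
    one capital letter, only letters/digits/$ _ # present, and (optionally)
    at least one of the permitted special characters.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in dictionary:
        problems.append("is a dictionary word")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(c.isupper() for c in pw):
        problems.append("needs at least one capital letter")
    illegal = sorted({c for c in pw if not c.isalnum() and c not in ALLOWED_SPECIALS})
    if illegal:
        problems.append("contains characters outside a-z, A-Z, 0-9, $, _, #: " + "".join(illegal))
    if require_special and not any(c in ALLOWED_SPECIALS for c in pw):
        problems.append("needs one of the special characters $, _ or #")
    return problems


def check_keystore_password(pw):
    """The D.13 keystore rule: at least 8 characters, a digit, a capital and a special."""
    return check_password(pw, min_len=8, require_special=True)


if __name__ == "__main__":
    # Constructed sample passwords; the values are illustrative only.
    for candidate in ["Xl9admin", "Oracle", "Ab1!cdef", "Xl9_admin"]:
        print(candidate, "->", check_password(candidate) or "OK",
              "| keystore:", check_keystore_password(candidate) or "OK")
```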
[OAS.9] On the Cluster Topology Configuration screen
Select->Next
[OAS.10] On the Summary screen
Select->Install
[OAS.10] On the Installation screen
The product is installed. This will take some time. Progress is marked by a
status bar showing % complete.
[OAS.11] Part way through a pop up screen appears containing instructions to run a
configuration script as a root user in
/u01/oracle/product/10.1.3.1/OracleAS_1.
Using the open terminal type:
# cd /u01/oracle/product/10.1.3.1/OracleAS_1
# ./root.sh
When this has completed successfully, return to the pop up screen and
Select->OK
The installation completes.
[OAS.10] On the Configuration Assistants screen, each configuration step is
run with the status displayed. This may take some time to complete.
Select->Next when complete.
[OAS.11] On the End Of Installation screen:
Note down the URL of the Oracle Application 10g Server welcome screen: e.g.
http://oim.oim-test.com:7777/
Select-> Exit
D.2 Upgrade the Oracle Application Server
This upgrades the Oracle Application Server to 10.1.3.3.0.
D.2.1 Installation Steps
[UAS.1] As oracle run the OAS 10.1.3.3.0 Patch Installer:
# su - oracle
oracle> cd /space/src/oracle/Patches/p6148874/Disk1
oracle> ./runInstaller
[UAS.2] On the Welcome screen:
Select-> Next
[UAS.3] On the Specify file locations screen:
Source->/space/src/oracle/Patches/p6148874/Disk1/stage/products.xml
Destination name->oracleas1
Destination -> /u01/oracle/product/10.1.3.1/OracleAS_1
Select-> Next
[UAS.4] On the Administrator (oc4jadmin)Password screen:
Enter the oc4jadmin password as specified at [OAS.8]. Select-> Next
[UAS.5] On the Installation Summary screen
Select->Install
[UAS.6] On the Install screen
The patch is installed. This will take some time. Progress is marked by a status
bar showing % complete.
[UAS.7] Part way through a set up privileges pop up screen appears containing
instructions to run a configuration script as a root user in
/u01/oracle/product/10.1.3.1/OracleAS_1.
Using the open terminal type:
# su - root
# cd /u01/oracle/product/10.1.3.1/OracleAS_1
# ./root.sh
# exit
When this has completed successfully, return to the pop up screen and
Select->OK
The installation completes.
[UAS.8] On the Configuration Assistants screen, each configuration step is
run with the status displayed. This may take some time to complete.
Select->Next when complete.
[UAS.9] On the End Of Installation screen:
Select-> Exit
D.3 Create OC4J Instance for OIM
This creates an OC4J instance in which OIM will be able to run.
D.3.1 Installation Steps
[OC4J.1] From the Linux menu open the firefox web browser. Enter
http://host.domain.com:7777/em (e.g. http://oim.oim-test.com:7777/em).
Log on to the Enterprise Manager using oc4jadmin and the administrator
password as specified at [OAS.8].
[OC4J.2] Click on the Application Server name (AS1).
Click on the Create OC4J Instance button.
[OC4J.3] Enter the OC4J instance name (oc4j_oim). Select the Add to a new
group with name radio button.
Enter the group name – oim_group
Also, tick the Start this OC4J instance after creation box.
[OC4J.4] Click on Create button.
Completion is confirmed and you can logout.
[OC4J.5] Using the open terminal, run the following commands:
oracle> cd ~
oracle> nano ./.bash_profile
enter the following:
export ORACLE_HOME=/u01/oracle/product/10.1.3.1/OracleAS_1
export OAS_HOME=/u01/oracle/product/10.1.3.1/OracleAS_1
export JAVA_HOME=$OAS_HOME/jdk
export PATH=$JAVA_HOME/bin:$OAS_HOME/opmn/bin:$PATH
Ctrl-O
Ctrl-X
oracle> . ./.bash_profile
D.4 Apply Oracle Application Server CPU Patch
This patches the Oracle Application Server to 10.1.3.3.0.
D.4.1 Installation Steps
[PAS.1] First, update the opatch utility to the latest version. You can find this on the
Oracle support web site by searching for Patch 6880880 and downloading the
most recent versions for a Linux platform. At the time of writing OPatch 10.1
(for 9i) and OPatch 10.2 were used.
Technical note 283367.1 provides the background understanding you need to
manage opatch. For information about how to download the most recent
version see note 224346.1.
When you have downloaded the most recent opatch, copy the .zip file to /space/src/oracle/Patches/
As oracle in the terminal window perform the following commands:
oracle> opmnctl stopall
oracle> cd $OAS_HOME
oracle> mv OPatch OPatch_original
oracle> unzip /space/src/oracle/Patches/p6880880_101000_LINUX.zip -d $OAS_HOME
oracle> mv OPatch OPatch_10.1
oracle> unzip /space/src/oracle/Patches/p6880880_102000_LINUX.zip -d $OAS_HOME
oracle> mv OPatch OPatch_10.2
Installation has been done when the unzipping has completed.
You can confirm the version of opatch installed using:
oracle> $OAS_HOME/OPatch_10.x/opatch version
where x is 1 for the 10.1 directory and 2 for the 10.2 directory.
[PAS.2] Continue in the terminal window:
oracle> cd $OAS_HOME
oracle> cd ../6685235
oracle> $ORACLE_HOME/OPatch_10.1/opatch apply
oracle> cd ../5389650
oracle> $ORACLE_HOME/OPatch_10.1/opatch apply
oracle> cd ../6454278
oracle> $ORACLE_HOME/OPatch_10.1/opatch apply
During the above patch applications the questions raised by the installers
should be answered.
D.5 Configure RMI Settings
This configures the RMI .xml file and restarts the application server.
D.5.1 Installation Steps
[CRS.1] As oracle in the terminal window run the following:
oracle> nano $OAS_HOME/j2ee/oc4j_oim/config/rmi.xml
locate the "<rmi-server" tag
add the following within that tag:
max-server-sockets="200"
Ctrl-O
Ctrl-X to save and close
oracle> nano $OAS_HOME/opmn/conf/opmn.xml
locate the "oc4j_oim" text
scroll down 14 lines or so to locate the line containing:
<port id="rmi" range="12401-12500"/>
replace this line with:
<port id="rmi" range="12408"/>
Ctrl-O
Ctrl-X to save and close
oracle> opmnctl startall
D.6 Install Oracle Database for OIM
This creates a Database instance that OIM will use as its data repository.
D.6.1 Installation Steps
[DB.1] As oracle run the database 10.2.0.1.0 Installer:
# su - oracle
oracle> cd /space/src/oracle/Database/database
oracle> ./runInstaller
[DB.2] On the Select Installation Method screen:
The entries on this screen should be filled out as follows:
Oracle Home Installation->/u01/oracle/product/10.1.3.1/OracleAS_1
Installation Type-> Enterprise Edition 1.3GB
UNIX DBA Group-> oracle
Create Starter Database (additional 72M)->checked
Global Database Name: oracle
Database Password: enter a secure password: should be at least 6 characters
and not be a dictionary word, be alpha-numeric and have at least one number,
capital letter; optionally one special character from the following: $, _, #
Confirm Password: as previous
Select “Advanced Installation”
Select->Next
[DB.3] On the Select Installation Type screen:
Select->Enterprise Edition (1.26GB)
Select->Next
[DB.4] On the Specify Home Details screen enter:
Name->oimdb
Path->/u01/oracle/product/10.1.3.1/Database
Select->Next
[DB.5] On the Product Specific Prerequisite Checks screen all
checks should succeed. On completion:
Select->Next
[DB.6] On the Select Configuration Option screen:
Select->Install database Software only
Select->Next
[DB.7] On the Privilege Operating System Group screen, ensure that the
entries are as follows:
Database Administrator Group->oracle
Database Operator Group->oracle
Select->Next
[DB.8] On the Summary screen
Select->Install
[DB.9] On the Installation screen
The product is installed. This will take some time. Progress is marked by a
status bar showing % complete.
[DB.10] Part way through a pop up screen appears containing instructions to run a
configuration script as a root user in
/u01/oracle/product/10.1.3.1/Database/.
Using the open terminal type:
# cd /u01/oracle/product/10.1.3.1/Database
# ./root.sh
When this has completed successfully, return to the pop up screen and
Select->OK
The installation completes.
[DB.11] On the End Of Installation screen:
Select->Exit
D.7 Install Oracle Database Patchset
This upgrades the Database instance to 10.2.0.2.0.
D.7.1 Installation Steps
[UDB.1] As oracle run the database 10.2.0.2.0 Installer:
# su - oracle
oracle> cd /space/src/oracle/Patches/p4547817
oracle> ./runInstaller
[UDB.2] On the Welcome screen:
Select-> Next
[UDB.3] On the Specify Home Details screen enter:
Name->oimdb
Path->/u01/oracle/product/10.1.3.1/Database
Select->Next
[UDB.4] On the Summary screen
Select->Install
[UDB.5] On the Installation screen
The product is installed. This will take some time. Progress is marked by a
status bar showing % complete.
[UDB.6] Part way through a pop up screen appears containing instructions to run a
configuration script as a root user in
/u01/oracle/product/10.1.3.1/Database/.
Using the open terminal type:
# cd /u01/oracle/product/10.1.3.1/Database
# ./root.sh
When this has completed successfully, return to the pop up screen and
Select->OK
The installation completes.
[UDB.7] On the End Of Installation screen:
Select->Exit
D.8 Create Listener for OIM Database
This creates the Listener for the OIM Database.
D.8.1 Installation Steps
[LIS.1] As oracle run netca in an open terminal window:
# su - oracle
oracle> cd /u01/oracle/product/10.1.3.1/Database/bin
oracle> ./netca
[LIS.2] On the Welcome screen:
Select-> Listener Configuration
Select->Next
[LIS.3] On the Listener Configuration screen:
Select-> Add
Select->Next
[LIS.4] On the Listener Name screen:
Listener Name-> OIM_LISTENER
Select->Next
[LIS.5] On the Select Protocols screen:
Select->Next to select the default TCP option
[LIS.6] On the TCP/IP Protocol screen: Select->Next to select the default 1521 port
[LIS.7] On the More Listeners screen:
Select->No
Select->Next
Listener Configuration complete is displayed.
[LIS.8] On the Completion Message screen:
Select->Next
[LIS.9] On the Welcome screen that is re-displayed:
Select->Finish
D.9 Create Database Instance for OIM Database
This creates the Database instance for the OIM Database.
D.9.1 Installation Steps
[DBC.1] As oracle run dbca in an open terminal window:
oracle> ./dbca
[DBC.2] On the Welcome screen:
Select->Next
[DBC.3] On the Step 1 screen: Select-> Create a Database
Select->Next
[DBC.4] On the Step 2 screen:
Select-> Custom Database
Select->Next
[DBC.5] On the Step 3 screen:
Enter Global Database Name-> [e.g. use domain in format oim.oim-test.com]
Enter SID->oim
Select->Next
[DBC.6] On the Step 4 screen:
Accept defaults: configure the Database with Enterprise Manager & Use
Database Control for Database Management; so just:
Select->Next
[DBC.7] On the Step 5 screen:
Enter the password, same ALL accounts->
Use a secure password: should be at least 6 characters and not be a dictionary
word, be alpha-numeric and have at least one number, capital letter;
optionally one special character from the following: $, _, #
Select->Next
[DBC.8] On the Step 6 screen: Accept default: File System; so just
Select->Next
[DBC.9] On the Step 7 screen:
Accept default: Use Database File Locations ...; so just
Select->Next
[DBC.10] On the Step 8 screen:
Accept default recovery option; so just
Select->Next
[DBC.11] On the Step 9 screen:
Accept default database content options; so just
Select->Next
[DBC.12] On the Step 10 screen:
Select->All Initialization Parameters button
Select->Show Advanced Parameters button
Scroll down to QUERY_REWRITE_INTEGRITY parameter and change the
value->trusted
Select->Close
Select->Next
[DBC.13] On the Step 11 Database Storage screen:
Select->Next
[DBC.14] On the Step 12 Creation options screen: Accept defaults
Select->Finish
The confirmation screen is displayed showing the database details to be
created.
Select->OK to complete
[DBC.15] On the Database Configuration Assistant screen:
Progress is displayed as the database is created.
This process may take some time.
[DBC.16] On the Database Configuration Assistant screen a Database
Creation completion message is displayed.
Select->Exit to finish
[DBC.17] In the terminal window as oracle, run the following command:
oracle> lsnrctl start
D.10 Prepare Database Instance for OIM Installation
This prepares the Database instance for the OIM installation.
D.10.1 Installation Steps
[PDB.1] As oracle in the open terminal window:
oracle> nano ~/.bash_profile
ensure the following is set:
export ORACLE_HOME=/u01/oracle/product/10.1.3.1/Database
export ODB_HOME=/u01/oracle/product/10.1.3.1/Database
export OAS_HOME=/u01/oracle/product/10.1.3.1/OracleAS_1
export JAVA_HOME=$OAS_HOME/jdk
export PATH=$PATH:$JAVA_HOME/bin:$OAS_HOME/opmn/bin:$ODB_HOME/bin
Ctrl-O; Ctrl-X
oracle> su - oracle {ensure that environment variables are set}
oracle> cd /space/src/oracle/OIM9101/installServer/Xellerate/db/oracle
oracle> cp prepare_xl_db.sh $ODB_HOME
oracle> cp xell_db_prepare.sql $ODB_HOME
oracle> cd $ODB_HOME
oracle> chmod 755 prepare_xl_db.sh
oracle> chmod 755 xell_db_prepare.sql
oracle> dos2unix prepare_xl_db.sh
oracle> groups
response should be:
oracle osdba dba
if dba is not present then
oracle> su - root
# usermod -a -G dba oracle
# exit
oracle> opmnctl stopall
oracle> lsnrctl stop
oracle> lsnrctl start
oracle> opmnctl startall
oracle> sqlplus / as sysdba
SQL> startup
SQL> exit
oracle> ./prepare_xl_db.sh
Respond as follows:
ORACLE_HOME:-> /u01/oracle/product/10.1.3.1/Database
ORACLE SID: oim
OIM user name: oim_manager
OIM user password: enter a secure password: should be at
least 6 characters and not be a dictionary word, be alpha-numeric
and have at least one number, capital letter; optionally one
special character from the following: $, _, #
Tablespace name: oim_data
The directory in which to store the data file:
/u01/oracle/product/10.1.3.1/Database/oradata/oim
The name of the data file: oim_data_01
The name of the temporary tablespace: temp
The prepare_xl_db.sh script then completes.
D.11 Install Oracle Identity Manager
This installs the Oracle Identity Manager.
D.11.1 Installation Steps
[OIM.1] As oracle in the open terminal window:
oracle> su - oracle {to ensure that environment variables are set}
oracle> export PATH=$JAVA_HOME/bin:$PATH
oracle> cd /space/src/oracle/OIM9101/installServer/
oracle> ./install_server.sh
[OIM.2] The installer runs in text mode. For language, press <Enter> to choose the
default of “English”.
[OIM.3] The welcome screen is displayed, accept default [1] by pressing <Enter>.
[OIM.4] The Admin User information is displayed. Enter the password for the
“xelsysadm” account. Use a secure password: should be at least 6 characters
and not be a dictionary word, be alpha-numeric and have at least one number,
capital letter; optionally one special character from the following: $, _, #.
Enter confirmation of secure password entered when prompted “Confirm User
Password”.
Accept default [1] by pressing <Enter>.
Accept default [1] by pressing <Enter> again.
[OIM.5] Select the OIM application to install: “2” for Oracle Identity Manager.
Accept default [0] to finish, by pressing <Enter>.
[OIM.6] When prompted enter the following responses for database connectivity
information:
Destination Directory->/u01/oracle/product/9.1.0/OIMServer
Accept default [1] to continue to next setting by pressing <Enter>.
Enter “y” to allow creation of the OIM Server destination directory specified
above.
Accept default [0] to select Oracle Database and continue to next screen by
pressing <Enter>.
Accept default [1] to continue to next setting by pressing <Enter>.
Accept default [Database Hostname-> localhost] and continue to next screen
by pressing <Enter>
Accept default [Port Number-> 1521] and continue to next screen by pressing
<Enter>
Enter “oim” for Database SID and press <Enter>
Enter “oim_manager” for User Name and press <Enter>
Accept default of [1] to proceed to the next screen.
[OIM.7] Enter the following configuration options:
Select Authentication Mode-> Accept default [0] which chooses Oracle
Identity Manager Default Authentication by pressing <Enter>
Accept default of [1] to proceed to the next screen.
Select Application Server-> Select “2” to choose Oracle Application Server
and press <Enter>, then accept [0] by pressing <Enter> to finish.
Accept default of [1] to proceed to the next screen.
The Application Server is clustered-> Accept default of “No” by pressing
<Enter>
Accept default of [1] to proceed to the next screen.
Location for Application Server-> enter
/u01/oracle/product/10.1.3.1/OracleAS_1 and press <Enter>
Location for the JDK-> enter /u01/oracle/product/10.1.3.1/OracleAS_1/jdk and
press <Enter>
Accept default of [1] to proceed to the next screen.
oc4jadmin username-> Accept default [oc4jadmin] by pressing <Enter>
password-> enter password as entered at [OAS.8] and press <Enter>
RMI Port Number-> change to “12408” and press <Enter>
OC4J Instance name-> enter “oc4j_oim” and press <Enter>
Should the installer fail by taking you back to “oc4jadmin username” re-create
the oc4j instance and try the installer from there. Ensure that the RMI settings
for such a new oc4j instance are configured as per D.5 above.
[OIM.8] Accept default of [1] to proceed to installation of OIM, which completes with
no errors. This step may take some time.
D.12 Upgrade OIM from 9.1.0.1 to 9.1.0.2
This upgrades the OIM Server to 9.1.0.2.
D.12.1 Installation Steps
[UPG.1] As oracle in the terminal window run the following commands:
oracle> su - oracle
oracle> cd /space/src/oracle/Patches/p8484010/db/oracle/Scripts
oracle> ./oim_db_upg_9101_to_9102.sh
ensure that the ORACLE_HOME is for the database:
/u01/oracle/product/10.1.3.1/Database
Use “y” to accept “oim” as database SID
Use: /space/src/oracle/Patches/p8484010 as the Db Schema
update script directory
Use: oim_manager for Db Schema user name
Enter password for oim_manager
Upgrade runs without errors:
Starting Oracle Identity Maanger Db Schema Upgrade....
Oracle Identity Manager Db Schema Upgrade Successful....
Starting Oracle Identity Manager Db Stored Procedure
Upgrade....
Oracle Identity Manager Db Stored Procedure Upgrade
Successful....
Please see logs at:
/space/src/oracle/Patches/p8484010/db/oracle/log/oim_db_upg_9101_to_9102
oracle> export ORACLE_HOME=$ODB_HOME
oracle> sqlplus
username: oim_manager
password: <oim_manager password> (see [PDB.1]) screen displays “connected”
SQL> @/space/src/oracle/Patches/p8484010/db/oracle/Scripts/Oracle_Enable_XACM.sql
script runs without errors
SQL>exit
oracle>
[UPG.8] Edit the LoadXML.sh file to set its variables as follows from the terminal window:
oracle> cd /space/src/oracle/Patches/p8484010/db/Metadata
oracle> nano LoadXML.sh
modify the following entries as follows:
# Set JAVA_HOME to point to java home
export JAVA_HOME=/u01/oracle/product/10.1.3.1/Database/jdk
# If you are running Oracle, uncomment the following lines and
# set the path of the directory containing Oracle JDBC Drivers.
export ORACLE_DRIVER_DIR=/u01/oracle/product/10.1.3.1/Database/jdbc/lib
#Set the Oracle JDBC driver being used for the OIM version
export JDBC_DRIVER_VERSION=ojdbc14.jar
#Set the OIM home location for the installation
export XLHOME=/u01/oracle/product/9.1.0/OIMServer/xellerate
Ctrl-O
Ctrl-X
[UPG.9] Run the LoadXML.sh file and respond to the prompts as required.
oracle> ./LoadXML.sh jdbc:oracle:thin:@//oim.oim-test.com
oim_manager password (see [PDB.1])
[UPG.11] Update the FormMetaData.xml file in $OIM_HOME/xellerate/config as follows:
oracle> cd $OIM_HOME/xellerate/config
oracle> nano FormMetaData.xml
In the Form name="5" element of the FormMetaData.xml file, add the lines highlighted in bold
font in the following code block:
<Form name="5">
<!-- Resource Name -->
<AttributeReference editable="true" optional="false">-502</AttributeReference>
<!-- Description -->
<AttributeReference editable="true" optional="false">-503</AttributeReference>
<!--Type-->
<AttributeReference editable="true" optional="true">-504</AttributeReference>
<!-- Target -->
<AttributeReference editable="true" optional="true">-505</AttributeReference>
<!-- Auto Prepopulate -->
<AttributeReference editable="true" optional="true">-506</AttributeReference>
<!-- Allow Multiple -->
<AttributeReference editable="true" optional="true">-507</AttributeReference>
<!-- Allow All -->
<AttributeReference editable="true" optional="true">-508</AttributeReference>
<!-- Auto Save -->
<AttributeReference editable="true" optional="true">-509</AttributeReference>
<!-- Auto Launch -->
<AttributeReference editable="true" optional="true">-510</AttributeReference>
<!-- Self Request Allowed -->
<AttributeReference editable="true" optional="true">-511</AttributeReference>
<!-- Provision By Resource Admin Only -->
<AttributeReference editable="true" optional="true">-512</AttributeReference>
<!-- Off-line Provisioning -->
<AttributeReference editable="true" optional="true">-513</AttributeReference>
<!-- Trusted Source -->
<AttributeReference editable="true" optional="true">-514</AttributeReference>
<!-- Sequence Recon -->
<AttributeReference editable="true" optional="true">-515</AttributeReference>
</Form>
<!-- Resource Management section -->
<!-- List of attributes that can be displayed in the "Resource" Form -->
<Attribute name="-501" variantType="long" datalength="50"
map="Objects.Key" />
<Attribute name="-502" label="taskdetails.label.resourcename"
displayComponentType="TextField" variantType="String"
dataLength="80"
map="Objects.Name" />
<Attribute name="-503"
label="UserGroupPolicies.label.columnHeading.policyDescription"
displayComponentType="TextField" variantType="String"
dataLength="256"
map="Structure Utility.Description" />
<Attribute name="-504" label="global.label.type"
displayComponentType="LookupField" variantType="long"
dataLength="256"
map="Objects.Type">
<ValidValues lookupCode="Lookup.Objects.Object Type"
selectionColumn="lkv_encoded"/>
</Attribute>
<Attribute name="-505" label="requestWizard.message.target"
displayComponentType="TextField" variantType="String"
dataLength="256"
map="Objects.Order For" />
<Attribute name="-506" label="global.label.autoprepopulate"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Auto Prepopulate" />
<Attribute name="-507"
label="dualListTest.message.resourceallowmultiple"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Allow Multiple" />
<Attribute name="-508" label="global.label.allowall"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Allow All" />
<Attribute name="-509" label="global.label.autosave"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Auto Save" />
<Attribute name="-510" label="global.label.autolaunch"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Auto Launch" />
<Attribute name="-511" label="global.label.selfrequestallowed"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Self Request Allowed" />
<Attribute name="-512"
label="global.label.provisionbyresourceadminonly"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Admin Only" />
<Attribute name="-513" label="global.label.offlineprovisioning"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Off-line Provisioning" />
<Attribute name="-514" label="global.label.trustedsource"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Trusted Source" />
<Attribute name="-515" label="global.label.sequencerecon"
displayComponentType="CheckBox" variantType="String" dataLength="1"
map="Objects.Sequence Recon" />
[UPG.10] Save and close the file: Ctrl-O, Ctrl-X.
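A consistency check for the hand edit in [UPG.11], added here as an example that is not part of the Oracle guide: it confirms that every AttributeReference inside <Form name="5"> resolves to an <Attribute name="..."> definition and that references -502 to -515 are all present. The sample document is constructed from the fragment above; its <FormMetaData> root element and the trimmed attribute definitions are assumptions, so point it at the real file instead of the sample in practice.

```python
"""Verify the FormMetaData.xml edit from [UPG.11].

Added example; not part of the Oracle guide. The root element name and the
attribute details in build_sample() are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# The references the guide adds to <Form name="5">: "-502" .. "-515".
EXPECTED_FORM5_REFS = [str(-n) for n in range(502, 516)]


def form_references(root, form_name="5"):
    """Return the attribute names referenced by <Form name=form_name>, in order.

    Whitespace is stripped because an edited or extracted file may wrap a
    value such as "-502" across lines.
    """
    form = root.find(f".//Form[@name='{form_name}']")
    if form is None:
        raise ValueError(f'no <Form name="{form_name}"> element found')
    return [(ref.text or "").strip() for ref in form.findall("AttributeReference")]


def defined_attributes(root):
    """Return the set of names declared by <Attribute name="..."> elements."""
    return {attr.get("name") for attr in root.iter("Attribute")}


def check_form_metadata(xml_text, form_name="5", expected=EXPECTED_FORM5_REFS):
    """Return {'unresolved': [...], 'missing': [...]}.

    unresolved: referenced in the form but defined nowhere in the document.
    missing:    expected by the guide but not referenced in the form.
    Both lists empty means the edit matches the guide.
    """
    root = ET.fromstring(xml_text)
    refs = form_references(root, form_name)
    defined = defined_attributes(root)
    return {
        "unresolved": [r for r in refs if r not in defined],
        "missing": [e for e in expected if e not in refs],
    }


def build_sample(refs, defined):
    """Construct a FormMetaData-shaped document for testing (not a real file).

    Attribute details are placeholders; only the name attribute matters here.
    """
    form = "".join(
        f'<AttributeReference editable="true" optional="true">{r}</AttributeReference>'
        for r in refs
    )
    attrs = "".join(
        f'<Attribute name="{d}" displayComponentType="TextField" '
        f'variantType="String" dataLength="1" map="Objects.Placeholder"/>'
        for d in defined
    )
    return f'<FormMetaData><Form name="5">{form}</Form>{attrs}</FormMetaData>'


if __name__ == "__main__":
    good = build_sample(EXPECTED_FORM5_REFS, ["-501"] + EXPECTED_FORM5_REFS)
    print("correct edit:", check_form_metadata(good))
    # A typo'd reference and one reference left out, to show both reports.
    bad = build_sample(EXPECTED_FORM5_REFS[:-1] + ["-599"], ["-501"] + EXPECTED_FORM5_REFS)
    print("broken edit:", check_form_metadata(bad))
```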
[UPG.11] Back up the xellerate directory as follows.
oracle> cd $OIM_HOME
oracle> mkdir ./xellerate_bu
oracle> cp -r ./xellerate ./xellerate_bu
[UPG.12] Perform the following commands:
oracle> cd xellerate
oracle> cp -r $PATCH/xellerate/lib/* ./lib/
oracle> cp -r $PATCH/xellerate/bin/* ./bin/
oracle> cp -r $PATCH/xellerate/webapp/* ./webapp/
oracle> cp -r $PATCH/xellerate/DDTemplates/* ./DDTemplates/
oracle> cp -r $PATCH/xellerate/ext/* ./ext
oracle> cp -r $PATCH/xellerate/customResources/* ./customResources/
oracle> cp -r $PATCH/xellerate/GTC/* ./GTC
oracle> cp -r $PATCH/xellerate/setup/oc4j-setup.xml ./setup/
D.13 Post OIM Installation Configuration
This configures the new OIM installation.
D.13.1 Configuration Steps
[PDB.1] As oracle in the open terminal window (ensure that the environment variables are set): oracle> su - oracle
oracle> cd $OIM_HOME/config
oracle> cp xlconfig.xml xlconfig.orig.xml
oracle> $JAVA_HOME/jre/bin/keytool -storepasswd -new <new secure password> -storepass xellerate -keystore .xlkeystore -storetype JKS
The <new secure password> above should be at least 8 characters, not be a dictionary word, be alpha-numeric, and have at least one number, one capital letter and one special character.
oracle> $JAVA_HOME/jre/bin/keytool -keypasswd -alias xell -keypass xellerate -new <new secure password> -keystore .xlkeystore -storepass <value of <new secure password>>
oracle> $JAVA_HOME/jre/bin/keytool -storepasswd -new <new secure password> -storepass xellerate -keystore .xldatabasekey -storetype JCEKS
Clear the command history:
oracle> history -c
oracle> nano ./xlconfig.xml
Find the following sections
<XLPKIProvider>, and then look for <KeyStore>
<XLPKIProvider>, and then look for <Keys>
<XLPKISymmetricProvider>, and then look for <KeyStore>
<RMSecurity>, and then look for <KeyStore>
<RMSecurity>, and then look for <TrustStore>
In each <Password> tag under the above sections, make the following amendment:
<Password encrypted="false">new secure password</Password>
The sections' content should then look like this (note that the indentation will differ):
<Security>
<XLPKIProvider>
<KeyStore>
<Location>.xlkeystore</Location>
<Password encrypted="false">new_password</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</KeyStore>
<Keys>
<PrivateKey>
<Alias>xell</Alias>
<Password encrypted="false">new_password</Password>
</PrivateKey>
</Keys>
...
<XLPKISymmetricProvider>
<KeyStore>
<Location>.xldatabasekey</Location>
<Password encrypted="false">new_password</Password>
<Type>JCEKS</Type>
<Provider>com.sun.crypto.provider.SunJCE</Provider>
</KeyStore>
...
<RMSecurity>
<KeyStore>
<Location>.xlkeystore</Location>
<Password encrypted="false">new_password</Password>
<Type>JKS</Type>
<Provider>sun.security.provider.Sun</Provider>
</KeyStore>
Ctrl-O
Ctrl-X
oracle> export ORACLE_HOME=$OAS_HOME
oracle> opmnctl stopall
oracle> opmnctl startall
If all has worked well and no debugging is required, delete xlconfig.orig.xml:
oracle> rm xlconfig.orig.xml
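The [PDB.1] edit of xlconfig.xml as an added Python example (not code from the OIM documentation or the product): it writes the new password into the five <Password> elements the steps list and reports any element still holding the shipped value. The element paths follow the page; the sample document and the script name are constructed for the example.

```python
"""Added example (not from the OIM documentation): apply and verify the
xlconfig.xml password edits from step [PDB.1].  The element paths are the
sections the page lists under <Security>; the sample file below is a
constructed stand-in for $OIM_HOME/config/xlconfig.xml."""
import getpass
import sys
import xml.etree.ElementTree as ET

# <Password> elements edited in [PDB.1], relative to the <Security> element.
PASSWORD_PATHS = [
    "XLPKIProvider/KeyStore/Password",
    "XLPKIProvider/Keys/PrivateKey/Password",
    "XLPKISymmetricProvider/KeyStore/Password",
    "RMSecurity/KeyStore/Password",
    "RMSecurity/TrustStore/Password",
]
FACTORY_PASSWORD = "xellerate"  # shipped keystore/key password that the steps replace

# Constructed sample; a real file carries other sections, which are left untouched.
SAMPLE_XLCONFIG = """<xl-configuration>
  <Security>
    <XLPKIProvider>
      <KeyStore>
        <Location>.xlkeystore</Location>
        <Password encrypted="false">xellerate</Password>
        <Type>JKS</Type>
        <Provider>sun.security.provider.Sun</Provider>
      </KeyStore>
      <Keys>
        <PrivateKey><Alias>xell</Alias>
          <Password encrypted="false">xellerate</Password></PrivateKey>
      </Keys>
    </XLPKIProvider>
    <XLPKISymmetricProvider>
      <KeyStore>
        <Location>.xldatabasekey</Location>
        <Password encrypted="false">xellerate</Password>
        <Type>JCEKS</Type>
      </KeyStore>
    </XLPKISymmetricProvider>
    <RMSecurity>
      <KeyStore><Location>.xlkeystore</Location>
        <Password encrypted="false">xellerate</Password></KeyStore>
      <TrustStore><Location>.xlkeystore</Location>
        <Password encrypted="false">xellerate</Password></TrustStore>
    </RMSecurity>
  </Security>
</xl-configuration>
"""


def _security(root):
    """Locate <Security> whether it is the document root or nested in it."""
    sec = root if root.tag == "Security" else root.find(".//Security")
    if sec is None:
        raise ValueError("xlconfig.xml has no <Security> section")
    return sec


def set_keystore_passwords(xml_text, new_password):
    """Write new_password into every [PDB.1] <Password> element.

    Returns (updated XML text, list of paths changed).  encrypted="false"
    tells OIM the value is clear text; OIM encrypts it on its next start."""
    root = ET.fromstring(xml_text)
    sec = _security(root)
    changed = []
    for path in PASSWORD_PATHS:
        elem = sec.find(path)
        if elem is None:
            raise ValueError("missing element Security/" + path)
        elem.text = new_password
        elem.set("encrypted", "false")
        changed.append(path)
    return ET.tostring(root, encoding="unicode"), changed


def factory_passwords_remaining(xml_text):
    """Paths still holding the shipped password; an empty list means [PDB.1] is done."""
    sec = _security(ET.fromstring(xml_text))
    remaining = []
    for path in PASSWORD_PATHS:
        elem = sec.find(path)
        if elem is not None and (elem.text or "").strip() == FACTORY_PASSWORD:
            remaining.append(path)
    return remaining


if __name__ == "__main__":
    # Usage: python3 xlconfig_passwords.py $OIM_HOME/config/xlconfig.xml
    # The password is read from the terminal so it never reaches the shell history.
    if len(sys.argv) < 2:
        updated, _ = set_keystore_passwords(SAMPLE_XLCONFIG, "Example#Pw9")
        print("sample still at factory password:", factory_passwords_remaining(updated))
    else:
        with open(sys.argv[1], encoding="utf-8") as fh:
            original = fh.read()
        updated, paths = set_keystore_passwords(original, getpass.getpass("New keystore password: "))
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(updated)
        print("updated", len(paths), "elements; factory values left:", factory_passwords_remaining(updated))
```

ElementTree rewrites the document without its XML comments, so keep the xlconfig.orig.xml copy made above until OIM has restarted cleanly.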
Annex E Install Identity Management & Metadata Repository on OID Server
E.1 Install the Operating System
Perform a standard Red Hat Enterprise Linux Advanced Server 4 update 5
installation bearing in mind the following settings:
Use automatic partitioning
Configure the network as required, e.g. eth0 172.20.16.211/255.255.240.0
Set the firewall to disabled (Note this will be enabled)
Set the SELinux setting to ‘Warn’
Customise software packages to be installed:
development->development tools
system->system tools; plus sysstat.
Graphical internet->unselect all except for firefox
For the user account, create a user called oracle.
Also create a user called orainfra for the OID install.
E.2 Patch the Operating System
Apply the latest Operating System security patches available via the Red Hat
network.
E.3 Configure the Operating System
[OS.1] Load up a Terminal and as root perform some system configuration:
Set up the hosts file if DNS is not being used by adding the following lines, with IP addresses and hostnames matching the infrastructure's conventions, e.g.:
172.20.16.139 oim.oim-test.com oim
172.20.18.210 oid.sme1.com oid
172.20.18.211 odb.sme1.com odb
[OS.2] Create the required operating system groups as root:
# groupadd oinstall
# groupadd dba
[OS.3] Add orainfra to the oinstall group:
root> usermod -g oinstall -G dba orainfra
[OS.4] Create the directory /u01 to install the oracle software under and set the
ownership:
root> mkdir -p /u01/orainfra
root> chown -R oracle:oinstall /u01
root> chmod 770 /u01/oracle
[OS.5] Set up kernel parameters: check the parameters below and add the following to /etc/sysctl.conf as required:
# OID ECG Changes
kernel.msgmnb=65535
kernel.msgmni=2878
kernel.msgmax=8192
kernel.shmall=2097152
kernel.shmmax=2147483648
kernel.shmmni=4096
kernel.sem=256 32000 100 142
fs.file-max=131072
net.ipv4.ip_local_port_range=1024 65000
net.core.rmem_default=262144
net.core.rmem_max=262144
net.core.wmem_default=262144
net.core.wmem_max=262144
[OS.6] Load new kernel parameters:
root> sysctl -p
[OS.7] Create the directories for the installation media:
oracle> mkdir -p /space/src/orainfra/
oracle> cd /space/src/orainfra
oracle> mkdir -p oid
oracle> chown -R oracle:oinstall /space/src/orainfra/*
[OS.8] Login to Oracle support and download "as_linux_x86_oim_oif_101401_disk1.cpio" and "as_linux_x86_oim_oif_101401_disk2.cpio".
[OS.9] Use "cpio -idm < filename.cpio" on the installation media obtained above for OID while in the directory created above.
E.4 Install the Identity Management & Metadata Repository
This step installs an instance of Oracle Internet Directory which will be used as
a trusted reconciliation source for OIM. The instructions should be run on the
Oracle Internet Directory server used in the evaluation.
E.4.1 Installation Steps
[IMW.1] As orainfra run the Identity Management Installer: oracle> su - orainfra
orainfra> /media/cdrom/runInstaller
[IMW.2] On the Welcome screen:
Select-> Next
[OUI.1] On the Specify Inventory Directory and Credentials
screen:
Change the path to /u01/Orainventory
Specify the Operating System group name as oinstall
Select->Next
[OUI.2] A pop up screen appears containing instructions to run a script as a root user in
/u01/oraInventory. Using the open terminal type: oracle> su - root
# cd /u01/oracle/inventory
# ./orainstRoot.sh
# cd /u01/
# chown -R orainfra:oinstall OraInventory
When this has completed successfully, return to the pop up screen and
Select->Continue
[IMW.3] On the Specify file locations screen:
Destination Name -> infra_1
Leave source as default
Path -> /u01/app/oracle/product/10.1.4/infra_1
Select-> Next
[IMW.4] On the Specify Product to Install screen:
Check-> Oracle Application Server Infrastructure 10g
Select-> Next
[IMW.5] On the Installation Type screen:
Select-> Next (default “Identity Management and Metadata Repository” is
checked).
[IMW.6] On the Product Specific Prerequisite Checks screen
All should pass, Select-> Next
Warning pop-up may be displayed: review memory allocated.
Click-> OK
[IMW.7] On the Confirm Pre-Installation Requirements screen: Check-> Root Privileges;
Select-> Next
[IMW.8] On the Select Configuration Options screen:
Un-Check-> <all>
Check-> Oracle Internet Directory
Select-> Next
[IMW.9] On the Specify Port Configuration Options screen:
Keep defaults (automatic)
Select->Next
[IMW.10] On the Specify Namespace screen:
Select-> Next (default should be correct – domain name of server, e.g.
dc=sme1,dc=com).
[IMW.11] On the Specify Database Configuration options screen:
Global Database Name-> infra1db.<domain-name> (e.g.
infra1db.web1.sme1.com)
SID-> infra1db
<defaults for rest (database file loc …/oradata/)>
Select-> Next
[IMW.12] On the Specify Database Schema Passwords screen: Enter different and secure passwords for each DB administration role.
Enter Password-> <secure password: should be at least 6 characters
and not be a dictionary word, be alpha-numeric and have at least one
number, capital letter; optionally one special character from the
following: $, _, #>
Confirm Password-> As previous
Select-> Next
[IMW.13] On the Specify Instance Name and ias_admin password
screen: Instance Name-> infra_1
ias_admin password-> <secure password: should be at least 6 characters and not be a dictionary word, be alpha-numeric and have at least one number and one capital letter; optionally one special character from the following: $, _, #>
Confirm password-> As previous
Select-> Next
[IMW.14] On the Privileged Operating System Groups screen:
Database Administrator-> osdba
Database Operator-> osoper
Select-> Next
[IMW.15] On the Summary screen:
Select -> Install
Installation is performed, change media as if/when requested
[IMW.16] On the Setup Privileges (popup) screen:
As root, as prompted run:
/u01/app/orainfra/product/10.1.4/infra_1/root.sh
Accept default bin path (/usr/local/bin)
Back in OUI, Select-> OK
[IMW.17] On the Configuration Assistants screen:
Should all run without error; this may take some time to complete.
Note down the URL of the Oracle Enterprise Manager 10g Application Server
Control Console: e.g. http://oid.sme1.com:1156/
[IMW.18] On the End Of Installation screen:
Select-> Exit
E.4.2 Set up orainfra environmental variables:
orainfra> nano ~/.bash_profile
Append the following lines (this is three lines, beware of wrapping):
export ORACLE_SID=infra1db
export ORACLE_HOME=/u01/app/orainfra/product/10.1.4/infra_1
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$ORACLE_HOME/opmn/bin
E.5 Configure the OID Infrastructure
E.5.1 Perform Oracle Database Lockdown
The following steps are an example of how to implement some of the lockdown for the database using configuration parameters from this install; [DBECD, 4] should nevertheless be referenced and all of its steps followed.
[CIM.1] Create the file profileb.sql with the following contents:
orainfra> nano profileb.sql
CREATE OR REPLACE FUNCTION profileb
(username varchar2,
password varchar2,
old_password varchar2)
RETURN boolean IS
n boolean;
BEGIN
IF password = username THEN
raise_application_error(-20001, 'Password same as user');
END IF;
IF length(password) < 6 THEN
raise_application_error(-20002, 'Password length less than 6');
END IF;
RETURN(TRUE);
END;
/
Ctrl-O (write Out file)
Ctrl-X (exit)
orainfra> sqlplus /nolog
SQL> connect / as sysdba;
SQL> @profileb.sql
SQL> alter profile default limit
2 failed_login_attempts 3
3 password_lock_time 1/1440
4 password_verify_function profileb;
SQL> create pfile from spfile;
SQL> shutdown immediate;
SQL> quit
orainfra> cd $ORACLE_HOME/dbs/
[CIM.2] Add the following to the initinfra1db.ora file:
orainfra> nano initinfra1db.ora
*.os_authent_prefix=''
*.o7_dictionary_accessibility=FALSE
*.sql92_security=TRUE
*.audit_trail='DB'
*.optimizer_mode='all_rows'
Ctrl-O (write Out file)
Ctrl-X (exit)
orainfra> mv spfileinfra1db.ora spfileinfra1db.ora.bkp
orainfra> sqlplus /nolog
SQL> connect / as sysdba;
SQL> startup;
SQL> @$ORACLE_HOME/rdbms/admin/cataudit.sql
SQL> audit session;
SQL> create spfile from
pfile='$ORACLE_HOME/dbs/initinfra1db.ora';
SQL> audit insert, update, delete on sys.aud$ by access;
SQL> quit
E.5.2 Perform Oracle Internet Directory Lockdown
Use the steps in [ECGOID, Section 4] as reference.
The following steps show examples of how to implement those lockdown steps where they depend on parameters from earlier installation steps in this ECG.
Care should be taken when using [OIDECD, Section 4] to ensure
consistency and applicability in the context of your specific configuration
and requirements.
orainfra> opmnctl startall
orainfra> oidadmin &
If prompted to add a server, type: ‘localhost’ and leave the port as 389
Login with the username: ‘cn=orcladmin’ and the password set for it
during installation at [IMW.9].
[DI.POST-1] The directory administrator must ensure that Access Control settings for
the entries in the directory are such that anonymous users can only access
material which the administrator deems to be “public information” (for
example names of administrators and their contact telephone numbers). An
example of how Access Control settings were applied in the Evaluated
Configuration by using Oracle Directory Manager is as follows:
Expand Entry Management.
Expand cn=OracleContext.
Select cn=Products.
Select the Subtree Access tab.
Under the Content Access Items section click the Create button.
Select the Attribute tab.
Scroll to and select authPassword.
Select the Access Rights tab.
Select Deny for all except ‘selfwrite’ and click the OK button.
Click Apply.
[DI.POST-3] Create and protect the password file:
orainfra> cd ~
orainfra> touch ldap-passwords.ldif
orainfra> chmod 700 ldap-passwords.ldif
Open the file, paste in the following, make the relevant changes to the passwords, and note them down offline:
dn:
changetype: modify
replace: orclgupassword
orclgupassword: <long hard to guess password>
dn:
changetype: modify
replace: orclprpassword
orclprpassword: <different long hard to guess password>
Ctrl-O
Ctrl-X
orainfra> ldapmodify -x -D cn=orcladmin -W -f ldap-passwords.ldif
Ensure the passwords are noted down before performing this
next step:
orainfra> shred ldap-passwords.ldif
[DI.POST-4] Create a file called ecg-password-policy.ldif and paste the
following into it editing the relevant sections:
orainfra> nano ecg-password-policy.ldif
dn: cn=ECDPwdPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
changetype: add
cn: ECDPwdPolicy
pwdMinLength: 6
orclpwdAlphaNumeric: 0
pwdLockOut: 0
pwdMaxFailure: 10
pwdLockOutDuration: 900
orclpwdPolicyEnable: 1
objectclass: top
objectclass: pwdpolicy

dn: cn=Users,dc=<COMPANY NAME>,dc=com
changetype: modify
replace: pwdpolicysubentry
pwdpolicysubentry: cn=ECDPwdPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
Ctrl-O
Ctrl-X
orainfra> ldapmodify -x -D cn=orcladmin -W -f ecg-password-policy.ldif
[DI.POST-5a] The directory administrator must ensure that Access Control settings for
the super user password attribute of the DSE entry (orclSuPassword)
do not allow users other than the super user to read the value of this
attribute.
To do this the directory administrator must edit the default ACP to deny
users access to the orclsupassword attribute. Using Oracle Directory
Manager this can be done by navigating to the Access Control
Management Panel, navigating to Default ACP, then creating a new ACI
for attribute orclSuPassword for which all users are denied the read,
compare, search and modify capabilities.
Annex F Oracle Database Server
F.1 Install the Operating System
Perform a standard Red Hat Enterprise Linux Advanced Server 4 update 5
installation bearing in mind the following settings:
Use automatic partitioning
Configure the network as required, e.g. eth0 172.20.16.211/255.255.240.0
Set the firewall to disabled (Note this will be enabled)
Set the SELinux setting to ‘Warn’
Customise software packages to be installed:
development->development tools
system->system tools; plus sysstat.
Graphical internet->unselect all except for firefox
For the user account, create a user called oracle.
Create a sub-user called oradb for database installation.
F.2 Patch the Operating System
Apply the latest Operating System security patches available via the Red Hat
network.
F.3 Configure the Operating System
[DOS.1] Load up a Terminal and as root perform some system configuration:
Set up the hosts file if DNS is not being used by adding the following lines, with IP addresses and hostnames matching the infrastructure's conventions, e.g.:
172.20.16.139 oim.oim-test.com oim
172.20.18.210 oid.sme1.com oid
172.20.18.211 odb.sme1.com odb
[DOS.2] Create the required operating system groups as root:
# groupadd oinstall
# groupadd dba
[DOS.3] Create oradb user for database install:
# useradd -m -s /bin/bash -g oinstall -G dba oradb
# passwd oradb
Give the oradb password a secure value: it should be at least 8 characters, not be a dictionary word, be alpha-numeric, and have at least one number, one capital letter and one special character.
[DOS.4] Create the directory /u01 to install the oracle software under and set the
ownership:
root> mkdir -p /u01/app/oradb
root> chown -R oradb:oinstall /u01
root> chmod 770 /u01/app/oradb
[DOS.5] Set up kernel parameters: check the parameters below and add the following to /etc/sysctl.conf as required:
# ODB ECG Changes
kernel.msgmnb=65535
kernel.msgmni=2878
kernel.msgmax=8192
kernel.shmall=2097152
kernel.shmmax=2147483648
kernel.shmmni=4096
kernel.sem=256 32000 100 142
fs.file-max=131072
net.ipv4.ip_local_port_range=1024 65000
net.core.rmem_default=262144
net.core.rmem_max=262144
net.core.wmem_default=262144
net.core.wmem_max=262144
[DOS.6] Load new kernel parameters:
# sysctl -p
# exit
[DOS.7] Create the directories for the installation media:
oracle> mkdir -p /space/src/oracle/
oracle> cd /space/src/oracle
oracle> mkdir -p Database
oracle> chown -R oradb:oinstall /space/src/oracle/*
[DOS.8] Login to Oracle support and download 10201_database_linux32.zip.
[DOS.9] Unzip the installation media obtained above for Database into the directory
created above.
F.4 Install the Oracle Database Server
This installs an Oracle Database Server instance for use in testing OIM for the
evaluated configuration.
F.4.1 Installation Steps
[ODB.1] As oradb run the database 10.2.0.1.0 Installer: oracle> su - oradb
oradb> cd /space/src/oracle/Database/database
oradb> ./runInstaller
[OUI.1] On the Specify Inventory Directory and Credentials
screen:
Change the path to /u01/Orainventory
Specify the Operating System group name as oinstall
Select->Next
[OUI.2] A pop up screen appears containing instructions to run a script as a root user in
/u01/oraInventory. Using the open terminal type: oradb> su - root
# cd /u01/oracle/inventory
# ./orainstRoot.sh
# cd /u01/
# chown -R oradb:oinstall OraInventory
When this has completed successfully, return to the pop up screen and
Select->Continue
[ODB.2] On the Select Installation Method screen:
The entries on this screen should be filled out as follows:
Oracle Home Installation->/u01/app/oradb/product/10.2.0/db
Installation Type-> Enterprise Edition 1.3GB
UNIX DBA Group-> oinstall
Create Starter Database (additional 72M)->checked
Global Database Name: odb
Database Password: enter a secure password: should be at least 6 characters
and not be a dictionary word, be alpha-numeric and have at least one number,
capital letter; optionally one special character from the following: $, _, #
Confirm Password: as previous
Select “Advanced Installation”
Select->Next
[ODB.3] On the Select Installation Type screen:
Select->Enterprise Edition (1.26GB)
Select->Next
[ODB.4] On the Specify Home Details screen enter:
Name->odb
Path->/u01/app/oradb/product/10.2.0/db
Select->Next
[ODB.5] On the Product Specific prerequisite Checks screen all
checks should succeed. On completion:
Select->Next
[ODB.6] On the Select Configuration Option screen:
Select->Install database Software only
Select->Next
[ODB.7] On the Privilege Operating System Group screen, ensure that the
entries are as follows:
Database Administrator Group->oinstall
Database Operator Group->oinstall
Select->Next
[ODB.8] On the Summary screen
Select->Install
[ODB.9] On the Installation screen
The product is installed. This will take some time. Progress is marked by a
status bar showing % complete.
[ODB.10] Part way through a pop up screen appears containing instructions to run a
configuration script as a root user in
/u01/app/oradb/product/10.2.0/db/.
Using the open terminal type: # cd /u01/app/oradb/product/10.2.0/db
# ./root.sh
When this has completed successfully, return to the pop up screen and
Select->OK
The installation completes.
[ODB.11] On the End Of Installation screen:
Select->Exit
F.4.2 Set up odb environmental variables:
oradb> nano ~/.bash_profile
Append the following lines (this is three lines, beware of wrapping):
export ORACLE_SID=odb
export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$ORACLE_HOME/opmn/bin
Ctrl O
Ctrl X
F.5 Create Listener for odb Database
This creates the Listener for the OIM Database.
F.5.1 Installation Steps
[ODB.12] As oradb run netca in an open terminal window: oracle> su - oradb
oradb> cd /u01/app/oradb/product/10.2.0/db/bin
oradb> ./netca
[ODB.13] On the Welcome screen:
Select-> Listener Configuration
Select->Next
[ODB.14] On the Listener Configuration screen:
Select-> Add
Select->Next
[ODB.15] On the Listener Name screen: Listener Name-> OIM_LISTENER
Select->Next
[ODB.16] On the Select Protocols screen:
Select->Next to select the default TCP option
[ODB.17] On the TCP/IP Protocol screen:
Select->Next to select the default 1521 port
[ODB.18] On the More Listeners screen:
Select->No
Select->Next
Listener Configuration complete is displayed.
[ODB.19] On the Completion Message screen:
Select->Next
[ODB.20] On the Welcome screen that is re-displayed:
Select->Finish
F.6 Create a Database Instance
This creates the Database instance for the OIM Database.
F.6.1 Installation Steps
[ODB.21] As oradb run dbca in an open terminal window: oradb> ./dbca
[ODB.22] On the Welcome screen:
Select->Next
[ODB.23] On the Step 1 screen:
Select-> Create a Database
Select->Next
[ODB.24] On the Step 2 screen:
Select-> Custom Database
Select->Next
[ODB.25] On the Step 3 screen: Enter Global Database Name-> [e.g. use domain such as oim.oim-test.com]
Enter SID->odb
Select->Next
[ODB.26] On the Step 4 screen:
Accept defaults: configure the Database with Enterprise Manager & Use
Database Control for Database Management; so just:
Select->Next
[ODB.27] On the Step 5 screen:
Enter the password (the same for ALL accounts)->
Use a secure password: it should be at least 6 characters and not be a dictionary word, be alpha-numeric and have at least one number and one capital letter; optionally one special character from the following: $, _, #
Select->Next
[ODB.28] On the Step 6 screen:
Accept default: File System; so just
Select->Next
[ODB.29] On the Step 7 screen: Accept default: Use Database File Locations ...; so just
Select->Next
[ODB.30] On the Step 8 screen:
Accept default recovery option; so just
Select->Next
[ODB.31] On the Step 9 screen:
Accept default database content options; so just
Select->Next
[ODB.32] On the Step 10 screen:
Select->All Initialization Parameters button
Select->Show Advanced Parameters button
Scroll down to QUERY_REWRITE_INTEGRITY parameter and change the
value->trusted
Select->Close
Select->Next
[ODB.33] On the Step 11 Database Storage screen:
Select->Next
[ODB.34] On the Step 12 Creation options screen: Accept defaults
Select->Finish
The confirmation screen is displayed showing the database details to be
created.
Select->OK to complete
[ODB.35] On the Database Configuration Assistant screen:
Progress is displayed as the database is created.
This process may take some time.
[ODB.36] On the Database Configuration Assistant screen a Database
Creation completion message is displayed.
Select->Exit to finish
[ODB.37] Use the steps in section B.2 to start the odb database.
F.7 Secure Database
F.7.1 Perform Oracle Database Lockdown
The following steps are an example of how to implement some of the lockdown for the database using configuration parameters from this install; [ECGDB, 4] should nevertheless be referenced and all of its steps followed.
[CIM.1] Create the file profileb.sql with the following contents:
oradb> nano profileb.sql
CREATE OR REPLACE FUNCTION profileb
(username varchar2,
password varchar2,
old_password varchar2)
RETURN boolean IS
n boolean;
BEGIN
IF password = username THEN
raise_application_error(-20001, 'Password same as user');
END IF;
IF length(password) < 6 THEN
raise_application_error(-20002, 'Password length less than 6');
END IF;
RETURN(TRUE);
END;
/
Ctrl-O (write Out file)
Ctrl-X (exit)
oradb> sqlplus /nolog
SQL> connect / as sysdba;
SQL> @profileb.sql
SQL> alter profile default limit
2 failed_login_attempts 3
3 password_lock_time 1/1440
4 password_verify_function profileb;
SQL> create pfile from spfile;
SQL> shutdown immediate;
SQL> quit
oradb> cd $ORACLE_HOME/dbs/
[CIM.2] Add the following to the initodb.ora file:
oradb> nano initodb.ora
*.os_authent_prefix=''
*.o7_dictionary_accessibility=FALSE
*.sql92_security=TRUE
*.audit_trail='DB'
*.optimizer_mode='all_rows'
Ctrl-O (write Out file)
Ctrl-X (exit)
oradb> mv spfileodb.ora spfileodb.ora.bkp
oradb> sqlplus /nolog
SQL> connect / as sysdba;
SQL> startup;
SQL> @$ORACLE_HOME/rdbms/admin/cataudit.sql
SQL> audit session;
SQL> create spfile from
pfile='$ORACLE_HOME/dbs/initodb.ora';
SQL> audit insert, update, delete on sys.aud$ by access;
SQL> quit
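The password rule that [CIM.1] in E.5.1 and F.7.1 and the installer screens state (at least 6 characters, not a dictionary word, alpha-numeric with at least one number and one capital letter, optionally $, _ or #) as an added Python reference check; this is not code from the OIM documentation and does not replace the PL/SQL profileb verify function, which enforces only the username and length tests. The word list and the digit-stripping interpretation of "dictionary word" are assumptions made for the example.

```python
"""Added example (not from the OIM documentation): a reference check for the
database password rule stated in Annexes E and F.  The page's PL/SQL profileb
function enforces only the username and length checks; this version covers
the whole stated rule and is an addition, not a substitute for profileb."""
import re

MIN_LENGTH = 6
ALLOWED = re.compile(r"[A-Za-z0-9$_#]+")   # letters, digits and the three permitted specials
# Constructed sample word list; point a real deployment at a full dictionary file.
DICTIONARY_SAMPLE = {"password", "oracle", "welcome", "manager", "xellerate", "secret"}


def password_policy_failures(username, password, dictionary=DICTIONARY_SAMPLE):
    """Return the rule violations for a candidate password (empty list = accepted)."""
    failures = []
    if password == username:                      # profileb's first check
        failures.append("same as username")
    if len(password) < MIN_LENGTH:                # profileb's second check
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not ALLOWED.fullmatch(password):
        failures.append("contains characters other than letters, digits, $, _ and #")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[A-Z]", password):
        failures.append("no capital letter")
    # Assumption: "not a dictionary word" also rejects a word merely decorated with
    # digits or specials (e.g. Oracle1), so those are stripped before the lookup.
    core = re.sub(r"[0-9$_#]", "", password).lower()
    if core in dictionary:
        failures.append("dictionary word")
    return failures


def load_dictionary(path):
    """Read one word per line (e.g. a system word list) into a lower-cased set."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


if __name__ == "__main__":
    for user, pw in [("scott", "Tiger42"), ("scott", "Oracle1"), ("scott", "scott")]:
        print(user, pw, password_policy_failures(user, pw) or "accepted")
```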
Annex G Recommendations for OIM Secure Audit Administration
Log file types and location
The Oracle Identity Manager log files are maintained in the $OIM_HOME/xellerate/logs directory and provide useful information for managing and monitoring server instances. The log files include:
xel.log contains today's log records for the Oracle Identity Manager server.
xel.log.YYYY-MM-DD contains previous logs organised by date.
The Oracle Connector logs for both the Database and OID are maintained in $OC4J_HOME/opmn/logs/default_group~home~default_group.1.log
Examining the Log files
To examine either of these logs directly, use:
$ cd <relevant directory from above>
$ nano <relevant log file>
Use <Ctrl-X> to quit nano.
For a more user friendly audit experience use the features in the Admin and
User Console documented in [AUCG, 14]. Additional detail and advanced
features are documented in [ADG].
Enabling Audit
During operation of the TOE, Audit must be enabled. This is also the default
setting for the TOE after installation. The administrator is required to not
change this.
The file at:
$OIM_HOME/xellerate/config/log.properties
is used to enable and disable auditing.
Every entry in log.properties that begins log4j.logger specifies an audit category for OIM. Setting all of these to =OFF will switch auditing off.
Changes to the log.properties file only come into effect after a restart of OIM (i.e. opmnctl stopall and opmnctl startall as the oracle user from a terminal window on the OIM Server).
Configuring Audit
Audit can only be configured via the
$OIM_HOME/xellerate/config/log.properties file.
The default permissions on this file are owner read write only
(-rw-------). These permissions should not be changed.
The level of logging can be set to: OFF, debug, info, warn, error and fatal. debug is the most verbose level and fatal the least.
debug = logs all operations.
info = logs some operational information, warnings, errors and fatal errors.
warn = logs warnings, errors and fatal errors.
error = logs errors and fatal errors.
fatal = logs fatal errors only.
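The two audit requirements above (no log4j.logger category set to OFF, and log.properties left at owner read/write only) as an added Python check that is not part of the OIM documentation: it reads a file in the page's log.properties format and lists every finding. The sample content is constructed to contain one switched-off category.

```python
"""Added example (not from the OIM documentation): verify that auditing in
$OIM_HOME/xellerate/config/log.properties is still enabled and that the file
keeps its -rw------- permissions, as Annex G requires.  The sample below is
constructed in the page's log.properties format."""
import os
import stat

SAMPLE_LOG_PROPERTIES = """\
# This file is to configure the logs that xellerate produces via log4j.
log4j.rootLogger=WARN,stdout,logfile
#log4j.rootLogger=WARN,stdout
log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
log4j.appender.logfile.File=/u01/oracle/product/9.1.0/OIMServer/xellerate/logs/xel.log
log4j.logger.XELLERATE=DEBUG
#log4j.logger.XELLERATE.RULES=DEBUG
log4j.logger.XELLERATE.AUDITOR=OFF
log4j.logger.Adapter.ORACLE=DEBUG
log4j.logger.XL_INTG.OID=DEBUG
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: comments (# or !), key=value or
    key:value pairs, and backslash line continuations.  Later keys win."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):               # continuation: join with the next line
            pending = line[:-1]
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def level_of(value):
    """The level is the first comma-separated token; appender names may follow it."""
    return value.split(",")[0].strip().upper()


def categories_switched_off(props):
    """Audit categories (log4j.logger.*) whose level is OFF."""
    prefix = "log4j.logger."
    return sorted(key[len(prefix):] for key, val in props.items()
                  if key.startswith(prefix) and level_of(val) == "OFF")


def mode_is_owner_only(mode):
    """True for -rw------- style permissions: no group or other bits set."""
    return stat.S_IMODE(mode) & 0o077 == 0


def audit_problems(text, mode=0o600):
    """All findings for one log.properties content and its file mode."""
    props = parse_properties(text)
    problems = []
    if level_of(props.get("log4j.rootLogger", "")) == "OFF":
        problems.append("log4j.rootLogger is OFF")
    problems += ["log4j.logger.%s is OFF" % c for c in categories_switched_off(props)]
    if not mode_is_owner_only(mode):
        problems.append("file permissions are wider than -rw-------")
    return problems


def check_file(path):
    """Run audit_problems against a real log.properties on disk."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_problems(text, os.stat(path).st_mode)


if __name__ == "__main__":
    # Usage: python3 check_log_properties.py [$OIM_HOME/xellerate/config/log.properties]
    import sys
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else audit_problems(SAMPLE_LOG_PROPERTIES, 0o640)
    for finding in findings or ["no problems found"]:
        print(finding)
```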
For the TOE in its evaluated configuration the log.properties should
be set as follows:
#
# This file is to configure the logs that xellerate produces via
log4j.
# this file is used by Websphere and Weblogic. If JBoss is used
# to host Xellerate, the file that needs to be modified is jboss-
log4j.xml under
# the JBoss directory: <jboss_home>/server/default/conf. Since
# this file is used for the whole JBoss log configuration, a
Xellerate
# tag is used to define the level to log:
#
# <category name="XELLERATE">
# <priority value="WARN"/>
# </category>
#
# That is equivalent to the line below:
# log4j.logger.XELLERATE=WARN
#
# If specific categories need to be logged as in the case of the
commented
# categories below, a new category can be added after the
"XELLERATE" category
# in the jboss-log4j.xml file for JBoss. For instance
"XELLERATE.ACCOUNTMANAGEMENT"
# as below, would be like the following in jboss-log4j.xml:
#
# <category name="XELLERATE.ACCOUNTMANAGEMENT">
Evaluation of Oracle Identity Manager OIM (9.1.0.2) Evaluated Configuration/Issue 1.0 14 December 2011
Page 63 of 113
# <priority value="DEBUG"/>
# </category>
#
# In the case of Weblogic or Weblogic, uncommenting the category
below would
# be enough.
# Any changes to the log configuration need to be follow by a
# restart of the Application Server.
#
# For more information about log4j, please refer to
# http://logging.apache.org/log4j/docs/
#
# The below configuration sets the output of the log to be to the
# standard output. In the case of JBoss it is to the console and
# for Websphere and Weblogic to the log file.
# Commented below is "logfile" in addition to stdout. If you want
# the output to be sent to a specific file un-comment the line below
# and comment the one without the "logfile" entry.
log4j.rootLogger=WARN,stdout,logfile
#log4j.rootLogger=WARN,stdout
#
# Console Appender
# The configuration below is to configure the way the log will be
# formatted when it is output to the console.
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%5p,%d{dd MMM yyyy HH:mm:ss,SSS},[%c],%m%n
#
# File Appender
# Uncomment if you want to output to a file and change the file name
# and path
#
log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
log4j.appender.logfile.File=/u01/oracle/product/9.1.0/OIMServer/xellerate/logs/xel.log
log4j.appender.logfile.MaxBackupIndex=20
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
#
# Below are the different categories supported by Xellerate
# commented out. The Root Category, .XELLERATE, is not commented
# out and it's set to WARN. This means that every category is set
# to WARN level unless specifically changed. Each category can be
# uncommented and the level can be changed individually while
# the root is still on WARN (for all other categories with log level
# not defined).
# The following are the accepted levels:
#
# DEBUG - The DEBUG Level designates fine-grained informational events
# that are most useful to debug an application.
# INFO - The INFO level designates informational messages that highlight
# the progress of the application at coarse-grained level.
# WARN - The WARN level designates potentially harmful situations.
# ERROR - The ERROR level designates error events that might still allow
# the application to continue running.
# FATAL - The FATAL level designates very severe error events that will
# presumably lead the application to abort.
# Special Levels:
# ALL - The ALL Level has the lowest possible rank and is intended
# to turn on all logging.
# OFF - The OFF Level has the highest possible rank and is
# intended to turn off logging.
#################################
# XELLERATE #
#################################
log4j.logger.XELLERATE=DEBUG
# We would like to have DDM operations at the DEBUG level
# as we may not have a second chance to perform the same
# operation if something fails
log4j.logger.XELLERATE.DDM=DEBUG
log4j.logger.XELLERATE.ACCOUNTMANAGEMENT=DEBUG
log4j.logger.XELLERATE.SERVER=DEBUG
#log4j.logger.XELLERATE.RESOURCEMANAGEMENT=DEBUG
#log4j.logger.XELLERATE.REQUESTS=DEBUG
#log4j.logger.XELLERATE.WORKFLOW=DEBUG
log4j.logger.XELLERATE.WEBAPP=DEBUG
#log4j.logger.XELLERATE.SCHEDULER=DEBUG
#log4j.logger.XELLERATE.SCHEDULER.Task=DEBUG
log4j.logger.XELLERATE.ADAPTERS=DEBUG
log4j.logger.XELLERATE.JAVACLIENT=DEBUG
log4j.logger.XELLERATE.POLICIES=DEBUG
#log4j.logger.XELLERATE.RULES=DEBUG
log4j.logger.XELLERATE.DATABASE=DEBUG
#log4j.logger.XELLERATE.APIS=DEBUG
log4j.logger.XELLERATE.OBJECTMANAGEMENT=DEBUG
log4j.logger.XELLERATE.JMS=DEBUG
#log4j.logger.XELLERATE.REMOTEMANAGER=DEBUG
#log4j.logger.XELLERATE.CACHEMANAGEMENT=DEBUG
log4j.logger.XELLERATE.ATTESTATION=DEBUG
#log4j.logger.XELLERATE.AUDITOR=DEBUG
#log4j.logger.XELLERATE.PERFORMANCE=DEBUG
#
# Connector Logging
#
log4j.logger.Adapter.ORACLE=DEBUG
log4j.logger.XL_INTG.OID=DEBUG
log4j.logger.OIMCP.DUTC=DEBUG
#################################
# SPML Webservice #
#################################
log4j.logger.SPMLWS=WARN
log4j.logger.SPMLWS.OIMEvent=DEBUG
#################################
# Nexaweb #
#################################
log4j.logger.com.nexaweb.server=WARN
#################################
# OSCache #
#################################
log4j.logger.com.opensymphony.oscache=ERROR
Administrator Audit Tasks for the TOE
The administrator needs to use the log files to perform the following tasks at
regular intervals to maintain the security of the TOE:
Check the xel.log or xel.log.YYYY-MM-DD files, looking for
potential or actual attacks against OIM.
Monitor the number of log files. Archive and purge the log files every 14
days as required. At 20 days, the logs from day 21+ become liable for
deletion.
The administrator must not change OIM’s log.properties file
(see previous section for name and location), except to increase the audit
granularity from that identified above.
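As an added example (not part of the guide), a small triage script for the two tasks above: it parses lines in the layout of the "logfile" appender configured in the previous section, counts WARN-and-above events by category, and lists rolled xel.log.YYYY-MM-DD files that are past the 20-day point. The sample log lines and file names are constructed.

```python
"""Added example (not part of the Oracle guide): triage helper for the
xel.log files written by the 'logfile' appender of the log4j configuration.

Assumptions: the file layout is the guide's '%p %t %c - %m%n' pattern and
rolled files follow the DailyRollingFileAppender name xel.log.YYYY-MM-DD.
"""
import re
from collections import Counter
from datetime import date

# One line of the 'logfile' appender: level, thread, category, " - ", message.
# Thread names may contain spaces, so the category is taken as the last
# whitespace-free token before the " - " separator.
LOG_LINE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<thread>.+?) (?P<category>\S+) - (?P<message>.*)$"
)

# log4j levels from least to most severe (the guide's list of accepted levels)
LEVELS = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]

# Rolled file suffix produced by DatePattern='.'yyyy-MM-dd
ROLLED_NAME = re.compile(r"^xel\.log\.(\d{4})-(\d{2})-(\d{2})$")

# Constructed sample lines in the appender's layout (not from a real system)
SAMPLE_LOG = """\
DEBUG main XELLERATE.SERVER - Server started
WARN http-4446-1 XELLERATE.WEBAPP - Login failed for user jsmith
WARN http-4446-2 XELLERATE.WEBAPP - Login failed for user jsmith
ERROR http-4446-2 XELLERATE.DATABASE - Connection refused
WARN RMI TCP Connection(3) XELLERATE.ACCOUNTMANAGEMENT - User jsmith locked
not a log line
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not
    match the layout (stack traces and continuation lines are skipped)."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(text, min_level="WARN"):
    """Count events at or above min_level, keyed by (level, category).
    Reviewing this summary is the 'look for potential or actual attacks'
    task: spikes in WEBAPP warnings or ACCOUNTMANAGEMENT lockouts stand out."""
    threshold = LEVELS.index(min_level)
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] in LEVELS and LEVELS.index(rec["level"]) >= threshold:
            counts[(rec["level"], rec["category"])] += 1
    return counts


def files_past_retention(names, today_iso, max_age_days=20):
    """Return rolled log files older than max_age_days, i.e. the ones the
    guide says become liable for deletion and must already be archived.
    The live xel.log and unrelated files are never reported."""
    today = date.fromisoformat(today_iso)
    stale = []
    for name in names:
        m = ROLLED_NAME.match(name)
        if not m:
            continue
        rolled = date(*map(int, m.groups()))
        if (today - rolled).days > max_age_days:
            stale.append(name)
    return sorted(stale)


if __name__ == "__main__":
    for (level, category), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{level:5} {category:35} {n}")
    print(files_past_retention(["xel.log", "xel.log.2011-11-20"], "2011-12-14"))
```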
Annex H Perform Hardening of the TOE and Environment
H.1 Administration Client Configuration
H.1.1 IE Configuration Steps
[AC.1] On the Windows Client computer, open IE7.
Click on Tools->Internet Options->Connections tab->LAN Settings Button
[AC.2] Uncheck “Automatically detect settings” and “Use automatic configuration
script” check boxes. If a proxy server is in use, ensure that “Bypass proxy
server for local addresses” is checked. Note, if you wish to access the internet
from your client computer IE, you will need to check these boxes. It is not
possible to have the internet and the local network accessible at the same time
through IE (even with two Ethernet connections).
[AC.3] Click OK. You should now be back at “Internet Options dialog box”.
[AC.4] Click->Security tab->Local Intranet icon->Sites button->Advanced button.
[AC.5] Enter the following website to the zone: <OIM host>.<OIM domain>.com
(e.g. evaluators should use “oim.oim-test.com”). Click Add.
[AC.6] Click Close. On the “Local Intranet” dialog, ensure that the first checkbox is
unchecked, and the following three checkboxes are checked.
[AC.7] Click OK.
[AC.8] Click OK. You should now be looking at the browser window.
[AC.9] Add the following line into the C:\WINDOWS\system32\drivers\etc\hosts file
using notepad or similar; it should be added after the localhosts entry:
nnn.nnn.nnn.nnn <oim host>.<oim domain>.com oim
Where nnn.nnn.nnn.nnn is the IP address of your OIM server.
[AC.10] Make sure the network cable for OIM is plugged into the client computer
Ethernet port. The need to unplug the internet can be overcome by using a USB
Ethernet Adapter, or an additional Ethernet port (if provided) on the client
computer.
[AC.11] For first time use, enter http://oim.oim-test.com:7777/xlWebApp/ and press
<ENTER>. After SSL has been configured on the OIM server, use:
https://oim.oim-test.com:4446/xlWebApp/
[AC.12] The OIM application logon screen is displayed in the browser.
H.2 User Client Configuration
The user client IE7 browser is to be configured as specified in section H.1.1
above for the Admin Client. The OIM Design Console should not be installed
on User Client machines.
H.3 Configure SSL for User and Admin Console
Goal: to specify the steps needed to configure Oracle HTTP Server (OHS) to
use the Secure Sockets Layer (SSL) when installed with Oracle Application
Server 10g R2. This means that the OIM User and Admin Console will work
only via an SSL session through OHS.
STEP 1: Configure Certificates in Oracle Wallet Manager
[SSL.1] Create PKCS #12 wallets using Oracle Wallet Manager (OWM) on OIM
Server (oim.oim-test.com). Open a new terminal and type the following
commands:
# su - oracle
$ mkdir -p ~/oim-wallets/oim_auc_ssl
$ chmod -R 700 oim-wallets
$ owm &
Create a new wallet by clicking Wallet > New ...
When prompted whether you want to create a wallet press 'no'
Set a secure password (should be at least 6 characters and not be a dictionary
word, be alpha-numeric and have at least one number, capital letter;
optionally one special character from the following: $, _, #) for the wallet and
the wallet type should be set to 'Standard'.
You will then be asked if you want to create a certificate request, select Yes
Enter the following details, tailoring it where appropriate:
Common Name – OIM AUC SSL
Organization – oim-test
Locality/City - <as required>
Country – <as required>
Key size 2048
Click Wallet > Save As.. and save in /home/oracle/oim-wallets/oim_auc_ssl
Highlight 'Certificate:[Requested]' in the tree and
Click Operations > Export Certificate Request
Save the file as ‘oim.oim-test.com-ssl.csr’ in the same folder
Click Wallet > Close
[SSL.2] Submit the Certificates for Signing:
Submit oim.oim-test.com-ssl.csr to a trusted Certificate Authority
for signing.
When the CA returns the certificates, also obtain a copy of the CA’s certificate
(public key) in .pem format and the CA’s certificate revocation list in .crl format.
Warning: the CA’s certificate revocation list should be downloaded on a
regular basis, so that any revoked certificates are refused access to the TOE.
The .crl file should be copied into /home/oracle/oim-wallets/oim_auc_ssl
The steps under [SSL.4] explain how to activate this list for the TOE.
Note: it may be necessary to change the permissions and groups of the
imported files when copied back on to the OIM Server.
[SSL.3] Importing the signed certificates into the wallets:
Open Oracle Wallet Manager again :
# owm &
and use the following commands from the Wallet Manager prompt – Wallet > :
Wallet > open /home/oracle/oim-wallets/oim_auc_ssl
When prompted enter the password
Click Operations > Import Trusted Certificate and select the
CA’s .pem file
Click Operations > Import User Certificate and paste the
base64 part of the .cert file from the CA
Wallet > Save
Select Wallet -> AutoLogin so that this is checked
Wallet > Close
Close Oracle Wallet Manager
STEP 2: Configure OHS to do the SSL
[SSL.4] Update the ssl.conf file:
$ cd $OAS_HOME/Apache/Apache/conf/
$ cp ssl.conf ssl.conf.bkp
$ nano ./ssl.conf
Update the following tags ...
## SSL Support
Listen 4446
#4446 is the SSL port number.
Find and change the VirtualHost setting as follows:
<VirtualHost _default_:4446>
Find and change Port setting as follows:
Port 4446
Find and change ‘SSLWallet file’ directive as follows:
SSLWallet file:/home/oracle/oim-wallets/oim_auc_ssl
Note any Certificates on the system for revocation can be
specified in the hashed file identified under
SSLCARevocationPath (see article at the end of this step for
more information on generating one suitable hashed .crl
file).
Find and change SSLCARevocationFile as follows:
SSLCARevocationFile /home/oracle/oim-wallets/oim_auc_ssl/<hashed CRL file>.crl
(where <hashed CRL file>.crl is the hashed certificate revocation list file downloaded and processed as specified below)
Ctrl-O
Ctrl-X
Note: the following article available via Oracle support should be used for
guidance when producing a single hashed .crl for reference as specified
above:
How to Configure CRL Checking for HTTP Server in Oracle Application Server 10g (10.1.2 - 10.1.3) [ID 418613.1]
[SSL.5] Update the httpd.conf file:
$ cp httpd.conf httpd.conf.pre.non.ssl.block.bkp
$ nano ./httpd.conf
Find <Location using <Ctrl> W
Add the following:
Note: the first <Location …> block (/server-status) may already exist; do check before adding it.
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /em>
SetHandler em
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /j2ee>
SetHandler j2ee
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /fastcgi>
SetHandler fastcgi
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /icons>
SetHandler icons
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /cg-bin>
SetHandler cg-bin
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /perl>
SetHandler perl
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /webapp>
SetHandler webapp
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
<Location /fcgibin>
SetHandler fcgibin
Order deny,allow
Deny from all
Allow from localhost oim.oim-test.com oim
</Location>
At the end of the file add the following lines
# Block non-SSL requests for OIM
RewriteEngine On
RewriteCond %{SERVER_PORT} ^7777$
RewriteRule ^/(.*)$ https://%{SERVER_NAME}:4446/$1 [R,L]
Ctrl-O
Ctrl-X
$ opmnctl stopall
$ opmnctl startall
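A checker for the httpd.conf edits of [SSL.5], added here as an example and not part of the guide or of OHS: it parses the <Location> blocks and confirms each restricted path is denied by default and opened only to the hosts the step names, and that the port 7777 to 4446 redirect is present. The two sample configurations are constructed; the host names and paths are the guide's example values.

```python
"""Added example (not Oracle's code): checks an httpd.conf text for the
access-control and redirect directives that step [SSL.5] adds.

Assumptions: Apache 1.3-style 'Order/Deny/Allow' syntax as in the step, and
the guide's example host names. Both sample configurations are constructed."""
import re

# Paths the guide restricts, and the only hosts it allows to reach them
RESTRICTED_PATHS = ["/server-status", "/em", "/j2ee", "/fastcgi", "/icons",
                    "/cg-bin", "/perl", "/webapp", "/fcgibin"]
ALLOWED_HOSTS = {"localhost", "oim.oim-test.com", "oim"}

LOCATION_BLOCK = re.compile(
    r"<Location\s+(?P<path>[^\s>]+)\s*>(?P<body>.*?)</Location>", re.S | re.I)


def parse_locations(conf):
    """Map each <Location> path to its (directive, argument) pairs,
    ignoring comments and blank lines."""
    blocks = {}
    for m in LOCATION_BLOCK.finditer(conf):
        directives = []
        for raw in m.group("body").splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):
                name, _, args = line.partition(" ")
                directives.append((name, args.strip()))
        blocks[m.group("path")] = directives
    return blocks


def location_findings(conf):
    """List the problems found; empty means every restricted path is denied
    by default and opened only to the guide's hosts."""
    blocks = parse_locations(conf)
    findings = []
    for path in RESTRICTED_PATHS:
        directives = blocks.get(path)
        if directives is None:
            findings.append(f"{path}: no <Location> block")
            continue
        if ("Order", "deny,allow") not in directives:
            findings.append(f"{path}: missing 'Order deny,allow'")
        if ("Deny", "from all") not in directives:
            findings.append(f"{path}: missing 'Deny from all'")
        for name, args in directives:
            if name == "Allow":
                extra = set(args.split()[1:]) - ALLOWED_HOSTS  # drop 'from'
                if extra:
                    findings.append(f"{path}: Allow lists unexpected hosts {sorted(extra)}")
    return findings


def redirect_enforced(conf):
    """True when plain-HTTP requests on 7777 are rewritten to https on 4446."""
    checks = [
        r"^\s*RewriteEngine\s+On\b",
        r"^\s*RewriteCond\s+%\{SERVER_PORT\}\s+\^7777\$",
        r"^\s*RewriteRule\s+\S+\s+https://%\{SERVER_NAME\}:4446/",
    ]
    return all(re.search(p, conf, re.M | re.I) for p in checks)


def hardened_block(path):
    """One <Location> block exactly as [SSL.5] specifies it."""
    return (f"<Location {path}>\n SetHandler {path.lstrip('/')}\n"
            " Order deny,allow\n Deny from all\n"
            " Allow from localhost oim.oim-test.com oim\n</Location>\n")


# Constructed configuration with every block and the redirect in place
HARDENED_CONF = "".join(hardened_block(p) for p in RESTRICTED_PATHS) + """
# Block non-SSL requests for OIM
RewriteEngine On
RewriteCond %{SERVER_PORT} ^7777$
RewriteRule ^/(.*)$ https://%{SERVER_NAME}:4446/$1 [R,L]
"""

# Constructed weak variant: /server-status is open to any host, /em lacks
# the default deny, and the other blocks and the redirect are missing.
WEAK_CONF = """\
<Location /server-status>
 SetHandler server-status
 Order deny,allow
 Deny from all
 Allow from all
</Location>
<Location /em>
 SetHandler em
 Order deny,allow
 Allow from localhost oim.oim-test.com oim
</Location>
RewriteEngine On
"""

if __name__ == "__main__":
    print(location_findings(WEAK_CONF), redirect_enforced(WEAK_CONF))
```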
[SSL.6] Test access to the User and Admin Console using the following URL:
https://oim.oim-test.com:4446/xlWebApp/ and press <ENTER>.
[SSL.7] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm. The password will be as
specified in step [OIM.4].
[SSL.8] If desired the certificate from the OIM server can be copied over from /home/oracle/oim-wallets/oim_auc_ssl/oim-server.cert
and installed in IE with your Trusted CA certificate using the steps provided in:
http://technet.microsoft.com/en-us/library/dd361898.aspx
This will prevent a certificate error in the browser.
H.4 Install the Design Console with SSL enabled
[DCR.1] The following modifies the instructions from:
http://download.oracle.com/docs/cd/E10391_01/doc.910/e10368/design_console.htm
to install the Design Console on a Windows Client computer.
[DCR.2] Double-click the setup_client.exe file.
[DCR.3] Choose a language from the list. The welcome page is displayed, on which
click Next.
[DCR.4] On the Target directory page, specify the path of the directory in the
Directory field, and then click Next.
[DCR.5] On the Application Server page, click Oracle Application Server, then Next.
[DCR.6] On the JRE selection page, navigate to the location where Java is installed (e.g.
C:\Program Files\Java\jre6), then Next.
[DCR.7] On the Application Server Host Information page, enter the IP address (e.g.
172.20.16.139) of the Oracle Application Server, and use the value 12701 as
the naming port, then Next.
[DCR.8] On the OIM Application Server configuration Information page, enter the IP
address (e.g. 172.20.16.139) of the OIM Web Server, and use the value 4446 as
the port, select yes for SSL, then Next.
[DCR.9] On the shortcuts page select the options desired, then Next.
[DCR.10] On the summary page click Install.
[DCR.11] Click OK. The action requested here can be ignored as we will cover it under
step [DCR.14].
[DCR.12] Click Finish.
[DCR.13] Create a backup of the OIM_DC_HOME\xlclient directory. E.g. copy C:\Documents
and Settings\<windows username>\oracle\xlclient to C:\Documents and
Settings\<windows username>\oracle\xlclient.ssl.bkp
[DCR.14] Replace the contents of OIM_DC_HOME\xlclient\lib with the contents of the
/space/src/oracle/Patches/p8484010/xlclient/lib/ directory from the OIM server.
[DCR.15] Copy the following files:
XLDesktopClient.ear from
/space/src/oracle/Patches/p8484010/xlclient/ to
OIM_DC_HOME\xlclient
xlFvcUtil.ear from
/space/src/oracle/Patches/p8484010/xlclient/ to OIM_DC_HOME\xlclient
[DCR.16] Copy the following files:
$OAS_HOME/j2ee/home/lib/ejb.jar file on the Oracle Application
Server system to the OIM_DC_HOME\xlclient\ext directory on the
Design Console system;
$OAS_HOME/j2ee/home/oc4jclient.jar file on the Oracle
Application Server system to the OIM_DC_HOME\xlclient\ext directory on the Design Console system.
[DCR.17] In the configuration XML file, change the multicast address to match that of
Oracle Identity Manager:
a. Open the following file:
$OIM_HOME/xellerate/config/xlconfig.xml
b. Search for the <MultiCastAddress> element, and note the value
assigned to this element.
c. Open the following file:
OIM_DC_HOME\xlclient\Config\xlconfig.xml
d. Search for the <XLCacheProvider> element, and replace the value of
the <MultiCastAddress> element inside this element with the value
that you noted in Step b.
[DCR.18] After installation open the xlclient.cmd that you are using to launch the design
console in an editor (e.g. notepad.exe, or wordpad.exe)
Look for the line -DXL.ExtendedErrorOptions=TRUE -DXL.HomeDir -
If the home directory where you have the design console installed has a space
in its name, put quotes around it so that, for example, it looks like the
following:
-DXL.ExtendedErrorOptions=TRUE "-DXL.HomeDir=C:\Documents and Settings\username\oracle\xlclient"
[DCR.19] Enable ORMIS in the Oracle Application Server. On the OIM Server execute
the following commands in a terminal window:
# su - oracle
$ cd $OAS_HOME/j2ee/oc4j_oim/config/
$ cp server.xml server.orig.xml
$ nano server.xml
Overwrite <rmi-config path="..." /> with <rmi-config path="./rmi.xml" />
Ctrl-O
Ctrl-X
$ cp rmi.xml rmi.orig.xml
$ nano rmi.xml
Modify the rmi-server element with a keystore value as
follows:
<rmi-server ... ssl-port="23943">
…
<ssl-config keystore="/home/oracle/oim-wallets/oim_auc_ssl/ewallet.p12"
keystore-password="<value set at [SSL.1]>" />
</rmi-server>
Ctrl-O
Ctrl-X
$ owm &
$ owm &
[DCR.20] On the OIM server, in Oracle Wallet Manager, click Wallet > Open and
browse to /home/oracle/oim-wallets/oim_auc_ssl
[DCR.21] When prompted enter the wallet password from [SSL.1].
[DCR.22] Click Operations > Export User Certificate.
[DCR.23] Enter the file name oim-server.cert in the File name field and click
OK. This certificate will be used by the Design Console to trust the Oracle
Application Server.
[DCR.24] On the OIM Server execute the following commands in a terminal window:
$ cd $OAS_HOME/opmn/conf
$ cp opmn.xml opmn.orig.xml
$ nano ./opmn.xml
Find the 3 occurrences of <port id="rmis"
Change the first to
<port id="rmis" range="12702"/>
Change the second to
<port id="rmis" range="12701"/>
** This one is the important one as it is the oc4j container
** for oim that the Design client actually uses.
Change the third to
<port id="rmis" range="12703"/>
Ctrl-O
Ctrl-X
$ opmnctl stopall
$ opmnctl startall
[DCR.25] On the Design Client windows client, open C:\Documents and
Settings\<windows username>\oracle\xlclient\Config\xlconfig.xml in an xml
editor (e.g. HTML kit) or text editor. Save a copy as xlconfig.orig.xml, then:
Change
<java.naming.provider.url>ormi://SERVER_HOST:12401</java.naming.provider.url>
to
<java.naming.provider.url>ormis://SERVER_HOST:12701</java.naming.provider.url>
Change
<ApplicationURL>http://SERVER_HOST:7777/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
to
<ApplicationURL>https://SERVER_HOST:4446/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>
Save changes,
Close editor
Configure the Trust Store on the Design Console Windows Client.
[DCR.26] Copy oim-server.cert from the OIM Server to the Design Console at the
following location: C:\Program Files\Java\jre6\bin. Also copy
cacerts from C:\Program Files\Java\jre6\lib\security to
C:\Program Files\Java\jre6\bin
[DCR.27] Open a command (cmd.exe) window and run the following commands on the
Design Console windows client:
> cd \Program Files\Java\jre6\bin
> keytool -import -trustcacerts -alias oim -keystore cacerts -file oim-server.cert -storepass changeit -keypass <password from [SSL.1]>
[DCR.28] Copy oim-server.cert and cacerts from C:\Program
Files\Java\jre6\bin to the following location: C:\Program
Files\Java\jre6\lib\security.
[DCR.29] Start the Design Console using the icon on the desktop, or running
xlclient.cmd from OIM_DC_HOME\xlclient and login using the
xelsysadm user and their password (see step [OIM.4] for where it was set).
H.5 Enable the Firewall
[EF.1] Using the Red Hat GUI on OIM Server login as oracle
Using Red Hat GUI, Select: Applications > System Settings > Security Level
Enter the root password when prompted
In the Firewall Options Tab select Enable Firewall
[EF.2] In the Other Ports section add: 4446:tcp, 1521:tcp, 389:tcp, 12701:tcp,
23943:tcp. Respectively these allow the following connections: SSL Admin
and User Console for OIM, Database connections, OID connections and the
SSL Design Console connections.
All other settings must be left blank.
[EF.3] For administration support during the installation/configuration the following
can also be added in Other ports: 7777:tcp, 5901:tcp, 5902:tcp, 12408:tcp; also
ALLOW SSH tick box. However, these must be removed for OIM secure
operation. Allowing other ports than those specified under [EF.2] may leave
your server(s) vulnerable to attack.
Similar steps must be repeated for the other Red Hat servers in your
configuration (e.g. as set up in this document odb and oid servers). The port
to allow on odb is 1521:tcp and the port to allow on oid is 389:tcp. No other
ports should be entered for these servers.
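As an added example (not from the guide), a check that the firewall on each Red Hat server accepts only the TCP ports [EF.2] lists for its role, flagging the installation-time ports of [EF.3] if they were left open. It assumes the rules are read from iptables-save output in the form the Red Hat security level tool writes them; the rule text below is constructed.

```python
"""Added example (not Oracle's code): compares the TCP ports a Red Hat
server's firewall accepts with the allow lists of [EF.2] and [EF.3].

Assumption: rules are read from iptables-save output, in which the Red Hat
security level tool writes each 'Other ports' entry as an ACCEPT rule with
'--dport <port>'. The sample rule set below is constructed."""
import re

# Ports the guide permits per server for secure operation (TCP)
ALLOWED = {
    "oim": {4446, 1521, 389, 12701, 23943},  # SSL console, DB, OID, SSL Design Console
    "odb": {1521},
    "oid": {389},
}
# Ports [EF.3] allows only while installing; 22 is the 'ALLOW SSH' tick box
INSTALL_ONLY = {7777, 5901, 5902, 12408, 22}

ACCEPT_RULE = re.compile(r"-p tcp\b.*--dport (\d+)\b.*-j ACCEPT")


def accepted_tcp_ports(iptables_save):
    """Set of destination ports that have a TCP ACCEPT rule."""
    ports = set()
    for line in iptables_save.splitlines():
        m = ACCEPT_RULE.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def audit(role, iptables_save):
    """Report ports open beyond the role's list (and which of those are
    installation leftovers) plus required ports that are not open."""
    open_ports = accepted_tcp_ports(iptables_save)
    allowed = ALLOWED[role]
    unexpected = sorted(open_ports - allowed)
    return {
        "unexpected": unexpected,
        "install_leftovers": [p for p in unexpected if p in INSTALL_ONLY],
        "missing": sorted(allowed - open_ports),
    }


# Constructed iptables-save output for the oim server after installation:
# 7777 and SSH were never removed and 23943 was never added.
SAMPLE_OIM_RULES = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4446 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12701 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    print(audit("oim", SAMPLE_OIM_RULES))
```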
H.6 Configure OIM Security settings
[OSS.1] On the Windows Administration Client, open the OIM Design Console using
the icon on the desktop, or running xlclient.cmd from
OIM_DC_HOME\xlclient and login using the xelsysadm user and their
password (see step [OIM.4] for where it was set).
[OSS.2] Click on the + next to Administration -> double click on System
Configuration. Note: a single click will NOT work. The system
configuration form is displayed.
[OSS.3] Click on the binoculars/query button. The system configuration
table tab appears next to the system configuration form. The
system configuration form displays key 1, Organization
Process Inheritance.
[OSS.4] Click on System Configuration Table tab. A total of 57 configuration
options are on display. By clicking on any row of this table, the system
configuration form is updated. Fields should be updated by changing
the values as specified below on the system configuration form and
clicking save.
[OSS.5] The following table identifies the row numbers, the name of the field, and the
value with which the column is to be updated:
Keyword for update                 Value to update on system configuration form   Select Save button on system configuration form
XL.PendingApproval.DayLimit        0                                              Press save
XL.DirectProvision                 FALSE                                          Press save
ORG.DisableDeleteActionEnabled     FALSE                                          Press save
XL.UserProfileAuditDataCollection  Resource Form                                  Press save
XL.MaxLoginAttempts                10000                                          Press save
XL.MaxPasswordResetAttempts        10000                                          Press save
XL.SelfRegistrationAllowed         FALSE                                          Press save
PCQ.PROVIDE_DURING_SELFREG         FALSE                                          Press save
PCQ.FORCE_SET_QUES                 FALSE                                          Press save
XL.EnableExceptionReports          TRUE                                           Press save
[OSS.6] All other values may be configured to adjust the behaviour of OIM without
compromising security. The values above must not be changed for security
reasons.
The single exception is the system configuration table row for
XL.SelfRegistrationAllowed above. Setting it to TRUE is permitted only if an
approval task is configured for user self registration. See K.4 in this Guide for
how to configure this; otherwise self-registration must remain off (set FALSE
as above).
[OSS.7] Re-start OIM server:
oracle> su oracle
$ opmnctl stopall
$ opmnctl startall
H.7 Configure OIM Password policy
The strength of the password mechanism is essentially configurable by using
an OIM password policy. Controls that strengthen the mechanism include
setting a limit for the number of failed logon attempts before the user’s account
is locked. Also, setting a complexity check function for passwords can ensure
all passwords are over a certain length, contain certain types of characters, or
conform to other rules (such as not using certain substrings). Furthermore, time
limits on passwords (i.e. a user must change his password after a given number
of days) can reduce the time available to an attacker when guessing a particular
user’s password.
This section provides the steps required to configure and activate an OIM
password policy that ensures the password mechanism is configured securely.
Note: if a user’s account becomes locked due to the number of failed password
attempts being exceeded, this suggests automated attack. The cause should be
identified and neutralised before resetting the account.
[OPP.1] On the Windows Administration Client, open the OIM Design Console using
the icon on the desktop, or running xlclient.cmd from
OIM_DC_HOME\xlclient and login using the xelsysadm user and their
password (see step [OIM.4] for where it was set).
[OPP.2] The general approach to be used for defining and applying password policies in
OIM is as follows:
1. Specify a rule for the users to which you wish to apply the password
policy;
2. Specify the password policy;
3. Add the rule specified in (1) to the Resource Object that includes the
users to whom the password policy should apply. E.g. Xellerate
User.
The detailed steps to achieve this for the basic ECG password policy in the
Design Console are specified below.
STEP 1: Specify a rule for the users to which you wish to apply the password
policy
[OPP.3] Click on Resource Management -> double click on Rule
Designer -> click on the binoculars/query button. The Rule
Designer Table is displayed next to the Rule Designer tab.
[OPP.4] Right-click on the Rule Designer tab, and click New. In the Name field
type WorksForOracle and in description type Rule to
determine if the user works for the organization,
Oracle. Under Type select General. Press save.
[OPP.5] Click on Add Element. The Edit Rule Element dialog is displayed.
Under Attribute select Organization Name. Under Operation
select ==. Under Attribute value type Oracle. Click on save. Click on
Close. If prompted with the Are you sure that you want to
close without saving your work?, click Yes. Bear in mind that
the rule element has been saved, this screen is an error.
[OPP.6] Click on the Rule Designer tab, and click New. In the Name field type
IsXellerateType, for Operation select OR and in description type
Rule to determine if the user is Xellerate. Under Type
select General. Press save.
[OPP.7] Click on Add Element. The Edit Rule Element dialog is displayed.
Under Attribute select Role. Under Operation select ==. Under
Attribute value type Xellerate User. Click on save. Click
Close. If prompted with the Are you sure that you want to
close without saving your work?, click Yes. Bear in mind that
the rule element has been saved, this screen is an error.
STEP 2: Specify the password policy
[OPP.8] Click on Administration -> double click on Password Policies.
[OPP.9] In Policy name type ECG_OIM. In Policy Description type
Password policy for OIM ECG.
[OPP.10] In the Policy Rules tab, set the following values (leaving all others blank):
Minimum length: 6
Warn After (Days): 50
Expires After (Days): 60
Disallow Last 24 Passwords {this is the maximum allowed within OIM}
Select Custom Policy radio button
Maximum Repeated Characters: 2
Minimum Numeric Characters: 0
Minimum Uppercase Characters: 0
Characters Not Allowed: !"£%^&*()-,./?;:'@~[{]}\|`¬
(Note: the $, _ and # are allowed because an Oracle database will accept
these characters in passwords.)
Click Disallow First Name; Disallow User ID and Disallow
Last Name.
Click save.
STEP 3: Add the rule specified in STEP 1 to the Resource Object that includes
the users to whom the password policy should apply. E.g. Xellerate
User.
[OPP.11] Click on Resource Management -> double click on Resource
Objects -> click on the binoculars/query button. The Resource
Objects Table is displayed next to the Resource Management tab.
Click on Resource Objects Table and Xellerate User row. Click
on Resource Objects. Click on Password Policies tab within the
Resource Object form.
[OPP.12] Click on Add. Double click on Rule and select WorksForOracle. Double
click on Policy and select ECG_OIM. Enter 1 in the Priority Column.
Click save.
[OPP.13] Click on Add. Double click on Rule and select IsXellerateType.
Double click on Policy and select ECG_OIM. Enter 2 in the Priority
Column. Click save.
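The ECG_OIM rules written out as a checker, added here as an example and not OIM's own implementation: a candidate password is tested against the [OPP.10] values and the 50/60-day timings. How "Maximum Repeated Characters" counts, the case-insensitive name checks and the SHA-256 history list are my assumptions, not taken from the guide.

```python
"""Added example (not OIM's implementation): the ECG_OIM policy rules of
[OPP.10] as a checker for candidate passwords.

Assumptions of mine, not from the guide: 'Maximum Repeated Characters'
caps how often any one character may occur; the name and user ID rules are
case-insensitive substring checks; the 'last 24 passwords' history is
modelled as a list of SHA-256 digests."""
import hashlib
from collections import Counter
from datetime import date

MIN_LENGTH = 6
MAX_REPEATED = 2
HISTORY_SIZE = 24
WARN_AFTER_DAYS = 50
EXPIRES_AFTER_DAYS = 60
# 'Characters Not Allowed' from the policy; $, _ and # stay permitted
DISALLOWED = set("!\"£%^&*()-,./?;:'@~[{]}\\|`¬")


def password_digest(password):
    """Digest used for the history comparison in this example."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, user_id, first_name, last_name, history=()):
    """Return the rule violations; an empty list means the password passes.
    'history' is a sequence of digests of the user's previous passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted(set(password) & DISALLOWED)
    if bad:
        problems.append("contains disallowed characters " + "".join(bad))
    most_common = Counter(password).most_common(1)
    if most_common and most_common[0][1] > MAX_REPEATED:
        char = most_common[0][0]
        problems.append(f"character {char!r} repeated more than {MAX_REPEATED} times")
    lowered = password.lower()
    for label, value in (("user ID", user_id), ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains the {label}")
    if password_digest(password) in list(history)[-HISTORY_SIZE:]:
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


def expiry_status(last_changed_iso, today_iso):
    """'ok', 'warn' once the password is 50 days old, 'expired' at 60 days
    (the boundary treatment is this example's choice)."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age >= EXPIRES_AFTER_DAYS:
        return "expired"
    if age >= WARN_AFTER_DAYS:
        return "warn"
    return "ok"


if __name__ == "__main__":
    print(check_password("john!", "jsmith", "John", "Smith"))
    print(expiry_status("2011-10-20", "2011-12-14"))
```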
H.8 Configure Attestation Scheduled task
When an attestation task has been completed, the Attestation scheduled task
must be enabled to put it into effect. This is achieved using the following steps:
[ATT.1] Open IE7 on the Windows Administrative client.
In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press
<ENTER>.
[ATT.2] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm. The password will be the one
specified in step [OIM.4].
[ATT.3] Click on Resource Management -> Manage Scheduled Task.
[ATT.4] Select Scheduled Task name from the drop down. In the box next to it
type Initiate Attestation Processes.
[ATT.5] Click on Initiate Attestation Processes -> Edit.
[ATT.6] Change status to Enabled.
[ATT.7] Change Frequency to Every hour.
[ATT.8] Ensure Next Start is set to today’s date.
[ATT.9] Click Continue. Click Save Changes.
Annex I Oracle Identity Management Connectors
This Annex specifies how to install the OIM Connectors that enable OIM to
interoperate with the Database and OID Servers.
It requires a working OIM patched to 9.1.0.2 (See Annex D); a Windows
Administration Client configured as per section 3.2 of this document; and the
installation of the target OID and Database instances as per Annexes E and F
respectively. Both the Database and OID should be started up as per Annex B.2
and B.3.
Note: local configuration of Connectors using Firefox, or another browser
on the OIM server will not work.
I.1 Install the Database Connector
These steps are adapted to be more prescriptive from [DBCG, 2], however the
steps are the same. If problems are experienced, it is worth being able to quote
from [DBCG, 2] in communication with Oracle Support.
[CON.1] Copy the following scripts:
OIM_HOME/XLIntegrations/DatabaseAccess/SQLScripts/OIM.sh;
OIM_HOME/XLIntegrations/DatabaseAccess/SQLScripts/*.sql
to the odb machine in /tmp. Then run the following commands in a terminal
window as root on odb:
oradb> su root
# cd /tmp
# cp ./OIM.sh /u01/app/oradb/product/10.2.0/db/config
# cp ./*.sql /u01/app/oradb/product/10.2.0/db/config
# cd /u01/app/oradb/product/10.2.0/db/config
# chown oradb:oinstall *
# chmod 750 *
# exit
[CON.2] Run the following commands in the same terminal window as oradb on odb:
oradb> su - oradb
oradb> sqlplus / as sysdba
SQL> create user oim_provision_user identified by <secure password>;
(The password should be at least 6 characters, not a dictionary word,
alpha-numeric with at least one number and one capital letter, and optionally
one special character from the following: $, _, #.)
SQL> grant connect, dba to oim_provision_user;
SQL> quit
oradb> ./OIM.sh
When prompted enter the following:
Enter the ORACLE_HOME : /u01/app/oradb/product/10.2.0/db
Enter the System User name sys
Enter the name of the database :: odb
System User is Connecting to Oracle
Enter password
<password for sys> see [ODB.27]
Enter value for username: oim_provision_user
Enter the username as many times as requested.
The above commands create the OIM provisioning user on the database and
assign the required privileges to it. This user will be configured later in
OIM for provisioning OIM data to odb. The OIM.sh script sets up the
database for use with OIM.
[CON.3] On the OIM server check that the ojdbc14.jar file is in
$OIM_HOME/xellerate/ThirdParty.
If not copy ojdbc14.jar from odb:$ORACLE_HOME/jdbc/lib to
$OIM_HOME/xellerate/ThirdParty on the OIM Server.
[CON.4] On the OIM Server, run the following command in a terminal window as
oracle:
oracle> cp -r /space/src/oracle/Connectors/Database_UM_90450 $OIM_HOME/xellerate/ConnectorDefaultDirectory
[CON.5] Open IE7 on the Windows Administrative client.
Note: the browser must be IE5 or above or the installation of the Connectors will fail.
In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press
<ENTER>.
[CON.6] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm. The password will be the one
specified in step [OIM.4].
[CON.7] Click Deployment Management and then click Install Connector.
[CON.8] From the Connector List, select Database Access 9.0.4.5.
[CON.9] Click Load.
[CON.10] To start the installation process, click Continue.
[CON.11] The following tasks are performed in sequence:
a. Configuration of connector libraries
b. Import the connector Target Resource user configuration XML file
(by using the Deployment Manager).
c. Compilation of adapters.
Each task should complete successfully with a green tick beside each. A
message is also displayed indicating successful installation. This message also
provides a list of steps that must be completed next.
[CON.12] Complete the following pre-requisites applicable to an Oracle database
connection:
The connector files to be copied and the directories to which you must copy them are as below:
Files in the config directory --> OIM_HOME/xellerate/XLIntegrations/DatabaseAccess/config
Files in the test/config directory --> OIM_HOME/xellerate/XLIntegrations/DatabaseAccess/config
Files in the test/scripts directory --> OIM_HOME/xellerate/XLIntegrations/DatabaseAccess/scripts
Depending on the target system, perform the steps given below to copy external code files:
For connectors used with Oracle Database 10g, the required external code file is ojdbc14.jar. This JAR file is available in the Oracle Database installation at ORACLE_HOME/jdbc/lib. Copy the required JAR file (ojdbc14.jar) into the OIM_HOME/xellerate/ThirdParty directory.
[CON.13] When the pre-requisites have been addressed, the next step is to configure an
IT resource for the Database. Expand Resource Management in the
Administrative and User Console.
[CON.14] Click Create IT Resource.
[CON.15] On the Step 1: Provide IT resource Information screen,
Enter odb in the IT resource name, and select Database server by
clicking on the magnifying glass icon and clicking the appropriate radio button.
Click on Continue. Leave Remote Manager field blank.
[CON.16] On the Step 2: Specify IT Resource Parameter Values screen, enter the following values:
Parameter name          Value to be entered
DatabaseName            odb
DataBaseType            Oracle
delay_retry             10000
Driver                  oracle.jdbc.driver.OracleDriver
isSecure                No
max_retry               3
Password                <Password for oim_provision_user on DB>
TargetLocale:Country    US
TargetLocale:Language   En
URL                     jdbc:oracle:thin:@oraclehost.<domain>:1521:oracledatabase
                        e.g. jdbc:oracle:thin:@odb.sme1.com:1521:odb
UserID                  oim_provision_user
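As an added example (not part of the guide and not OIM code), the following Python checks a [CON.16] parameter set before it is typed into the console: it parses the jdbc:oracle:thin host:port:SID URL and confirms that the SID agrees with DatabaseName, that the thin driver class is named, that the retry values are integers and that no angle-bracket placeholder is left in. The parameter names are those of the IT resource screen; the function names and the sample password are assumptions.

```python
import re

# jdbc:oracle:thin:@host:port:SID, the form the CON.16 table uses.
THIN_URL = re.compile(
    r"^jdbc:oracle:thin:@(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):"
    r"(?P<port>\d{1,5}):(?P<sid>[A-Za-z0-9_$#]+)$"
)

EXPECTED_DRIVER = "oracle.jdbc.driver.OracleDriver"


def parse_thin_url(url):
    """Split a thin URL into (host, port, sid); raise ValueError for anything else."""
    m = THIN_URL.match(url)
    if not m:
        raise ValueError("not a jdbc:oracle:thin:@host:port:SID URL: " + url)
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return m.group("host"), port, m.group("sid")


def check_it_resource(params):
    """Return the list of inconsistencies in a CON.16 parameter set (empty = consistent)."""
    problems = []
    # A value such as <Password for oim_provision_user on DB> was never replaced.
    for key in ("DatabaseName", "Driver", "URL", "UserID", "Password", "max_retry", "delay_retry"):
        if "<" in str(params.get(key, "<missing>")):
            problems.append(key + " still holds a placeholder")
    if problems:
        return problems
    try:
        host, port, sid = parse_thin_url(params["URL"])
    except ValueError as err:
        return [str(err)]
    if sid.lower() != params["DatabaseName"].lower():
        problems.append("URL SID %r does not match DatabaseName %r" % (sid, params["DatabaseName"]))
    if params["Driver"] != EXPECTED_DRIVER:
        problems.append("Driver should be " + EXPECTED_DRIVER)
    for key in ("max_retry", "delay_retry"):
        if not str(params[key]).isdigit():
            problems.append(key + " must be a non-negative integer")
    return problems


if __name__ == "__main__":
    # Constructed parameter set following the table; the password is a sample.
    sample = {"DatabaseName": "odb", "DataBaseType": "Oracle", "delay_retry": "10000",
              "Driver": EXPECTED_DRIVER, "isSecure": "No", "max_retry": "3",
              "Password": "Example1", "URL": "jdbc:oracle:thin:@odb.sme1.com:1521:odb",
              "UserID": "oim_provision_user"}
    print(check_it_resource(sample) or "consistent")
```

Running the check against the table's own example URL (odb.sme1.com, port 1521, SID odb) returns no problems; a URL whose SID differs from DatabaseName is the mistake the Step 5 connection test in [CON.19] would otherwise surface only after the resource has been created.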
[CON.17] On the Step 3: Set permission to IT Resource screen, accept
default by clicking on Continue.
[CON.18] On the Step 4: Verify IT Resource Details screen, accept
default by clicking on Continue.
[CON.19] On the Step 5: IT Resource Connection Result screen, the
connection test passes. Click on Continue.
[CON.20] On the Step 6: IT Resource Created screen, click on Finish.
[CON.21] Run the following commands in a terminal window on the OIM Server as
oracle:
oracle> su - oracle
oracle> sqlplus oim_manager/<oim_manager password>
SQL> ALTER TABLE SVP MODIFY SVP_FIELD_VALUE VARCHAR2(2000);
SQL returns “Table altered.”
SQL> QUIT
The Database Connector has now been installed.
I.2 Install the Oracle Internet Directory Connector
These steps are adapted to be more prescriptive from [OCG, 2]. If problems are
experienced, it is worth being able to quote from [OCG, 2] in communication
with Oracle Support.
[CON.22] On the OIM Server, run the following command in a terminal window as
oracle:
oracle> cp -r /space/src/oracle/Connectors/Oracle_OID_90450 $OIM_HOME/xellerate/ConnectorDefaultDirectory
[CON.23] On the OIM Server, run the following command in a terminal window as
oracle:
oracle> cd $OIM_HOME/xellerate/ConnectorDefaultDirectory/Oracle_OID_90450/Batch/custom
Modify the commands in custom.bat to provide the host name, port, OID
superuser DN and password, for example:
oracle> nano custom.bat
The three commands should then read as follows, where oim is the {host}, 389
the {port}, "cn=orcladmin" the {OID superuser} and ias_pwd the {password};
the bracketed labels are descriptive and must not be entered in custom.bat:
ldapmodify -h oim -p 389 -D "cn=orcladmin" -w ias_pwd -c -f customRoleOccupant.ldif
ldapadd -h oim -p 389 -D "cn=orcladmin" -w ias_pwd -c -f customIndex.ldif
ldapmodify -h oim -p 389 -D "cn=orcladmin" -w ias_pwd -c -f customOrganizationalRole.ldif
Save with ctrl-O and exit with ctrl-X.
Then run the following commands in the terminal window on the OIM server:
oracle> chmod 770 custom.bat
oracle> mv custom.bat custom.sh
Copy custom.sh onto the oid server in the following location: /tmp
Run custom.sh on oid as orainfra with oid running:
oid> /tmp/custom.sh
[CON.24] On oid, in a terminal window as orainfra, run the following commands:
orainfra> catalog connect="INFRA1DB" add="TRUE" attribute="modifytimestamp"
orainfra> opmnctl stopall
orainfra> opmnctl startall
[CON.25] Use the commands in [OCG, 2.3] to download ldap.jar and ldapbp.jar from the
Oracle/Sun Web site. These files should be copied into
$OIM_HOME/xellerate/ThirdParty on the OIM server.
[CON.26] On the Windows Administration Client computer, open IE7.
Note: the browser must be IE5 or above or the installation of the Connectors will fail.
[CON.27] In the URL bar, enter http://oim.oim-test.com:7777/xlWebApp/ and press
<ENTER>.
[CON.28] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm. The password will be as
specified in step [OIM.4].
[CON.29] Click Deployment Management and then click Install Connector.
[CON.30] From the Connector List, select Oracle_OID_90450.
[CON.31] Click Load.
[CON.32] To start the installation process, click Continue.
[CON.33] The following tasks are performed in sequence:
a. Configuration of connector libraries
b. Import the connector Target Resource user configuration XML file
(by using the Deployment Manager).
c. Compilation of adapters.
Each task should complete successfully with a green tick beside each. A
message is also displayed indicating successful installation. This message also
provides a list of steps that must be completed next.
[CON.34] The pre-requisites have already been addressed, so skip these.
[CON.35] The next step is to configure an IT resource for the Internet Directory.
Expand Resource Management in the Administrative and User
Console.
[CON.36] Click Create IT Resource.
[CON.37] On the Step 1: Provide IT resource Information screen,
Enter oid in the IT resource name, and select OID server by
clicking on the magnifying glass icon and clicking the appropriate radio button.
Click on Continue. Leave Remote Manager field blank.
[CON.38] On the Step 2: Specify IT Resource Parameter Values
screen, enter the following values:
Parameter name                        Value to be entered
Admin Id                              cn=orcladmin
Admin Password                        <password for cn=orcladmin>
CustomizedReconQuery                  <Leave blank>
Last Target Delete Recon TimeStamp    <Leave blank>
Last Trusted Recon TimeStamp          <Leave blank>
Last Trusted Delete Recon TimeStamp   <Leave blank>
Last Target Recon TimeStamp           <Leave blank>
Port                                  389
Prov Attribute Lookup Code            AttrName.Prov.Map.OID
Recon Attribute Lookup Code           AttrName.Recon.Map.OID
Root DN                               e.g. o=acme
Server address                        IP address of Directory server, e.g. 172.20.18.211
SSL                                   False
Use XL Org Structure                  False
[CON.39] On the Step 3: Set permission to IT Resource screen, accept
default by clicking on Continue.
[CON.40] On the Step 4: Verify IT Resource Details screen, accept
default by clicking on Continue.
[CON.41] On the Step 5: IT Resource Connection Result screen, note
that the top line states “Test connectivity is not supported for the IT Resource
Type OID Server.” However, in red at the bottom of the screen a message
“Click back to correct the connection parameters and re-test connection ...” is
displayed. The top message is true and the bottom message is misleading. Click
on Continue. The connection will be tested later when the resource is
configured.
[CON.42] On the Step 6: IT Resource Created screen, click on Finish.
The OID Connector has now been installed.
Annex J Configure Database and Internet Directory Connectors
The full range of features and configuration items for Database and OID
Connectors are specified in [DBCG, 3] and [OCG, 3]. The instructions in this
document configure the Database as a resource for provisioning from OIM, and
OID as a trusted source for reconciliation.
This set up was used by the evaluators as a starting point configuration for their
testing.
J.1 Database Connector Configuration
[CON.43] On the Windows Administration Client, open the OIM Design Console using
the icon on the desktop, or running xlclient.cmd from
OIM_DC_HOME\xlclient and login using the xelsysadm user and their
password (see step [OIM.4] for where it was set).
[CON.44] Click on the + next to Development Tools, and double click on
Adapter Manager. Note: a single click will NOT work.
The Compile All Adapters form tab is shown in the display pane.
[CON.45] Click on Compile All and then click Start to compile adapters.
J.2 Configure Database Provisioning Test data
In order to test OIM the Oracle DB was used as a resource to which users in
OIM can be provisioned. Within OIM an Organization named Oracle was
created along with 3 user groups: Oracle Users, DBAs and Oracle Managers.
OIM is configured such that the Oracle Managers group had Administration
privileges over the 2 other groups.
An Access Policy is created that automatically provisions users within the
DBA group with the Oracle Database resource. In addition, members of the
other 2 Oracle groups could request the Oracle Database resource subject to the
approval of the user’s Manager.
The steps that implement this configuration are as follows continuing on the
Administrative Design Console:
J.2.1 Configure User types
Goal: adds a number of user types to the Lookup called by the Create User
menu item in the Admin and User Console.
[CON.46] Click on Administration and Double click on Lookup Definition.
The Lookup Definition form tab is shown in the display pane.
[CON.47] In the Code field type Lookup.Users.Role, then select menu item
ToolBar and click Query.
Under Group field enter “OIM Evaluation”.
[CON.48] Click Add, and provide entries for
Oracle Manager
Oracle User
Oracle DBA
Xellerate {this will be used for XELSYSADM user}
J.2.2 Configure Rules for User types
Goal: Add a rule for each user type that will be tested during system events
like user creation/modification to determine whether a user is or has been
associated with user type. Rules can then be used to trigger work flows within
OIM e.g. provision a user in group Oracle DBA without requiring that they
have approval from a manager.
[CON.49] Click on Resource Management and double click on Rule Designer.
The Rule Designer tab is shown in the display pane.
[CON.50] In the Name field type IsOracleManager.
[CON.51] Select type General.
[CON.52] In Description field type Rule to determine if a user is an
Oracle Manager based on Employee type. Click save button.
[CON.53] Click on Add Element.
Edit Rule Element dialog is displayed.
[CON.54] Select Attribute as Role, Operation as == and enter Attribute
value as Oracle Manager. Click the save button and close; answer Yes to
the confirm-save dialog box (it is already saved anyway).
[CON.55] Right click on Rule Designer tab at the bottom of the console, and select
New.
[CON.55] Repeat steps [CON.50] to [CON.55] to create rules for IsOracleUser and
IsOracleDBA.
J.2.3 Configure Database Provisioning Form
Goal: Process definitions are used within OIM to specify work flows, e.g. a
provisioning process to create an OIM user identity within a resource like an
Oracle database. Each process has a form that specifies the data to be used.
Process definitions can be configured according to the desired behaviour. In
this case, by clicking on “auto pre-populate”, we are telling OIM to run the
pre-populate adapters for any data items in the associated form, where
present. These pre-populate adapters populate the fields on the form with
data.
In this case, we want to pre-populate the IT Resource (odb), the Username and
the Password; the mapping of those fields is done in J.2.5.
[CON.56] Click on Process Management and double click on Process
Definition.
The Process Definition tab is shown in the display pane.
[CON.57] Right click on Process Definition tab at the bottom of the console, and
select Query.
[CON.58] Click on Process Definition Table tab. Click on Database
Access Oracle User. Note the associated form is UD_DB_ORA_U.
[CON.59] Click on Process Definition tab. Click Auto Pre-populate and
Auto Save Form. Click the save button.
J.2.4 Specify the Pre-populate Rule for use during Database Access Oracle User process
Goal: This configures a rule used to determine when the UD_DB_ORA_U form
(i.e. the form used to inform the provisioning of the database) will be
pre-populated. In this case, it will be performed when the user processed by
OIM is part of the Oracle organization.
The object from which the data will be pre-populated is the Database
Access Oracle User RO (Resource Object), and the process calling the
auto pre-populate is Database Access Oracle User.
[CON.60] Click on Rule Designer tab, and right click the tab and select New.
[CON.61] In the Name field type Oracle Prepopulate Rule.
[CON.62] In the Description field type Prepopulate fields in the
Provisioning Form.
[CON.63] In the Type field select Pre-populate.
[CON.64] In the Sub-Type field select User Provisioning.
[CON.65] Double click in the Object field and select Database Access Oracle
User RO.
[CON.66] Double click in the Process field and select Database Access
Oracle User RO. Click the save button.
[CON.67] Click on Add Element.
Edit Rule Element dialog is displayed.
[CON.68] Select Attribute source as Request Target Information,
Attribute as Organization Name, Operation as == and enter
Attribute value as Oracle. Click the save button and close; answer
Yes to the confirm-save dialog box (it is already saved anyway).
J.2.5 Modify the UD_DB_ORA_U form to pre-populate the data we need to create a user identity in the database.
Goal: modify the form so that username, password and IT Resource
are pre-populated when the rule defined above (Oracle Prepopulate
Rule) is true, i.e. the user is in the Organization called Oracle.
The tool in OIM that actually performs the work is an Adapter that works out
of the box from the database connector. The Adapter is called DB
Prepopulate UserLogin.
[CON.69] Click on Development Tools, and double click on Form Designer.
Form Designer tab is opened in display pane.
[CON.70] Right Click on Form Designer, and click on Query.
Form Designer Table tab is opened in display pane with UD_DB_ORA_R in
Table name. Use Form Designer Table tab to locate
UD_DB_ORA_U, select it, and click YES. Control is then returned to Form
Designer Table with UD_DB_ORA_U in Table name.
[CON.71] Click on Create New Version.
[CON.72] In the Label field enter Version 2. Save and Close.
[CON.73] In Current Version select Version 2.
[CON.74] Click the Pre-Populate tab. Click Delete and YES. Click Add. Input the
following:
[CON.75] Field Name : IT Resource.
[CON.76] Double click in the Rule field and select Oracle Prepopulate Rule.
[CON.77] Double click in the Adapter field and select DB Prepopulate
UserLogin.
[CON.78] Order : 1.
[CON.79] Click Save.
[CON.80] Select the inputValue and click on Map, input the following:
[CON.81] Map To : IT Resources.
[CON.82] Qualifier : odb.
[CON.83] Save and Close and Close.
[CON.84] On the Pre-Populate window click Add. Input the following:
[CON.85] Field Name : Username.
[CON.86] Double click in the Rule field and select Oracle Prepopulate Rule.
[CON.87] Double click in the Adapter field and select DB Prepopulate
UserLogin.
[CON.88] Order : 2.
[CON.89] Click Save.
[CON.90] Select the inputValue and click on Map, input the following:
[CON.91] Map To : User Definition.
[CON.92] Qualifier : User Login.
[CON.93] Click Save and Close and Close.
[CON.94] On the Pre-Populate window click Add. Input the following:
[CON.95] Field Name : Password.
[CON.96] Double click in the Rule field and select Oracle Prepopulate Rule.
[CON.97] Double click in the Adapter field and select DB Prepopulate
UserLogin.
[CON.98] Order : 3.
[CON.99] Click Save.
[CON.100] Click on Map, input the following:
[CON.101] Map To : User Definition.
[CON.102] Qualifier : Password.
[CON.103] Click Save and Close and Close.
[CON.104] Click Make Version Active.
[CON.105] Click Save and Close.
J.2.6 Configure Approval processes: suppress the standard approval
[CON.106] Select Process Management -> double click Process Definition.
[CON.107] Search for Standard Approval on the Process Definition
Table tab. Click on it.
[CON.108] Back on the Process Definition tab, select the Tasks tab.
[CON.109] Double click on the grey area on the left of the Approve Task. This will open
the configuration for the task after asking if you want to close without saving
your work (to which you reply YES; it’s an ambiguity in the user interface). If
you click anywhere else nothing happens.
[CON.110] Click on the Integration tab, click Add, select the System radio button.
[CON.111] Select the tcCompleteTask Handler. Save and close. When prompted
for completing without saving, click YES; it’s an ambiguity in the user
interface.
J.2.7 Configure Approval processes: create new Database approval
[CON.112] Select Process Management -> double click Process Definition
[CON.113] In the name field, type Database Access
[CON.114] Double click in the field Type and select Approval and OK.
[CON.115] Double click in the Object Name field and select Database Access
Oracle User RO and OK.
[CON.116] Table Name: leave this blank.
[CON.117] Click Save.
[CON.118] Under the Tasks tab click Add and input the following:
[CON.119] For Task Name enter Managers Approval.
[CON.120] Description: Managers approval process for the database
resource.
[CON.121] Click Save.
[CON.122] Select the Assignment tab, double click in the Target type field
[CON.123] Select Target User’s Manager
[CON.124] Remove the XELSYSADM entry from the User field.
[CON.125] Click the General Tab, and under Task Properties box, find Task
Effect and select Enables Process or Access to
Application. Click Save and Close. In response to the closing form
click YES; it’s an ambiguity in the user interface.
[CON.126] Click Save and Close the Process Definition.
J.2.8 Create new Organisation and related Groups
These configuration steps must be run from the Windows Administration client
computer, using the OIM Administrative and User Console.
Goal: to create an organization Oracle, and three groups, one for each
employee type created above. Rules are also put in place to ensure automatic
allocation of users for each employee type into the correct access control
group.
[CON.127] On the Windows Administration Client computer, open IE7.
[CON.128] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press
<ENTER>.
[CON.129] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm. The password will be as
specified in step [OIM.4].
[CON.130] Click on Organizations -> Create
[CON.131] Enter a Name: Oracle.
[CON.132] Click on the Create button.
[CON.133] Click on User Groups -> Create
[CON.134] Enter a Group Name: Oracle Managers
[CON.135] Click on the Create button.
[CON.136] On the Group Details screen, select Membership Rules from the
dropdown menu.
[CON.137] Click on the Assign Rules button.
[CON.138] Select the IsOracleManager tick box and click the Assign button.
[CON.139] Click on the Confirm Assign button.
Repeat the steps [CON.133] to [CON.139] to create Groups named Oracle
Users and Oracle DBA, assigning the IsOracleUser and IsOracleDBA rules
respectively. These steps ensure that each group has the appropriate rule
assigned to it, so that when users of the respective employee types are
created, they are added to their respective access control groups
automatically.
J.2.9 Assign Xellerate built in users a suitable employee type
Goal: ensure the Xellerate users are of suitable employee type so that
operations on them (e.g. change password) work correctly.
[XEL.1] Click on Users-> Manage
[XEL.2] Click on the Search Users button.
[XEL.3] Find xelsysadm from the list and select it.
[XEL.4] Change Employee Type to Xellerate. Click Save.
J.2.10 Create Menu Items for the Oracle Manager Group
Goal: ensure that the Oracle Manager user group is able to manage users (e.g.
provision them or delete them), request their own resource access (e.g. to the
database) and check their open tasks (e.g. a request to access the database from
a more junior member of Oracle staff).
[CON.140] Click on User Groups -> Manage
[CON.141] Click on the Search button.
[CON.142] Select Oracle Managers from the list.
[CON.143] Select Menu Items from the drop down list.
[CON.144] Click on the Assign Menu Items button.
[CON.145] Locate and select (click the tick for) the menu items below. When all items are
ticked on the screen that you can see, Click on Confirm Assign button, and
then click on Assign Menu Item to continue assigning items on the next
relevant screen. The items are:
[CON.146] Manage Users menu item
[CON.147] Request Resources menu item.
[CON.148] To-Do List Open Tasks menu item.
J.2.11 Reconcile the Roles and Privileges from odb so they can be assigned
to users provisioned to the database.
[CON.149] On the Windows Administration Client, open the OIM Design Console using
the icon on the desktop, or running xlclient.cmd from
OIM_DC_HOME\xlclient and login using the xelsysadm user and their
password (see step [OIM.4] for where it was set).
[CON.150] Click on the + next to Administration, and double click on Task
Scheduler. Note: a single click will NOT work.
[CON.151] Click Query (i.e. the binoculars button, or right click on Task Scheduler
tab, and click Query). The results are displayed on the two available tabs.
[CON.152] Click on DBAccessLookupReconTask in the Task Schedule Table
tab. Click on Task Scheduler tab to edit fields.
[CON.153] On Max Retries enter 5.
[CON.154] Untick Disabled so that its check box is clear. Do the same if necessary for
Stop Execution.
[CON.155] In the Start region, double-click the Start Time field. From the
date-time editor that is displayed, select the date and time to cause
it to run in the next 5 minutes or so (i.e. soon).
[CON.156] In the Interval region, select the once interval for the task.
[CON.157] In the Task Attributes, enter the following entries by double clicking on
each Attribute value (for more information on the attribute meanings see
[OCG, pg 44]):
Attribute name       Attribute Value to be entered
Server               odb
LookupFieldName      UD_Lookup.DB_ORA_Roles
Exclusion List       None
[CON.158] Click Save. The scheduled task is created. The INACTIVE status is displayed
in the status field because the task is not currently running. The task is run
at the date and time set in [CON.155].
[CON.159] When the task has run, repeat the steps from [CON.155] but use
UD_Lookup.DB_ORA_Privileges in the LookupFieldName at
[CON.157].
Note: you can force the scheduled task to run immediately by using the
following click sequence from the User and Admin console:
Resource Management -> Manage Scheduled Task -> Search -> Last -> DBAccessLookupReconTask -> Run now
J.2.12 Create Provisioning Access Policy for DBA users
[CON.160] Click on Access Policies -> Create
[CON.161] Step 1, Enter Access Policy Name : Database Access
[CON.162] Enter Description : Access Policy to allow users in the
DBA Group to be provisioned with the database
resource.
[CON.163] Provision : Without Approval
[CON.164] Leave Retrofit Access Policy ticked.
[CON.165] Click Continue
[CON.166] Select Database Access Oracle User RO click Add
[CON.167] Click Continue
[CON.168] Click Continue
[CON.169] For IT resource leave these fields blank. The values will be pre-populated
at run-time by the rules configured above.
[CON.170] Click Continue
[CON.171] Click Continue (select the Revoke tick box to test what happens when
someone is no longer a DBA)
[CON.172] Step 3, Continue
[CON.173] Step 4, Select the DBA group, click Add
[CON.174] Click Continue
[CON.175] Under Resources to be provisioned by this access
policy, click edit next to Database Access Provisioning form
for Oracle User.
[CON.176] Select the drop down next to You can edit the additional
details data for this form: and click on Grant/Revoke
roles -> magnifying glass icon -> CONNECT radio button -> Select -> Add -> Close.
Note: this step and [CON.175] will only work if steps [CON.148] to
[CON.159] have been performed.
[CON.175] Step 5, click Create Access Policy.
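The rules of J.2.2, the Managers Approval process of J.2.7, the membership rules of J.2.8 and the access policy of J.2.12 together decide who gets the database resource and how. As an added example (not OIM code and not part of the guide), the following Python models that configuration so its outcomes can be checked offline before testing against the live system. The rule, group, organization, resource and policy names are the ones the guide creates; the Python identifiers, the User fields and the outcome when a requester has no manager are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    login: str
    role: str                       # Employee Type, the attribute the rules test
    organization: str               # Organization Name, tested by the pre-populate rule
    manager: Optional[str] = None   # login of the user's manager (the approver)
    groups: List[str] = field(default_factory=list)


# Rule Designer entries (J.2.2): attribute, operation, value.
RULES: Dict[str, Tuple[str, str, str]] = {
    "IsOracleManager": ("role", "==", "Oracle Manager"),
    "IsOracleUser": ("role", "==", "Oracle User"),
    "IsOracleDBA": ("role", "==", "Oracle DBA"),
}

# Membership rule assigned to each group (J.2.8).
MEMBERSHIP_RULES: Dict[str, str] = {
    "Oracle Managers": "IsOracleManager",
    "Oracle Users": "IsOracleUser",
    "Oracle DBA": "IsOracleDBA",
}

DB_RESOURCE = "Database Access Oracle User RO"

# Access policy (J.2.12): DBA group members get the database resource Without
# Approval; Revoke ticked means it is taken away when they leave the group.
ACCESS_POLICIES = {
    "Database Access": {"groups": {"Oracle DBA"}, "resources": {DB_RESOURCE}, "revoke": True},
}


def evaluate_rule(name: str, user: User) -> bool:
    attr, op, expected = RULES[name]
    if op != "==":
        raise ValueError("only the == operation is modelled")
    return getattr(user, attr) == expected


def apply_membership_rules(user: User) -> List[str]:
    """Recompute the user's groups from the rules, as OIM does on create/modify."""
    user.groups = [g for g, rule in MEMBERSHIP_RULES.items() if evaluate_rule(rule, user)]
    return user.groups


def prepopulate_form(user: User, it_resource: str = "odb") -> Optional[Dict[str, str]]:
    """Oracle Prepopulate Rule (J.2.4, J.2.5): UD_DB_ORA_U is filled only for the Oracle organization."""
    if user.organization != "Oracle":
        return None
    return {"IT Resource": it_resource, "Username": user.login,
            "Password": "<OIM password of " + user.login + ">"}


def request_decision(user: User, resource: str) -> Tuple[str, str]:
    """Outcome of a request for `resource`: provisioned by policy or routed for approval.

    Without a matching access policy the Database Access approval process
    (J.2.7) assigns its Managers Approval task to the target user's manager.
    """
    for name, policy in ACCESS_POLICIES.items():
        if resource in policy["resources"] and set(user.groups) & policy["groups"]:
            return ("provisioned", "access policy " + name + " (Without Approval)")
    if user.manager is None:   # assumed: nobody to assign the task to
        return ("blocked", "no manager to assign Managers Approval to")
    return ("pending", "Managers Approval assigned to " + user.manager)


def resources_to_revoke(user: User, held_by_policy: Dict[str, str]) -> List[str]:
    """Policy-granted resources (resource -> policy name) to revoke after a group change."""
    revoke = []
    for resource, name in held_by_policy.items():
        policy = ACCESS_POLICIES[name]
        if policy["revoke"] and not (set(user.groups) & policy["groups"]):
            revoke.append(resource)
    return revoke


if __name__ == "__main__":
    dba = User("jdoe", "Oracle DBA", "Oracle", manager="mboss")   # constructed test user
    apply_membership_rules(dba)
    print(dba.groups, request_decision(dba, DB_RESOURCE))
    dba.role = "Oracle User"            # no longer a DBA: Revoke applies
    apply_membership_rules(dba)
    print(resources_to_revoke(dba, {DB_RESOURCE: "Database Access"}))
```

Only resources the policy itself granted are candidates for revocation; a resource obtained through the Managers Approval route is not touched by the policy's Revoke setting, which is why the model tracks the granting policy per resource rather than the bare resource list.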
J.2.13 Update Resource Object settings
[CON.176] On the Windows Administration Client, open the OIM Design Console using
the icon on the desktop, or running xlclient.cmd from
OIM_DC_HOME\xlclient and login using the xelsysadm user and their
password (see step [OIM.4] for where it was set).
[CON.177] Click on Resource Management -> Resource Objects -> Binoculars
Button (Query). In the Resource Objects Table, click Database Access
Oracle User RO. Click on the Resource Objects tab. Database Access
Oracle User RO is displayed in the Object Definition.
[CON.178] Uncheck Auto Pre-populate; Check the following: Allow Multiple,
Auto Save, Self Request Allowed, Allow All, and Auto Launch.
Click Save. Exit the Design Client.
J.3 Oracle Internet Directory Connector Configuration
The following steps configure the installed OID instance to operate as a trusted
source for reconciliation.
These configuration steps must be run from a Windows Administration client
computer, using the OIM Administrative and User Console.
J.3.1 Run OIM user script to prepare for reconciliation
[OID.1] On the Windows Administration Client computer, open IE7.
Note: the browser must be IE5 or above.
[OID.2] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press
<ENTER>.
[OID.3] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm. The password will be as
specified in step [OIM.4].
[OID.4] Click the Deployment Management link on the left navigation bar.
[OID.5] Click the Import link under Deployment Management. A dialog box for
opening files is displayed.
[OID.6] Using Windows tools (see note 2 below):
Copy the oimUser.xml file from /space/src/oracle/Connectors/Oracle_OID_90450/xml
to a known location on the Windows Admin client (e.g. C:\temp).
Back in the OIM application, select this file from the copy location on the Windows Admin client.
Details of this XML file are shown on the File Preview page.
Click Add File.
[OID.7] The substitutions page is displayed. Click Next.
[OID.8] The confirmation page is displayed. Click Next.
Note 2: for this task the Admin and User Console on the OIM Server using the Firefox browser
can also be used. If there are Java problems on your Windows Client, this is a good
workaround while you get that sorted out. To use this, follow [OID.3] to [OID.5], then access the
oimUser.xml file directly using the path in [OID.6] and click Add File. Then follow from [OID.7].
[OID.9] Click Import.
[OID.10] Click Import when prompted by Are you sure? message.
Import Successful message should be displayed.
Close Window.
Continue configuration on the Design console as follows:
J.3.2 Configure scheduled task to execute reconciliation.
[OID.11] On the Windows Administration Client, open the OIM Design Console using
the icon on the desktop, or running xlclient.cmd from
OIM_DC_HOME\xlclient and login using the xelsysadm user and their
password (see step [OIM.4] for where it was set).
[OID.12] Click on the + next to Administration, and double click on Task
Scheduler.
[OID.13] Click Query (i.e. the binoculars button, or right click on Task Scheduler
tab, and click Query). The results are displayed on the two available tabs.
[OID.14] Click on OID Lookup Reconciliation Task in the Task
Schedule Table tab. Click on Task Scheduler tab to edit fields.
[OID.15] On Max Retries enter 5.
[OID.16] Untick Disabled so that its check box is clear. Do the same if necessary for
Stop Execution.
[OID.17] In the Start region, double-click the Start Time field. From the
date-time editor that is displayed, select the date and time at which
you want the task to run.
[OID.18] In the Interval region, select the desired interval for the task.
[OID.19] In the Task Attributes, enter the following entries by double clicking on
each Attribute value (for more information on the attribute meanings see
[OCG, pg 44]):
Attribute name       Attribute Value to be entered
LookupCodeName       Lookup.OID.Organization
ITResourceName       oid
SearchContext        ou=production,o=acme
ObjectClass          Organization
CodeKeyLTrimStr      [NONE]
CodeKeyRTrimStr      [NONE]
ReconMode            UPDATE
AttrType             Ou
[OID.20] Click Save. The scheduled task is created. The INACTIVE status is displayed
in the status field because the task is not currently running. The task is run
at the date and time set in [OID.17].
Note: you can force the scheduled task to run immediately by using the
following click sequence from the User and Admin console:
Resource Management -> Manage Scheduled Task -> Search -> OID Lookup Reconciliation Task -> Run now
[OID.21] Click on OID User Recon in the Task Schedule Table tab. Click on
Task Scheduler tab to edit fields.
[OID.22] On Max Retries enter 5.
[OID.23] Untick Disabled so that its check box is clear. Do the same if necessary for
Stop Execution.
[OID.24] In the Start region, double-click the Start Time field. From the
date-time editor that is displayed, select the date and time at which
you want the task to run.
[OID.25] In the Interval region, select the desired interval for the task.
[OID.26] In the Task Attributes, enter the following entries by double-clicking on
each Attribute value (for more information on the attribute meanings see
[OCG, pg 45-46]):
Attribute name         Attribute Value to be entered
IsNativeQuery          No
ITResourceName         Oid
ResourceObjectName     OID User
XLDeleteUsersAllowed   False
UserContainer          ou=production,o=acme
Keystore               [NONE]
Organization           Acme
Xellerate Type         End-User
Role                   acme production user
TrustedSource          True
PageSize               100
[OID.27] Click Save. The scheduled task is created. The INACTIVE status is displayed
in the status field because the task is not currently running. The task is run
at the date and time set in [OID.24].
Note: you can force the scheduled task to run immediately by using the
following click sequence from the User and Admin console:
Resource Management > Manage Scheduled Task > Search Last >
OID User Recon > Run now
J.3.3 Configure the roles for OID users within OIM.
[OID.28] Click on Administration and double-click on Lookup Definition.
The Lookup Definition form tab is shown in the display pane.
[OID.29] In the Code field type Lookup.Users.Role, then click Query on the
toolbar.
[OID.30] Click Add, and provide entries for
acme production user
acme delivery user
acme accounts user
J.3.4 Create the user test data for reconciliation in OID.
[OID.31] In OID, create the following entries in the directory hierarchy to use as test
data for reconciliation:
o=acme
    ou=production
        cn=<create user name> (e.g. John Smith)
        cn=<create user name>
    ou=delivery
        cn=<create user name>
        cn=<create user name>
    ou=accounts
        cn=<create user name>
        cn=<create user name>
Note: the instructions in [OID.19] and [OID.26] configure reconciliation
for the production organisational unit. The other OUs can also be used to
test if configured.
In order to reconcile with OIM the OID users must have the following
objectclasses added: top, person, organizationalPerson, inetOrgPerson,
orclUser, and orclUserV2.
J.3.5 Post-reconciliation task for Administrators
[OID.32] Users reconciled from Oracle Internet Directory as a trusted source are given a
password that is the same as their cn attribute in the directory. This is a
potential vulnerability for a secure configuration.
The way to lock down OIM securely after trusted reconciliation is for the
Administrator to manually change the password for every user reconciled to a
different secure value (where secure means a password that is at least 6
characters long, is not a dictionary word, is alphanumeric with at least one
number and one capital letter, and optionally contains one special character
from the following: $, _, #).
These passwords must then be securely communicated to users as required.
The steps to perform a password change are as follows:
[OID.33] On the Windows Administration Client computer, open IE7.
[OID.34] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press
<ENTER>.
[OID.35] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm. The password will be as
specified in step [OIM.4].
[OID.36] Click Users > Manage.
[OID.37] In the first drop down box select Organization.
[OID.38] In the value box, type the name of the organization from which users have been
reconciled, e.g. acme. Click Search User.
[OID.39] For each of the users displayed, where a secure password has not already been
set the following steps should be followed:
[OID.40] Click on the userid in the table of displayed users. The user details are
displayed.
[OID.41] Click on the Change Password button.
[OID.42] Enter a secure value (a password that is at least 6 characters long, is not a
dictionary word, is alphanumeric with at least one number and one capital
letter, and optionally contains one special character from the following: $, _, #)
for the password and confirm it in the following box. It may be wise to compile a
table of user names with their secure passwords for reference as you go. However,
this table must be stored securely until all the users have updated their
passwords.
[OID.43] Click on the Change Password at next logon check box.
[OID.44] Click on the Save Password button.
[OID.45] The User detail screen is displayed. Click on Back to Search Results to
find the next user to change. Repeat steps [OID.40] to [OID.44] for all users
where a password change is necessary.
[OID.46] A procedure must be agreed with end users so that they can securely request/be
provided with their passwords for OIM from the administrator as required.
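The lockdown in [OID.32] to [OID.46] depends on the Administrator choosing, for every reconciled user, a value that meets this guide's definition of secure and differs from the reconciled default (the user's cn). The following Python is an added example, not part of this guide or of OIM, that applies that definition as a check and generates compliant replacement values; the sample dictionary word list is constructed, and reading "optionally one special character" as at most one is an assumption.

```python
import secrets
import string

ALLOWED_SPECIALS = "$_#"
ALLOWED_CHARS = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)
# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "oracle", "summer", "letmein"}


def check_password(password, cn, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rule violations for a proposed password (empty means acceptable).

    Rules are those stated in [OID.32]/[OID.42] of the guide, plus rejection of the
    weak default that trusted reconciliation assigns (password equal to the cn).
    """
    problems = []
    if password == cn:
        problems.append("equals the reconciled default (the user's cn)")
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if any(c not in ALLOWED_CHARS for c in password):
        problems.append("contains a character outside A-Z, a-z, 0-9, $, _, #")
    # Assumption: "optionally one special character" is read as at most one.
    if sum(c in ALLOWED_SPECIALS for c in password) > 1:
        problems.append("contains more than one special character")
    if not any(c.isdigit() for c in password):
        problems.append("has no number")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("has no capital letter")
    # Dictionary check on the letters alone, so that e.g. "Password1" is still caught.
    letters = "".join(c for c in password if c.isalpha()).lower()
    if letters in dictionary:
        problems.append("is a dictionary word")
    return problems


def generate_password(length=10):
    """Draw random values with the secrets module until one passes check_password.

    The empty cn can never equal a non-empty candidate, so only the policy rules apply.
    """
    if length < 6:
        raise ValueError("length must be at least 6 to satisfy the policy")
    alphabet = string.ascii_letters + string.digits + ALLOWED_SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, cn=""):
            return candidate


if __name__ == "__main__":
    # Constructed reconciled users, as created in [OID.31]: their default password is the cn.
    for cn in ("John Smith", "Jane Doe"):
        print(cn, "default password problems:", check_password(cn, cn))
        print(cn, "replacement:", generate_password())
```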
Annex K Guidance for Secure Administration
This section provides guidance for administering the OIM that must be
followed to ensure that OIM remains in the secure state. It is complementary to
the documentation provided in the Oracle guidance documentation for OIM.
K.1 Web Browsing and OIM access
All privileged users should ensure that after performing their tasks, they log off
and close down their browser before browsing to other sites. If access to other
websites is required at the same time as access to OIM administration features,
a different browser should be used (i.e. not Internet Explorer).
K.2 Creating or updating an administrative group within OIM
The administration user creating or updating an administrative group must
ensure that they set read, write and delete permissions for the group that they
create explicitly. The default values should not be relied upon.
K.3 Updating menu items within OIM
Using TOE facilities described in [OIMCG, 8 and 9], the administrator can
customize the menus, by which users access OIM features, by performing
operations such as adding new menu items for groups and renaming existing
menu items.
Administrators must test thoroughly any such customizations that they perform
before making them available to users in a live system. Failure to do this
testing may result in inappropriate access being granted, or features removed
from users where this was not intended.
K.4 Ensuring secure Approval process for OIM Access Policies
When creating access policies, an administrator must ensure that “With
Approval” is selected for a policy where users require management approval
prior to access being permitted (see [OIMAG, 11:CreatingAccessPolicies]). If
the administrator omits to select “With Approval” (the OIM default is
“Without Approval”), then users may get access to resources without the
required authorisation.
Administrators can use the Administrative and User Console to check whether
“With Approval” was selected for a particular policy by viewing the policy as
described in [OIMAG, 11:Managing Access Policies].
K.5 Enabling secure Self-Registration for OIM
Self-registration is configured OFF by default in this guide (see H.6, [OSS.5]).
If self-registration is switched ON (see H.6, [OSS.6] for how), then an approval
task must be defined for the User Registration approval process so that users
have to get approval before being granted OIM user accounts.
Instructions for how to set up a User Registration approval task are
as follows:
[CSR.1] On the Windows Administration Client computer, open IE7.
[CSR.2] In the URL bar, enter https://oim.oim-test.com:4446/xlWebApp/ and press
<ENTER>.
[CSR.3] The OIM Administrative and User Console logon screen is
displayed in the browser. Login as xelsysadm.
[CSR.5] Navigate to User Groups > Create.
[CSR.6] Enter Group Name Managers and click Create.
[CSR.7] Navigate to Users > Manage. Click Search Users.
Select the users to include in the Managers group and add them using the following steps.
This will be the group authorised to approve Users who self-register.
[CSR.8] Click on the User ID of the user to include.
[CSR.9] Use the “you can view additional details about this
user” drop-down and select Group Membership.
[CSR.10] Click Assign.
[CSR.11] Check the Managers group and click Assign Group. The Managers group
is assigned to the selected user and appears in the table showing the group
membership for the user.
[CSR.12] Click User Detail to return up menu structure.
[CSR.13] Click Back to Search Results to view the list of users.
Ensure that this group contains the xelsysadm user using the above instructions. Repeat as
necessary for each user to be added to the Managers group.
[CSR.14] Open the Design Console.
[CSR.15] Navigate to Process Management > Process Definition > Query.
[CSR.16] In the Process Definition Table click on User Registration.
[CSR.17] On the Process Definition Tab, under Tasks double click on Awaiting
Approval Data.
[CSR.18] Click on Required for Completion.
[CSR.19] Click on Assignment tab.
[CSR.20] Click on Add.
[CSR.21] Double Click on Rule column and select Default.
[CSR.22] Double Click on Target Type and select Group.
[CSR.23] Double Click on Group and select Managers.
[CSR.24] Click on the Save button.
[CSR.25] Exit Design Console.
Note: other options are possible for selecting who can authorise users who
self-register. This guide provides a straightforward and flexible option. The steps
above that give you other options are [CSR.22] and [CSR.23]. For example,
the options offered by the Design Console at these steps could be used to
configure the manager with the lightest loading as the approving manager. The
key thing for security is that an approval task is configured, not who exactly
performs the approval, or how it is configured.
The Administrator must ensure that either User Registration is OFF, or a
suitable User Registration approval task is configured as above or similar.
Without the latter, should User Registration be switched ON, users will be able
to obtain user accounts on OIM without authorisation.
When Managers approve a user self-registration, they will need to ensure that the
mandatory field for Organization Name is filled in for the user that they authorise.
Without this the approval will fail with a “missing fields” error. The following steps show
how to complete this:
[CSR.26] Click on Pending Approvals.
[CSR.27] Click on the Request ID to approve, e.g 43.
[CSR.28] Click on Provide User Information.
[CSR.29] Enter the required Organization Name.
[CSR.30] Enter any other information that you wish to specify at this time – e.g.
Manager ID, Start date, provisioning date.
[CSR.31] Click Update. This will authorise the self-registration.
K.6 Configuration for IT Resources
The documents referenced in this section should be used for configuring IT resources, in
particular for specifying the associated security attributes securely and
correctly.
Each IT Resource configured in OIM will have an associated Connector Guide.
While the generic instructions for creating and managing such IT Resources
can be found in [AUCG, 12.7] and [AUCG, 12.8] respectively, to specify the
settings for connection to the IT resource, additional information will be
required from the associated Connector Guide (e.g. Oracle Database, Oracle
Internet Directory or similar). This information specifies how to configure a
connection to the IT resource such that it can be used by OIM to set up users
and provide access to that resource for them.
[DBCG, 2.6] and [OCG, 2.4.2] explain the details required to complete this
(i.e. step 5 of [AUCG,12.7]) for Oracle Database and Internet Directory IT
resources respectively. For other IT resources, see the associated Connector
Guide under creating and managing resources.
For step by step instructions that can be used as examples for Oracle Database
and Oracle Internet Directory see steps [CON.14] to [CON.20] and [CON.36] to
[CON.42] in sections I.1 and I.2 of this guide. The settings will need to be
adjusted for your particular IT resource and desired configuration.
K.7 Configuration for User Provisioning Requests
By default, users created in OIM are part of the ALL USERS group and any
member of this group can request access to resources. On such a request being
submitted, OIM initiates an approval workflow via the manager specified for
them during user creation (see [AUCG, 8.1 and Table 8.1]). Only when
approval has been granted will the user be provisioned to the resource.
The menu item for requesting access to resources can be removed either from
the ALL USERS group (and given to an alternative user group for whom it is
intended), or denied to a specific user group. The denial will override the
permission in the ALL USERS group. Either method will disable the group
from requesting access to resources. Menu items for groups are configured
using the instructions in [AUCG, 10.2.3.2]. For more on configuring groups
generally and the concept of user group management, see [AUCG, 10].
K.8 Directly Provisioning users
The following steps can be used to provision a resource directly to a user as an
administrator without requiring an approval workflow:
[DPU.1] Log on to the Admin and User Console as xelsysadm, or an administrator
with SYSTEM ADMINISTRATOR group membership.
[DPU.2] Click Users > Manage, search for the user or click Search Users and
select the user to directly provision.
[DPU.3] Under “You can view additional details about this user” select Resource
Profile.
[DPU.4] Select Provision New Resource Button.
[DPU.5] Select Resource to Provision and continue.
[DPU.6] Verify, by clicking continue.
[DPU.7] The screen will refresh and “provisioning has been initiated” will be displayed.
[DPU.8] Click Back to User Resource Profile.
[DPU.9] The screen will show the Resource with a status as Provisioned.
K.9 Granting the admin privilege to directly provision users
This can be achieved in two ways. Firstly, by granting SYSTEM
ADMINISTRATOR group privilege to a user. Secondly, by specifying the
granular privileges to a group for this type of task.
To grant SYSTEM ADMINISTRATOR group membership see [AUCG,
10.2.3.3].
For group privileges for direct provisioning specifically, allocate the
appropriate privileges as instructed via [AUCG, 10.2.3.3 and 10.2.3.6] and add
the required “manage users menu item” to the group using [AUCG, 10.2.3.2].
You can create the group using the existing OIM administrative group for users
and resource objects in [AUCG, 10.2.3.6]; this section also gives you the detail
required to set up a group with custom privileges for direct provisioning only.
Annex L References
[ADG] Oracle Identity Manager Audit Report Developer’s Guide, Release 9.1.0.1,
E14045-03, June 2010.
[AUCG] Oracle Identity Manager Admin and User Console Guide, Release 9.1.0.2,
E14765-02, August 2009.
[CC] Common Criteria for Information Technology Security Evaluation
(comprising Parts 1-3: [CC1], [CC2], and [CC3]).
[CC1] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and General Model, CCMB-2005-08-001, Version 2.3, August 2005.
[CC2] Common Criteria for Information Technology Security Evaluation Part 2:
Security Functional Requirements, CCMB-2005-08-002, Version 2.3, August 2005.
[CC3] Common Criteria for Information Technology Security Evaluation Part 3:
Security Assurance Requirements, CCMB-2005-08-003, Version 2.3, August 2005.
[CEM] Common Methodology for Information Technology Security Evaluation Part 2:
Evaluation Methodology, CCMB-2005-08-004, Version 2.3, August 2005.
[DBCG] Oracle Identity Manager, Connector Guide for Database User Management,
Release 9.0.4, E10425, July 2009.
[ECGDB] Evaluated Configuration for Oracle Database 10g Release 2 (10.2.0), Issue
0.6, November 2007, Oracle Corporation.
[ECGOID] Evaluated Configuration for Oracle Internet Directory 10g (10.1.4.0.1), Issue
0.3, March 2008, Oracle Corporation.
[ECGOEL4] CC EAL4+ Evaluated Configuration Guide for Oracle Enterprise Linux 4 U4
and U5, Version 1.3, 23rd August 2007, Oracle Corporation.
[OCG] Oracle Identity Manager, Connector Guide for Oracle Internet Directory,
Release 9.0.4, E10436-04, December 2008.
[ST] Security Target for Oracle Identity Manager 10g (9.1.0.2), Issue 0.9