Monday, September 26, 2016

Configure Security Store for Oracle Identity and Access Management Domain to Database

After configuring the WebLogic Server Administration Domain for Oracle Identity and Access Management components, and before starting the Oracle WebLogic Administration Server, you must run the configureSecurityStore.py script to configure the Database Security Store. The Database Security Store is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).

The configureSecurityStore.py script is located in $IAM_HOME/common/tools (the same directory is referenced as $ORACLE_HOME/common/tools in the environment file below).

Use the -h option for help information about using the script. Note that not all arguments will apply to configuring the Database Security Store.

# . oam.env
export MW_HOME=/u03/oracle/mwoam
export WL_HOME=$MW_HOME/wlserver_10.3
export ORACLE_HOME=$MW_HOME/iam
export DOMAIN_HOME=$MW_HOME/user_projects/domains/IAMDomain
export JAVA_HOME=$MW_HOME/jrockit-jdk1.6.0_45-R28.2.7-4.1.0
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$JAVA_HOME/bin:$PATH:.

# cd $DOMAIN_HOME/bin
# pwd
/u01/orafmw/mwoam/user_projects/domains/IAMDomain/bin

# . setDomainEnv.sh
# cd $MW_HOME/oracle_common/common/bin
# pwd
/u01/orafmw/mwoam/oracle_common/common/bin
# ./wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -h
Each Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) domain must be configured to have a Database Security Store. Before you configure the Database Security Store for an Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) domain, you must identify the products to be configured in a single-domain scenario or in a multiple-domain scenario.

The following configureSecurityStore.py modes (-m) are available for configuring the domain to use the Database Security Store:

• -m join
• -m validate - validates whether the security store has been created or joined correctly:
# $MW_HOME/oracle_common/common/bin/wlst.sh $IAM_HOME/common/tools/configureSecurityStore.py -d /u01/oracle/admin/domains/base_domain -m validate
• -m create - creates the Database Security Store for the domain:
# ./wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -c IAM -p passwordhere -m create

# ./wlst.sh /u01/orafmw/mwoam/iam/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -c IAM -p passwordhere -m create

Running configureSecurityStore.py with the create option produces the lengthy output below:

OUTPUT

Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

Info: Data source is: opss-DBDS
Info: DB JDBC driver: oracle.jdbc.OracleDriver
Info: DB JDBC URL: jdbc:oracle:thin:@ed-olraclin1.samiora.blogspot.com:1521/idmdb.samiora.blogspot.com
Connected:oracle.jdbc.driver.T4CConnection@1e3d6cac
Disconnect:oracle.jdbc.driver.T4CConnection@1e3d6cac
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkServiceSetup - done
Apr 2, 2014 8:14:14 AM oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigurator schemaCompatibleHandler
INFO: Credential store schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  seedSchemaAndCreateDIT - done
Apr 2, 2014 8:14:17 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData
INFO: Migration of Credential Store data in progress.....
Apr 2, 2014 8:14:17 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData
INFO: Migration of Credential Store data completed, Time taken for migration is 00:00:00
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  migrateData - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  testJpsService - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely
Apr 2, 2014 8:14:18 AM oracle.security.jps.internal.config.ldap.LdapKeyStoreServiceConfigurator schemaCompatibleHandler
INFO: Keystore schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  seedSchemaAndCreateDIT - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  migrateData - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  testJpsService - done
Apr 2, 2014 8:14:19 AM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version!
Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2.
Or, you could continue to run in the backward-compatibility mode.
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely
Apr 2, 2014 8:14:19 AM oracle.security.jps.internal.config.ldap.LdapPolicyStoreServiceConfigurator schemaCompatibleHandler
INFO: Policy schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  updateServiceConfiguration - done
Apr 2, 2014 8:14:19 AM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version!
Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2.
Or, you could continue to run in the backward-compatibility mode.
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  seedSchemaAndCreateDIT - done
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Apr 2, 2014 8:14:24 AM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateData
INFO: Migration of Admin Role Members started
Apr 2, 2014 8:14:24 AM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateData
INFO: Migration of Admin Role Members completed in 00:00:00
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  migrateData - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  testJpsService - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSchema - Store schema has been seeded completely
Apr 2, 2014 8:14:25 AM oracle.security.jps.internal.config.ldap.LdapAuditServiceConfigurator schemaCompatibleHandler
INFO: Audit store schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  seedSchemaAndCreateDIT - done
Apr 2, 2014 8:14:25 AM oracle.security.jps.internal.audit.AuditServiceImpl registerInternal
WARNING: Cannot register to audit service for component "JPS".
Apr 2, 2014 8:14:25 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData
INFO: Migration of Audit Store data in progress.....
Apr 2, 2014 8:15:14 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData
INFO: Migration of Audit Store data completed, Time taken for migration is 00:00:49
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  migrateData - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  testJpsService - done
persist to output: /u01/orafmw/mwoam/user_projects/domains/IAMDomain/config/fmwconfig - done
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator]  updateServiceConfiguration - done
Apr 2, 2014 8:15:24 AM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version!
Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2.
Or, you could continue to run in the backward-compatibility mode.
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator]  updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator]  updateServiceConfiguration - done
persist to output: /u01/orafmw/mwoam/user_projects/domains/IAMDomain/config/fmwconfig - done
Apr 2, 2014 8:15:32 AM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version!
Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2.
Or, you could continue to run in the backward-compatibility mode.
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
Apr 2, 2014 8:15:49 AM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version!
Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2.
Or, you could continue to run in the backward-compatibility mode.
Using default context in /u01/orafmw/mwoam/user_projects/domains/IAMDomain/config/fmwconfig/jps-config-migration.xml file for credential store.
Credential store location : jdbc:oracle:thin:@ed-olraclin1.samiora.blogspot.com:1521/idmdb.samiora.blogspot.com
Credential with map Oracle-IAM-Security-Store-Diagnostics key Test-Cred stored successfully!

        Credential for map Oracle-IAM-Security-Store-Diagnostics and key Test-Cred is:
                GenericCredential
Info: diagnostic credential created in the credential store.
Info:  Create operation has completed successfully.


With the Database Security Store configured (the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0)), you can now start the WebLogic Administration Server.
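The steps above wrapped in a small POSIX shell script, as an added example that is not part of the original post or of Oracle's tooling: it builds the wlst.sh command, runs the create step with the password taken from a file instead of a literal on the command line, and scans the captured output for the success line and the PSA schema-upgrade hints seen above. It assumes MW_HOME, ORACLE_HOME and DOMAIN_HOME are exported as in oam.env; the log lines in demo() are constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around the create step
# of configureSecurityStore.py described above, plus a check of its output.
# Assumes MW_HOME, ORACLE_HOME and DOMAIN_HOME are exported as in oam.env.

# Print the wlst.sh command for a mode (create or validate) with the
# password elided, so the command itself can be echoed or logged safely.
build_cmd() {
    mode="$1"
    printf '%s %s -d %s -m %s' \
        "$MW_HOME/oracle_common/common/bin/wlst.sh" \
        "$ORACLE_HOME/common/tools/configureSecurityStore.py" \
        "$DOMAIN_HOME" "$mode"
    [ "$mode" = "validate" ] || printf ' -c IAM -p <password>'
    printf '\n'
}

# Run the create step with the password read from a 0600 file rather than a
# literal in the command (keeps it out of shell history; note it is still
# visible in the process table while wlst runs). All output goes to "$log".
run_create() {
    pwfile="$1"; log="$2"
    [ -r "$pwfile" ] || { echo "password file $pwfile not readable" >&2; return 2; }
    "$MW_HOME/oracle_common/common/bin/wlst.sh" \
        "$ORACLE_HOME/common/tools/configureSecurityStore.py" \
        -d "$DOMAIN_HOME" -c IAM -p "$(cat "$pwfile")" -m create >"$log" 2>&1
}

# Scan the captured log for the markers seen in the post's output. Returns 0
# only if the success line is present; prints how many PSA schema-upgrade
# hints and WARNING lines appeared so they are not lost in the long output.
check_output() {
    log="$1"
    psa=$(grep -c 'Please run the PSA' "$log" || true)
    warn=$(grep -c '^WARNING:' "$log" || true)
    echo "psa_hints=$psa warnings=$warn"
    grep -q 'Create operation has completed successfully' "$log"
}

# Offline demo on a constructed log made of lines copied from the post's output.
demo() {
    log="${TMPDIR:-/tmp}/css_demo_$$.log"
    printf '%s\n' 'Info: Data source is: opss-DBDS' \
        'Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2.' \
        'WARNING: Cannot register to audit service for component "JPS".' \
        'Info:  Create operation has completed successfully.' >"$log"
    check_output "$log"; rc=$?
    rm -f "$log"
    return $rc
}
```

A non-zero return from check_output after a real run means the success line never appeared and the Administration Server should not be started yet; a non-zero psa_hints count is the cue to run the Patch Set Assistant the output asks for.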

For any queries please email me on samiappsdba@gmail.com.