Tuesday, November 24, 2009

Oracle Access Manager (OAM) and Directory Migration

At times it is necessary to reconfigure one or more of Oracle Access Manager's directory configurations.

This post describes the recommended process and the step-by-step configuration changes required to make Oracle Access Manager (OAM) use a different directory, or a different directory configuration, for user, configuration and policy storage.

This post does not address the migration of data between directories themselves. Rather, it focuses on the configuration changes required in OAM.

Also be aware that schema and directory tree changes can require additional work, such as changes to attribute access control policies and attribute mappings.

Overview

I recommend that, while modifying OAM directory configuration, you turn on directory server logging/debugging at a level sufficient to monitor every LDAP request OAM makes to the directory. The access log is the only place you can confirm which bind DN, host and search bases OAM is actually using after a change.

If directory changes are being made to both the user store and the OAM policy/configuration stores, I recommend that you first re-configure the user store by modifying the directory server profiles, then test and verify that change before moving on to the policy/configuration store.

The process for modifying directory configuration in OAM mostly follows what is outlined in the OAM documentation on the subject. However, I would like to make the following clarifications:

1) Directory profile changes take effect after a restart of the OAM services. Changes to the directory configuration for policy and configuration storage additionally require re-running the setup of the affected components (Identity Server, Policy Manager, and Access Server).

2) When re-configuring the Access Server, execute the start_configureAAAServer command with the 'install' option rather than the 'reconfig' option recommended in the documentation. The reconfig option does not give you the opportunity to change the directory configuration. The appropriate command on UNIX is as follows:
start_configureAAAServer install

Directory Profile Changes To Reflect User Store Changes

Directory profile changes can be made from either the Identity or Access System consoles. Directory profiles appear to be shared across OAM components and so only need to be changed in one place.

From the Identity System Console:
1. From the Identity System Console, click System Configuration.
2. On the System Configuration page, click Directory Profiles. The Configure Profiles page appears. The middle section of the page, under the heading Configure LDAP Directory Server Profiles, contains a list of configured directory server profiles.
3. Click the link for the directory server profile that you want to view. The Modify Directory Server Profile page appears.

From the Access System Console:
1. From the Access System Console, click System Configuration, then click Server settings. The View Server Settings page appears. This page displays the directory settings for configuration and policy storage, a link to modify those settings, and a listing of directory profiles with links to modify the profiles as well.
2. Click the link for the directory server profile that you want to view. The Modify Directory Server Profile page appears.

From the Modify Directory Server Profile page, make the modifications you need, save them, and then restart all OAM services.

At this point I recommend that you do a test login to verify that the change worked and that users are now authenticated against the directory referenced by the modified Directory Profile (the new or modified directory).

Modifying Policy and Configuration Data Directory Configuration
1. First modify the Directory Server Configuration in the Identity System Console.
a. From the Identity System Console, click System Configuration. On the System Configuration page, click Directory Profiles. The Configure Profiles page appears.
b. The top portion of Configure Profiles page shows details for the directory server that contains user data and configuration data. Click the Directory Server link to bring up the modification page.
c. Modify the page as you intend. Note that if you change the security, server, or port setting, you will have to rerun the Identity Server setup (see below).

2. Modify the Directory Server Configuration in the Access System Console.
a. From the Access System Console, click System Configuration, then click Server settings. The View Server Settings page appears.
b. Click the Directory Server link to bring up the modification page.
c. Note that this page is divided into two sections: one configures the store for 'configuration data' and the other configures the store for 'policy data'. Many OAM deployments point both at the same directory, but they can be different.
d. Modify the page as you intend. After making changes you will have to rerun the setup processes for the Policy Manager and Access Server (see below).

Rerun Setup for All Components
Rerun the setup of the Identity Server, Policy Manager, and Access Server, in that order, carefully following the instructions in the documentation (with the one exception noted below):

http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12489/idconfig.htm#BABIGBIG

After completing each component, I recommend that you restart that component and verify, in the directory access log, that on startup it is successfully reading its data from the modified source rather than the old one.
As mentioned above, you need to execute the start_configureAAAServer command with the 'install' option rather than the 'reconfig' option recommended in the documentation. The reconfig option does not give you the opportunity to change the directory configuration. The appropriate command on UNIX is as follows:

start_configureAAAServer install
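To make the verification step concrete (both the access-log monitoring recommended in the Overview and the per-component check above), here is an added example of my own; it is not code from Oracle or from the OAM documentation. It reads a directory server access log and flags OAM traffic that binds as a DN other than the one in the new profile, searches a base outside the new user/configuration/policy stores (for example a base still rooted in the old tree), or gets an LDAP error back. All log lines, hostnames, DNs and expected values are constructed for the example; the line layout is modelled loosely on the Sun/Oracle Directory Server access-log style, so adjust the regular expressions to your own directory's format.

```python
import re

# Constructed sample access-log lines. These are NOT real OAM or directory
# output; connection numbers, hosts and DNs are made up for this example.
# conn=101 behaves correctly, conn=102 fails its bind (err=49, invalid
# credentials), conn=103 binds as the wrong DN and searches the OLD tree.
SAMPLE_LOG = """\
[24/Nov/2009:10:15:32 -0500] conn=101 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.20
[24/Nov/2009:10:15:32 -0500] conn=101 op=0 msgId=1 - BIND dn="cn=oam_admin,ou=service,dc=example,dc=com" method=128 version=3
[24/Nov/2009:10:15:32 -0500] conn=101 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[24/Nov/2009:10:15:33 -0500] conn=101 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="uid cn"
[24/Nov/2009:10:15:33 -0500] conn=101 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[24/Nov/2009:10:15:34 -0500] conn=102 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.20
[24/Nov/2009:10:15:34 -0500] conn=102 op=0 msgId=1 - BIND dn="cn=oam_admin,ou=service,dc=example,dc=com" method=128 version=3
[24/Nov/2009:10:15:34 -0500] conn=102 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[24/Nov/2009:10:15:35 -0500] conn=103 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.20
[24/Nov/2009:10:15:35 -0500] conn=103 op=0 msgId=1 - BIND dn="cn=orcladmin" method=128 version=3
[24/Nov/2009:10:15:35 -0500] conn=103 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[24/Nov/2009:10:15:36 -0500] conn=103 op=1 msgId=2 - SRCH base="o=oblix,dc=old,dc=com" scope=2 filter="(objectclass=*)" attrs="ALL"
[24/Nov/2009:10:15:36 -0500] conn=103 op=1 msgId=2 - RESULT err=32 tag=101 nentries=0 etime=0
"""

# Hypothetical values taken from the NEW directory profile / server settings.
EXPECTED_BIND_DN = "cn=oam_admin,ou=service,dc=example,dc=com"
EXPECTED_BASES = ["ou=people,dc=example,dc=com",   # user store
                  "o=oblix,dc=example,dc=com"]     # configuration + policy store

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) '
                     r'(?:op=(?P<op>\d+) msgId=\d+ - )?(?P<rest>.*)$')
CONN_RE = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def parse_access_log(text):
    """Group BIND and SRCH operations, with their RESULT codes, by connection."""
    conns = {}
    pending = {}  # (conn, op) -> record awaiting its RESULT line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        entry = conns.setdefault(conn, {"src": None, "binds": [], "searches": []})
        cm = CONN_RE.match(rest)
        if cm:
            entry["src"] = cm.group("src")
            continue
        bm = BIND_RE.match(rest)
        if bm:
            rec = {"dn": bm.group("dn"), "err": None}
            entry["binds"].append(rec)
            pending[(conn, op)] = rec
            continue
        sm = SRCH_RE.match(rest)
        if sm:
            rec = {"base": sm.group("base"), "err": None}
            entry["searches"].append(rec)
            pending[(conn, op)] = rec
            continue
        rm = RESULT_RE.match(rest)
        if rm and (conn, op) in pending:
            pending.pop((conn, op))["err"] = int(rm.group("err"))
    return conns


def under_base(dn, bases):
    """True if dn equals, or is subordinate to, one of the expected base DNs."""
    dn_n = dn.lower().replace(", ", ",")
    for b in bases:
        b_n = b.lower().replace(", ", ",")
        if dn_n == b_n or dn_n.endswith("," + b_n):
            return True
    return False


def audit(text, expected_bind_dn, expected_bases):
    """Return human-readable findings for traffic that does not match the new profile."""
    findings = []
    conns = parse_access_log(text)
    for conn in sorted(conns, key=int):
        e = conns[conn]
        for b in e["binds"]:
            if b["dn"].lower() != expected_bind_dn.lower():
                findings.append(f"conn={conn}: BIND as unexpected dn {b['dn']!r}")
            if b["err"] not in (0, None):
                findings.append(f"conn={conn}: BIND as {b['dn']!r} failed err={b['err']}")
        for s in e["searches"]:
            if not under_base(s["base"], expected_bases):
                findings.append(f"conn={conn}: SRCH base {s['base']!r} is outside the expected stores")
            if s["err"] not in (0, None):
                findings.append(f"conn={conn}: SRCH base {s['base']!r} failed err={s['err']}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, EXPECTED_BIND_DN, EXPECTED_BASES):
        print(f)
```

Run it against the access log captured during the restart of each component; a clean run (no findings) for a component means it bound with the new profile's credentials and only touched the new user, configuration and policy bases. A bind failure (err=49) after a profile change usually means the bind DN or password in the profile is wrong for the new directory, and a search against the old base DN means the component is still reading configuration that the setup step did not replace.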
