Showing posts with label OIM & OID.

Sunday, July 1, 2018

OUD Interview Questions & Answers




Q: What are the architectural differences between Oracle Unified Directory and Oracle Internet Directory?

Oracle Internet Directory keeps identity and policy-store data in an Oracle Database back end; the ODS schema must be created (with RCU) before OID can use it. Oracle Unified Directory instead keeps its data in an embedded Berkeley DB Java Edition back end, a pure-Java database that needs no external RDBMS. OID scales vertically with the database and supports Exadata for large deployments, whereas OUD scales horizontally: you add instances and can optionally partition (distribute) the data across them.

Q: Can you integrate Oracle Unified Directory with third party directories such as Active Directory?
Yes. Oracle Unified Directory can be synchronised with third-party directories such as Active Directory through the Directory Integration Platform (DIP); note that DIP is a platform, not a protocol.

Q: Can you configure replication between Oracle Unified Directory and Oracle Internet Directory?
No. As of release 11.1.2.3.0, replication can be configured only between Oracle Unified Directory instances; the one bridge to another product is the OUD replication gateway, which replicates with Oracle Directory Server Enterprise Edition during a migration. Oracle Internet Directory cannot take part in OUD replication; to keep OID and OUD in step you use DIP synchronisation or a one-off LDIF export and import.

Q: Along with the directory server capabilities, what are the other functions that Oracle Unified Directory can perform?

Oracle Unified Directory is a next generation LDAP v3 compliant all-in-one solution for all directory requirements such as storage, proxy, virtualisation and synchronisation.

Q: Is it possible to configure LDAP Sync in OIM to synchronize users and groups in Oracle Unified Directory?

Yes. LDAP Sync can be configured between Oracle Identity Manager and Oracle Unified Directory so that users and roles are synchronised in both directions.

Q: What are the things to be considered when migrating data from Oracle Internet Directory to Oracle Unified Directory?

If Oracle Internet Directory is used as a plain enterprise directory, the user and group entries can be exported from OID and imported into Oracle Unified Directory with a straightforward LDIF export and import. Data from OID instances that hold application-specific data, such as E-Business Suite (EBS) or Oracle Single Sign-On (OSSO) metadata, cannot be migrated to OUD, because those applications depend on OID itself.

Q: Can OUD be used to store application policy data that can be used by Oracle Entitlements Server?

Yes. Oracle Unified Directory can be used as an identity store as well as policy store.

Q: What is the web based LDAP Browser supported by Oracle?

Oracle Unified Directory ships with the optional Oracle Directory Services Manager (ODSM). ODSM is the Oracle-recommended LDAP browser for Oracle Unified Directory. Besides user and group management, it lets you modify the schema, manage root users, configure logging and manage password policies.

Q: Can you use the same Oracle Directory Services Manager (ODSM) instance to manage Oracle Internet Directory and Oracle Unified Directory?

No. Oracle provides separate Oracle Directory Services Managers to manage Oracle Unified Directory and Oracle Internet Directory.

Q: Explain how does Oracle Unified Directory support horizontal scalability?

For large deployments, Oracle Unified Directory lets you add instances and optionally distribute the data across them. With its proxy, synchronisation and virtualisation capabilities, Oracle Unified Directory offers several deployment options from which you choose the architecture best suited to your deployment.

Q: What are the various ways in which you can monitor Oracle Unified Directory?

Oracle Unified Directory's optional Oracle Directory Services Manager shows basic performance attributes such as operations completed per second and latency. The same counters are exposed over LDAP under the cn=monitor base DN, which any ldapsearch client or monitoring tool can poll. For detailed monitoring, use Oracle Enterprise Manager Cloud Control with the Oracle Unified Directory agent.

Q: Where does Oracle Unified Directory store all the data?
Oracle Unified Directory stores its data in an embedded Berkeley DB Java Edition (JE) back end, a pure-Java transactional database, so no external database is required. JE lets OUD manage more data on disk and in memory for a given hardware configuration, and OUD performance depends on its indexes, the database cache and the file system underneath it.

Q: Oracle WebLogic Server does not provide a straight-forward authentication provider to configure Oracle Unified Directory as an identity store. Which authentication provider can you use instead?

To configure Oracle Unified Directory as an identity store in WebLogic Server, select IPlanetAuthenticator (the provider for the Sun/iPlanet directory family, from which OUD descends) from the list of authentication providers and point it at the OUD LDAP port.

Q: By default, Oracle Unified Directory is configured to use at least two ports. What are these default port numbers and why do you need them?

By default an Oracle Unified Directory instance listens on two ports: 4444 for the administration connector and 1389 for the LDAP connection handler (1636 is the default for LDAPS when it is enabled). The administration connector is always TLS-protected and carries dsconfig, dsreplication and other management traffic, so keeping it on its own port lets you firewall administration access separately from client LDAP traffic.

Q: What is a root user in Oracle Unified Directory? What is the default root user? Can you create your own root users?

Root users are special users that bypass access control instructions and most other restrictions, much like the root user on Unix. They are intended for administration and management tasks only. Oracle Unified Directory ships with one default root user, cn=Directory Manager, and you can create additional root users as needed. Because a root user is not subject to ACIs, keep the number of root users small and give applications ordinary, ACI-governed accounts instead.

Q: What are virtual attributes in Oracle Unified Directory? Give an example of a virtual attribute.

Virtual attributes do not persist any values in the database; their values are generated dynamically at run time by a virtual attribute provider, which contains the logic used to compute the value. The following virtual attributes are supported by Oracle Unified Directory:
 entryDN
 entryUUID
 hasSubordinates
 isMemberOf
 member
 numSubordinates
 subschemaSubentry
 User-defined

Q: How can you identify if Oracle Unified Directory server instance is not performing up to the required standards?

Oracle Unified Directory records every operation in its access log (under the instance's OUD/logs directory) together with an etime value, the elapsed time in milliseconds the server took to process the request. Rising etime values show that the server is taking longer to process incoming requests; sorting the access log by etime quickly identifies the slow operations, which are typically unindexed searches or searches returning very large result sets.
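The etime check above, turned into code. This is an added example, not part of the original post or an Oracle tool: it parses access-log result lines in the OUD (OpenDS-style) format, reports per-operation counts and 95th-percentile etime, and lists every operation at or above a threshold. The log lines are constructed for the example, and the 500 ms threshold is an arbitrary assumption.

```python
import math
import re
from collections import defaultdict

# Constructed sample in the OUD access-log format (not captured from a real server).
# Only "<OP> RES" lines carry etime; CONNECT/DISCONNECT lines are skipped.
SAMPLE_ACCESS_LOG = """\
[01/Jul/2018:10:15:22 +0000] CONNECT conn=12 from=10.0.0.5:51234 to=10.0.0.10:1389 protocol=LDAP
[01/Jul/2018:10:15:22 +0000] BIND RES conn=12 op=0 msgID=1 result=0 authDN="uid=app,ou=People,dc=example,dc=com" etime=2
[01/Jul/2018:10:15:23 +0000] SEARCH RES conn=12 op=1 msgID=2 result=0 nentries=1 etime=3
[01/Jul/2018:10:15:24 +0000] SEARCH RES conn=12 op=2 msgID=3 result=0 nentries=5000 etime=4210
[01/Jul/2018:10:15:25 +0000] MODIFY RES conn=12 op=3 msgID=4 result=0 etime=15
[01/Jul/2018:10:15:26 +0000] SEARCH RES conn=13 op=1 msgID=2 result=4 nentries=1000 etime=980
[01/Jul/2018:10:15:27 +0000] DISCONNECT conn=12 reason="Client Disconnect"
"""

RES_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+) RES conn=(?P<conn>\d+) op=(?P<opnum>\d+)"
    r".*? result=(?P<result>\d+)(?: nentries=(?P<nentries>\d+))?.*? etime=(?P<etime>\d+)"
)


def parse_results(text):
    """Yield one dict per '<OP> RES' line (conn, op number, result code, nentries, etime)."""
    for line in text.splitlines():
        m = RES_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("conn", "opnum", "result", "etime"):
            rec[key] = int(rec[key])
        rec["nentries"] = int(rec["nentries"]) if rec["nentries"] is not None else None
        yield rec


def percentile(values, p):
    """Nearest-rank percentile (0 < p <= 100) of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def etime_report(text, slow_ms=500):
    """Summarise etime per operation type and list operations at or above slow_ms.

    Returns (summary, slow): summary maps op type -> {count, max, p95};
    slow is the list of parsed records sorted slowest first.
    """
    by_type = defaultdict(list)
    slow = []
    for rec in parse_results(text):
        by_type[rec["op"]].append(rec["etime"])
        if rec["etime"] >= slow_ms:
            slow.append(rec)
    summary = {
        op: {"count": len(v), "max": max(v), "p95": percentile(v, 95)}
        for op, v in by_type.items()
    }
    slow.sort(key=lambda r: r["etime"], reverse=True)
    return summary, slow


if __name__ == "__main__":
    summary, slow = etime_report(SAMPLE_ACCESS_LOG)
    for op, stats in sorted(summary.items()):
        print("%-7s count=%-3d max=%-5d p95=%d" % (op, stats["count"], stats["max"], stats["p95"]))
    for rec in slow:
        print("SLOW conn=%d op=%d %s result=%d nentries=%s etime=%d ms"
              % (rec["conn"], rec["opnum"], rec["op"], rec["result"], rec["nentries"], rec["etime"]))
```

Pointing the script at a real access log (read the file instead of SAMPLE_ACCESS_LOG) gives the same report; the slow list is where to look for the base DN and filter of the expensive searches, which the REQ line with the same conn and op numbers records.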

Q: Can you restrict a directory user to view only a set of attributes and not all?

Yes. Access control instructions (ACIs, stored in the aci attribute) can restrict which attributes a bound user may read, so a search returns only the permitted subset of attributes.

Q : Does Oracle Unified Directory support Operational Attributes? If yes, how can you retrieve them?

Yes. Oracle Unified Directory supports operational attributes (entryUUID, createTimestamp, modifyTimestamp, pwdChangedTime and so on). Per RFC 3673 they are not returned by default; request the special attribute "+" in the attribute list of the ldapsearch (alongside "*" if the user attributes are also wanted) to retrieve all of them for the matching entries, or name the individual operational attributes you need.

Q: Can we detect conflicts in the Oracle unified directory? If yes, then How?

Yes. Replication conflicts are flagged on the affected entries with the ds-sync-conflict operational attribute, so searching for entries that carry it lists every unresolved conflict:
ldapsearch -h host -p <port> -D "cn=Directory Manager" -w <Directory Manager password> --useSSL --trustAll -b "dc=example,dc=com" "(ds-sync-conflict=*)" ds-sync-conflict
(--trustAll skips server-certificate validation and is acceptable only for a quick check; otherwise use --trustStorePath with the instance's truststore.)

Q : How to check the replication status between different Oracle unified Directory servers?

To check replication status, run dsreplication status; the command prompts for the host name, administration port and the global administrator (admin UID) password, or you can pass them with -h, -p, -I and -w. The output lists one row per server with these columns:
Server: the servers in the topology and the port on which each listens for connections.
Entries: the number of entries on each server for the specified base DN. If this number differs between servers, the replication topology is not synchronised.
M.C. (missing changes): the number of updates already pushed by the other servers in the topology but not yet replayed on this server. A high number points at latency on that server.
A.O.M.C. (age of oldest missing change): the approximate date of the oldest update pushed by the other servers but not yet processed on this server.
Port: the port of the replication server (if any) configured in this instance; the directory servers in the topology normally connect to it.
Status: one of Normal, Late, Full Update, Bad Data Set, Not Connected, Unknown or Invalid; anything other than Normal needs investigation.
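The checks described for each column, as an added example that is not from the original post or from Oracle: the script parses a dsreplication status table and flags differing entry counts, a high missing-change count and any status other than Normal. The status text is constructed to match the column list above; a real run also prints footnotes for the bracketed markers and may include additional columns, which the parser tolerates because it keys cells by the header names it finds. The max_missing threshold of 10 is an assumption.

```python
import re

# Constructed dsreplication status output shaped after the column list above
# (not captured from a real topology).
SAMPLE_STATUS = """\
dc=example,dc=com - Replication Enabled
=======================================

Server                 : Entries : M.C. [1] : A.O.M.C. [2]         : Port [3] : Status [4]
-----------------------:---------:----------:----------------------:----------:-----------
oud1.example.com:4444  : 10532   : 0        : N/A                  : 8989     : Normal
oud2.example.com:4444  : 10532   : 0        : N/A                  : 8989     : Normal
oud3.example.com:4444  : 10498   : 34       : 2018-07-01T09:55:03Z : 8989     : Late

[1] The number of changes that are still missing on this server.
"""

CELL_SEP = re.compile(r"\s+:\s+")   # host:port and timestamps hold ':' without surrounding spaces
FOOTNOTE = re.compile(r"\s*\[\d+\]$")


def parse_status(text):
    """Return one dict per server row, keyed by the column names with footnote markers removed."""
    header = None
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if header is None:
            if line.startswith("Server"):
                header = [FOOTNOTE.sub("", c.strip()) for c in CELL_SEP.split(line)]
            continue
        if not line.strip():
            break                                   # blank line ends the table
        if set(line) <= set("-: "):
            continue                                # separator row under the header
        cells = [c.strip() for c in CELL_SEP.split(line)]
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def check_topology(rows, max_missing=10):
    """Apply the per-column checks from the description above; returns a list of findings."""
    findings = []
    entries = {r["Server"]: int(r["Entries"]) for r in rows}
    if len(set(entries.values())) > 1:
        findings.append("entry counts differ across servers: %s" % entries)
    for r in rows:
        if r["M.C."].isdigit() and int(r["M.C."]) > max_missing:
            findings.append("%s has %s changes not yet replayed (oldest %s)"
                            % (r["Server"], r["M.C."], r["A.O.M.C."]))
        if r["Status"] != "Normal":
            findings.append("%s status is %s" % (r["Server"], r["Status"]))
    return findings


if __name__ == "__main__":
    for finding in check_topology(parse_status(SAMPLE_STATUS)):
        print("WARNING:", finding)
```

Feeding the script the captured output of dsreplication status (for example from a cron job) turns the manual reading of the table into an alert when any server falls out of sync.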

Oracle IDM Questions & Answers




Q: What is an Identity?

An identity is the virtual representation of an enterprise resource user including employees, customers, partners and vendors. Identity Management shows the rights and relationships the user has when interacting with a company’s network.

Q: What are the benefits of Identity Management?

Centralized auditing and reporting – Know who did what and report on system usage.
Reduce IT operating costs – Immediate return on investment is realized by eliminating the use of paper forms, phone calls and wait time for new account generation and enabling user self service and password management.
Minimize Security Risk – Control access to the network and instantaneously update accounts in a complex enterprise environment including: layoffs, acquisitions, partner changes, temporary and contract workers.
Improved quality of IT services
Legal compliance – Many government mandates require secure control of access.

Q: How does Identity Management (IDM) work?

The process involves creating user accounts that are able to be modified, disabled or deleted. Delegated workflows, rules and policies are applied to the users account. A user profile will tell the company: who they are, what they are entitled to do, when they are allowed to perform specific functions, where they are allowed to perform functions from and why they have been granted permissions.

Q: How are Identity Management Solutions Implemented?

Step 1: Inventory and assess current investments and processes. Clean and consolidate identity data stores. Create virtual identities for enterprise users.
Step 2: Design and deploy identity infrastructure components. Create identity provisioning and deploy password management, user self-service, and regulatory compliance.
Step 3: Deliver applications and services. Access management deployed to a clean environment. Leverage federated identity for improving supply chain and employee efficiencies.

Q: Explain the Architecture of Oracle identity Manager?

The Oracle Identity Manager architecture consists of three tiers
Tier 1: Client. The Oracle Identity Manager GUI components reside in this tier. Users log in through the Oracle Identity Manager client, which passes the user's login credentials to the Oracle Identity Manager server.
Tier 2: Application Server. The second tier implements the business logic in Java Data Objects managed by a supported J2EE application server (JBoss, BEA WebLogic or IBM WebSphere in OIM 9.x/10g). The Java Data Objects are not exposed directly to callers; the business functionality is reached through the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.
Tier 3: Database. The third tier is the database, which stores all Oracle Identity Manager data.

Q: What is purpose of Reconciliation Manager?

Reconciliation Manager (the reconciliation Event Management UI in 11g) is where you inspect reconciliation data after a run: it lists the events received from the target and shows whether each event was linked to an existing user or account, created a new one, or remains unlinked and needs manual action.

Q: What is Application Server and Web server?

A web server handles HTTP requests only: it serves pages and runs servlets and JSPs in a single web container. An application server additionally hosts business logic and can serve it over several protocols (HTTP, RMI, raw TCP/IP and so on). Where a script in a web page would itself fetch data from the database, an application server lets the page call the server's lookup service, which retrieves the data and applies the business logic; in that sense the web server is a subset of the application server.
The basic difference between a web server and an application server is:
A web server executes only web applications (servlets and JSPs) and has a single container, the web container, which interprets and executes them.
An application server executes enterprise applications (servlets, JSPs and EJBs) and has two containers:
1. Web container (for servlets and JSPs)
2. EJB container (for EJBs); it also provides services such as load balancing and transaction demarcation.

Q: What is the purpose of rule designer?

Use this form to create rules that can be applied to password policy selection, automatic group membership, provisioning process selection, task assignment, and prepopulating adapters.

Q: What is Adapter? What Adapters available in OIM?

An adapter is a Java class generated by an Oracle Identity Manager user through the Adapter Factory. The adapter types are:
Process Task adapter - automates completion of a process task and is attached to a process definition (AD user, OID user, and so on).
Entity adapter - automatically populates a field on the OIM User form or a custom user form on pre-update, pre-delete, pre-insert, post-insert, post-update or post-delete.
Pre-Populate adapter - a specific type of rule generator attached to a user-created form field; it generates data for the form but does not save it to the OIM database, passing it instead to the target system's user object. The data can come from manual entry on a form or from the OIM-defined forms.
Rule Generator - populates fields automatically on an OIM form or a user-created form and saves them to the OIM database according to business rules.
Task Assignment adapter - automates the assignment of a process task to a user or group.

Q: What is the difference between OIM 11g and 10g from the high level architecture perspective?

At high level below are the brief differences
a) The 10g request management has been replaced by SOA composites, with a customised schema accommodating BPEL and Human Tasks.
b) The reconciliation engine has been rewritten in 11g, with a cache mechanism, to improve performance.
c) OES libraries are used as the authorization engine, whereas 10g had its own object- and view-based authorization.
d) A plug-in services platform is introduced in 11g for easier customisation; it maps roughly to entity adapter functionality in 10g.
e) Groups in 10g are now called roles in 11g, with modifications that make them resemble LDAP roles.
Further differences (notifications, schedulers, and so on) can be discussed if time permits.

Q: What are the steps to integrate Active Directory with Oracle Identity Manager?

1. Install the Active Directory connector:
   a. Place the extracted connector package under OIM_HOME/server/ConnectorDefaultDirectory
   b. Install the connector from the System Administration console
2. Install and configure the Connector Server on the AD host or another host in the same domain:
   a. Copy the extracted Connector Server installable to the AD host
   b. Install the Connector Server from the .msi file
   c. Set the handshake key with $CONN_SERVER_HOME/ConnectorServer.exe /setkey
   d. Stop the Connector Server service
   e. Copy the extracted connector package from step 1a into $CONN_SERVER_HOME/
   f. Update the port in $CONN_SERVER_HOME/ConnectorServer.exe.Config
   g. Enable logging if needed
   h. Start the service
3. Configure the IT resource for the AD connector
4. Configure the IT resource for the AD connector server, entering the key (from 2c) and port (from 2f)
5. Run the OU and Group lookup reconciliation jobs
6. Create the Active Directory application instance in a sandbox
7. Run the Entitlement List job (lookup tables to entitlement table) and the Catalog Synchronization job
8. Test by provisioning a user

Q: What are the possible ways to integrate Approval Workflow for various operations?

In OIM 11g R2 PS3, OIM can run with or without approval workflows; this is controlled by the system property "Workflows Enabled", and the default is with approval workflows.
Approval workflow rules can be configured for a list of operations on core identity objects, such as Create User, Modify User, Disable or Enable User, Modify Role and Provision Account.
These admin- or system-defined rules decide which SOA composite is invoked for each of the predefined entity operations. An administrator can configure a rule with the workflow set to "NO_WORKFLOW" if the request is to be granted directly without approval.
We can leverage a list of SOA composites that are already available with the fresh deployment.
Lifecycle of an operation level request (e.g. – Assign one Role for a single beneficiary)
1. Once the request is submitted/generated the request moves to
“Request Created” stage
2. When the approval workflow is invoked based on the WF rule ,the operation level request moves to “Request Waiting for Approval” stage
3. Approval completion will move the request status to “Request Approved” and Step-4 will follow, if request is rejected by the approver configured, then the request moves to “Request Rejected” state and request ends with no Step - 4
4. Then the requested operation is initiated
In the case of Bulk request that is request containing more than 1 entity, the request will first go for a request level approval (if configured) followed by individual operation level approval as described above.
Prior to this release, Approval policies were used for defining approval process for an operation. But this has now been deprecated.
If OIM has been upgraded from older versions that use Approval policies, it will continue to work.

Q: How Escalation and Reminders notification work in Oracle Identity Manager 11g ?

To enable identity governance functionality it is necessary to have approval process defined for various identity related operations. OIM leverages SOA features along with BPEL(Business Process Execution Language) for accomplishing the business process. Since manual (Approver/IT provisioner) intervention is required for the workflow completion, the business process must have the ability to assign task/request to users or groups, escalate, remind on timely basis, reassign etc. The BPEL process invokes a Human Task whenever a manual intervention is needed in the business process. The Human task contains the logic to escalate, notify, expire the approval task to users/groups. The Human task can send notifications to the configured assignee in the task.

Q: How will you add additional fields on Self Register Form (OIM 10g and OIM 11g) ?

Steps –
1. Login to admin console
2. Create and activate a sandbox
3. Browse to System Entities User
4. Add attribute
5. Export and Publish Sandbox
6. Logout
7. Login to identity console as admin
8. Create a Sandbox
9. Click on Self Service home
10. Click ‘Customize’ option
11. Web Composer opens in customisation mode; choose 'Structure'
12. Select structure close to My Access
13. Select the last gridRow and edit it and enable Show Component
14. List of all unauthenticated pages appear
15. Choose the screen to which we need to add this additional attribute
16. Open Data component – User Registration ->UserVO1
17. Search for the new attribute and add it in the form you wish to display
18. Export and Publish Sandbox

Q: How Approval Policies are different from Access Policies ?

Approval Policies are defined for ensuring the business process for identity governance is in place. Approval policy is a configurable entity of the request management, it maps the request type with a corresponding approval process/workflows. The approval policy can be defined at request level or operational level. Please note that this is been replaced by Approval Workflows in OIM 11g R2 PS3. Access Policies are rules that are assigned to roles, that determine which target system should the user be provisioned/de-provisioned to. It is an effective way to automate provisioning process.

Q: What is the significance of "Create Reconciliation Profile" Button in Oracle Identity Manager 11g ?

Clicking "Create Reconciliation Profile" regenerates the reconciliation profile for the resource object in MDS, so that changes made to the object's reconciliation fields and rules take effect.

Q: What are Object Reconciliation Rule ?

Reconciliation rules are configurable linking rules defined in OIM for each target system; they are specific to the resource object. They are invoked during trusted and target reconciliation when OIM must determine which user or organisation record an incoming event belongs to; once a match is found, the changes carried by the reconciliation event are applied in OIM.

Q: Explain the Architecture of OIM ?

OIM is a J2EE web app deployed on Oracle WebLogic Server.Has 4 Tiers
User Interface Tier – three consoles (two browser-based and one Java thick client for development)
Application Tier – Consists of Identity Self Service and Admin web applications, SPML XSD and REST WS and Java classes that provide the core functionality like identity administration, authorization, provisioning and reconciliation etc
Database Tier – repository that stores identities, requests and other metadata such as access policies
Connector Tier – Consists of applications and target systems to which you provision/de-provision user accounts, it also includes connector server etc.

Q: How will be remove Validation for duplicate email address ?

The system property OIM.EmailUniqueCheck, available in OIM 11g R2, disables the uniqueness check when set to FALSE.

Q: Difference between OIM 11g R1 and OIM 11g R2 ?

OIM 11g R2 PS3 has the below features that were not present in R1
1. New Look and feel for Identity console
2. Access Request catalog
3. Approval policies replaced by Approval workflow policies
4. Service capabilities
5. Admin roles for authorization control along with fine grained authz
6. Chained entity LCM introduced
7. Sunrise and Sunset scenarios for provisioned entities
8. Access Policy harvesting introduced
9. Home Organization Policy introduced
10. Lightweight auditing introduced
11. Enhanced self service password capabilities
12. System Property introduced to Enabled/Disable WF
13. Self
14. REST APIs replaces the old SPML interfaces

Q: Difference between OIM 10g and OIM 11g R2 ?

1. SOA replaced the 10g request management
2. Notification providers added like SOA UMS notification
3. ICF based connectors incorporated that helps in easier/flexible development for custom and decoupling for predefined OOTB connectors
4. Plugin services platform is introduced in 11g to have easy customization in place which can be somewhat mapped to entity adapter functionality in 10g.
5. Including the differences b/w 11gR1 & R2 mentioned in earlier question

Q: What is Request Catalog?

It provides a simple, easy to use, web based user interface that allows non-technical business/enterprise users to request access to entities like application instance, entitlements or account permissions, roles. These entities will be configured to be visible (based on business needs) by Catalog administrators (similar to sys admin and sys configurator role).The catalog approach of requesting entities is very similar to the “Shopping cart” experience that all users are well familiar with and hence extremely friendly even for a non technical end user.

Q: What is Request Profile?
Admin can create profiles using the access request catalog, this will enable to group or cluster all relevant entities that are required for a specific (commonly used) task. The end user can directly request for this grouped entities using the request profile and this will save time and avoid confusions.
The submitted request will then go in for a request level approval followed by individual child/operation approvals.

Q: Difference between Application Instance and Resource Object?

Application Instance is a provision-able entity and a new abstraction used in 11g Release 2 (11.1.2.3.0). It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism).App Instance will be published or made visible to organizations. They can be requested from the request catalog. Resource object is the virtual representation of the Target system containing all the attributes it holds for an account.

Q: What are Admin Roles?

The security model in OIM works on the basis of admin role assignment to users. The authorization engine in OIM allows granular delegated administration by letting administrators define admin roles and associate them with specific functional capabilities. Custom admin roles can be configured with attribute-level permissions and can control attribute-level visibility. Admin roles are first-class entities and are not the same as enterprise roles.

Q: What are Archival utilities?

The application capabilities in OIM generate huge amount of data and they are managed by either purging or/and archival solutions provided by the product. The utility controls the growth of audit data by purging the data in a logical and consistent manner. Archival solutions are provided by OIM for its entities like Reconciliation, Provisioning tasks, Request, Orchestration, Lightweight audit, Legacy audit.

Q: How do you hide Admin Links for End users from Identity console?

Authorizations in OIM is controlled by Admin roles. Only when end Users are added to the admin roles for which privileges for administration are defined, will the end user get any Admin links.

Sunday, May 20, 2018

Basics of IDAM



Oracle Identity and Access Management (IDAM) components are Java applications deployed on WebLogic Server with database as repository. Consider the following components when starting and stopping an Oracle Identity and Access management server:

-One and only one Admin server
-One or more SOA Suite Managed servers
-One or more OIM Managed servers
-One or more OAM Managed servers
-Database server used as repository for Oracle Identity and Access Management
-Node Manager per machine (optional component)
-External LDAP server as User store (optional component)

Note
Oracle Access Manager's default identity store is the embedded LDAP server shipped with WebLogic Server. It is recommended to point Oracle Access Manager's identity store at an external LDAP server, such as Oracle Internet Directory or Microsoft Active Directory.

Top-level directories and HOMES used in Identity and Access Management:

Middleware Home: MW_HOME
WebLogic Home: WL_HOME
Coherence Home: COHERENCE_HOME
Oracle Home for IDAM: IDAM ORACLE_HOME
Oracle Home for common: COMMON ORACLE_HOME
Oracle Home for SOA: SOA ORACLE_HOME
Domain Home: DOMAIN_HOME

Why is SOA required in IDAM?
SOA Suite is required only if you are using Oracle Identity Manager: OIM uses Oracle SOA Suite (BPEL processes and Human Tasks) to run the approval workflows attached to OIM requests.


Why does EBS require OID with OAM?
Oracle Access Manager itself doesn't require Oracle Internet Directory.  However, Oracle Internet Directory is a mandatory requirement when Oracle Access Manager is integrated with the E-Business Suite.
Why?  The short answer is that the E-Business Suite has hardcoded dependencies on Oracle Internet Directory for this configuration. These dependencies mean that you cannot replace Oracle Internet Directory with any third-party LDAP directory for this particular configuration.


Weblogic

WebLogic Server is a J2EE application server on which both Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) are deployed.

-WebLogic Server Domain: WebLogic server domain is logical grouping of resources and services. It contains Admin Server, Managed server, JDBC data Sources, Java Messaging Server, and coherence.

-WebLogic Administration (Admin) Server: Administration server is a WebLogic server that maintains configuration data for a domain. There is always one and only one administration server in a Weblogic domain.

-WebLogic Managed Server: Any WebLogic server other than the Admin server is called a Managed server. When you configure both OAM and OIM in same domain, domain creation creates three Managed servers one for OAM (oam_server1); the second for OIM (oim_server1); and the third for SOA (soa_server1).

Note:

These are the default names used by the domain configuration.

-7001 is WebLogic's default Admin Server port and is what the configuration wizard proposes. If 7001 is already in use by another process during domain configuration, the next available port (7002) is proposed instead; confirm the actual value in config.xml rather than assuming 7001.

-If you are not sure about the port used by Weblogic server's (Admin and Managed servers) (OAM, OIM and SOA), you can verify it from the configuration file $DOMAIN_HOME/config/config.xml.

-It is recommended that you create the file boot.properties under $DOMAIN_HOME/servers/<server_name>/security/ so that you do not have to type the username and password at every start. The file contains two lines:

username=<weblogic_user_name>
password=<weblogic_user_password>

-WebLogic Server encrypts the values in boot.properties on the next start-up. Until then the credentials are in clear text, so create the file with owner-only permissions (chmod 600) and never commit it to version control. The encrypted form is tied to the domain's SerializedSystemIni.dat, so copying the file to another domain does not work.

-WebLogic configuration is stored in the XML file $DOMAIN_HOME/config/config.xml and contains information such as Admin/Managed server hostname, port, and name of managed server. Check this file to find the information required to start/stop IDAM components.

-Boot identity file (boot.properties) is a text file that contains user credentials for starting and stopping an instance of WebLogic server. For more information on Boot Identity File: http://download.oracle.com/docs/cd/E12839_01/web.1111/e13708/overview.htm#START128.
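Reading the ports out of config.xml and preparing boot.properties, as an added example that is not part of the original post or of WebLogic: server_ports parses a constructed, trimmed config.xml (the ports 7001, 14100, 8001 and 14000 are the IAM 11g defaults; the domain name and host name are made up), start_order reproduces the Admin, OAM, SOA, OIM sequence used on this page, and write_boot_properties creates the boot identity file with mode 0600 so the clear-text credentials are never world-readable before WebLogic encrypts them on the next start. Stopping is the reverse of the start list (OIM before SOA, since OIM depends on SOA). Only the Python standard library is used.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

WLS_NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
DEFAULT_LISTEN_PORT = 7001   # used when a <server> has no <listen-port>
DEFAULT_SSL_PORT = 7002

# Constructed, trimmed config.xml for an OAM+OIM domain (real files carry many more
# elements). Ports are the IAM 11g defaults; host name and domain name are made up.
SAMPLE_CONFIG_XML = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IAMDomain</name>
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
    <listen-address>idm.example.com</listen-address>
  </server>
  <server><name>oim_server1</name><listen-port>14000</listen-port></server>
  <server><name>soa_server1</name><listen-port>8001</listen-port></server>
  <server><name>oam_server1</name><listen-port>14100</listen-port></server>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
"""


def server_ports(xml_text):
    """Map server name -> {address, port, ssl_port, admin} from a WebLogic config.xml."""
    root = ET.fromstring(xml_text)
    admin_name = root.findtext("d:admin-server-name", default="AdminServer", namespaces=WLS_NS)
    servers = {}
    for srv in root.findall("d:server", WLS_NS):
        name = srv.findtext("d:name", namespaces=WLS_NS)
        port = int(srv.findtext("d:listen-port", default=str(DEFAULT_LISTEN_PORT), namespaces=WLS_NS))
        addr = srv.findtext("d:listen-address", default="", namespaces=WLS_NS) or "localhost"
        ssl_port = None
        ssl = srv.find("d:ssl", WLS_NS)
        if ssl is not None and ssl.findtext("d:enabled", namespaces=WLS_NS) == "true":
            ssl_port = int(ssl.findtext("d:listen-port", default=str(DEFAULT_SSL_PORT), namespaces=WLS_NS))
        servers[name] = {"address": addr, "port": port, "ssl_port": ssl_port,
                         "admin": name == admin_name}
    return servers


START_PREFIXES = ("oam", "soa", "oim")   # sequence used on this page; OIM needs SOA running


def start_order(servers):
    """Admin Server first, then managed servers in OAM, SOA, OIM order (others last)."""
    def rank(name):
        for i, prefix in enumerate(START_PREFIXES):
            if name.lower().startswith(prefix):
                return i
        return len(START_PREFIXES)
    admin = [n for n, s in servers.items() if s["admin"]]
    managed = sorted((n for n, s in servers.items() if not s["admin"]), key=lambda n: (rank(n), n))
    return admin + managed


def write_boot_properties(domain_home, server_name, username, password):
    """Create servers/<name>/security/boot.properties with owner-only permissions.

    WebLogic encrypts both values on the server's next start; until then they are clear
    text, so the file is created with mode 0600 instead of being chmod'ed afterwards.
    """
    sec_dir = os.path.join(domain_home, "servers", server_name, "security")
    os.makedirs(sec_dir, exist_ok=True)
    path = os.path.join(sec_dir, "boot.properties")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("username=%s\npassword=%s\n" % (username, password))
    return path


def demo_boot_properties():
    """Write boot.properties into a throwaway domain directory; returns (contents, mode bits)."""
    domain_home = tempfile.mkdtemp(prefix="iamdomain-")
    path = write_boot_properties(domain_home, "AdminServer", "weblogic", "example-password")
    with open(path) as fh:
        contents = fh.read()
    return contents, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    servers = server_ports(SAMPLE_CONFIG_XML)
    for name in start_order(servers):
        s = servers[name]
        script = "startWebLogic.sh" if s["admin"] else "startManagedWebLogic.sh %s" % name
        print("%-12s %s:%d ssl=%s  -> $DOMAIN_HOME/bin/%s"
              % (name, s["address"], s["port"], s["ssl_port"], script))
```

Run against a real domain, replace SAMPLE_CONFIG_XML with the contents of $DOMAIN_HOME/config/config.xml; the printed list is the start sequence with the port to probe for each server before starting the next one.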

-Each WebLogic server instance runs in its own JVM. If you are unable to shut down a server instance using the methods described in the previous sections, you can use an operating system command to kill the JVM.

Note:
Killing a java process will do a forceful shutdown of WebLogic server instance.

-There is no stop script for Node Manager in WebLogic 10.3.6. Send it a normal termination signal first (kill <PID>) and fall back to kill -9 <PID> only if it does not exit; the WLST command stopNodeManager() is also available.

- Start/Stop Overview
- OAM/OIM Start
- OAM/OIM Stop
- Start/StopLogs

OIM/OAM: Start

-Start OID/OIM/OAM database and listener:
lsnrctl start
sqlplus "/ as sysdba"
startup;

-Start OID (system) component (only if OID is integrated with OIM/OAM):
opmnctl startall

-Start Java Component

==>Start Admin Server:
$DOMAIN_HOME/bin/startWebLogic.sh
==>Start OAM Managed Server:
$DOMAIN_HOME/bin/startManagedWebLogic.sh oam_server1
==>Start SOA Managed Server:
$DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1
==>Start OIM Managed Server:
$DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1


OIM/OAM: Stop

Stop Java Component

==>Stop SOA Managed Server:
$DOMAIN_HOME/bin/stopManagedWebLogic.sh soa_server1
==>Stop OIM Managed Server:
$DOMAIN_HOME/bin/stopManagedWebLogic.sh oim_server1
==>Stop OAM Managed Server:
$DOMAIN_HOME/bin/stopManagedWebLogic.sh oam_server1
==>Stop Admin Server:
$DOMAIN_HOME/bin/stopWebLogic.sh

-Stop OID (System) Component (only if OID is integrated with OIM/OAM):
opmnctl stopall

-Stop OIM/OAM Database & Listener

sqlplus “/as sysdba”
shutdown immediate;
lsnrctl stop


OIM/OAM: Start/Stop Logs

Admin Server
$DOMAIN_HOME/servers/<server_name>/logs/
OIM/OAM/SOA Server
$DOMAIN_HOME/servers/<server_name>/logs/
OID:OPMN
$ORACLE_INSTANCE/diagnostics/logs/OPMN/opmn/
OID:LDAP
$ORACLE_INSTANCE/diagnostics/logs/OID/[oid1]/
OID:ODSM/DIP
$DOMAIN_HOME/servers/<server_name>/logs/
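To pull the server names, hosts and ports out of config.xml (the file the note above says to check before starting or stopping components) and map them to the log directories just listed, here is an added Python example that is not from the original post. The config.xml is a constructed, cut-down sample, the domain path is hypothetical, and a server with an empty listen-address is flagged because WebLogic then binds all interfaces.

```python
"""List the servers of a WebLogic domain from config.xml and derive their
log paths. Added example, not from the original post; the config.xml is a
constructed, cut-down sample."""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IAMDomain</name>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <listen-address>prodidm</listen-address>
  </server>
  <server>
    <name>oam_server1</name>
    <listen-port>14100</listen-port>
    <listen-address>prodidm</listen-address>
  </server>
  <server>
    <name>oim_server1</name>
    <listen-port>14000</listen-port>
    <listen-address></listen-address>
  </server>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
"""


def list_servers(config_xml):
    """Return [(name, listen_address, port)] for every <server>. WebLogic
    defaults the port to 7001 and binds all interfaces when the address is empty."""
    root = ET.fromstring(config_xml)
    servers = []
    for srv in root.findall("d:server", NS):
        name = srv.findtext("d:name", namespaces=NS)
        port = int(srv.findtext("d:listen-port", default="7001", namespaces=NS))
        addr = (srv.findtext("d:listen-address", default="", namespaces=NS) or "").strip()
        servers.append((name, addr, port))
    return servers


def log_dir(domain_home, server_name):
    # Same layout as the Start/Stop Logs list: $DOMAIN_HOME/servers/<server_name>/logs/
    return "%s/servers/%s/logs/" % (domain_home, server_name)


def unrestricted_listeners(servers):
    """Names of servers with no listen-address, i.e. listening on all interfaces."""
    return [name for name, addr, _ in servers if not addr]
```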

Installation:

-Oracle Linux 5.7 Virtual Machine
-Java Development Kit 1.7
-Oracle Database 11.2.0.4
-Oracle Weblogic Server 10.3.6
-Oracle SOA Suite 11.1.1.9
-Oracle Identity & Access Management 11.1.2.3
-Repository Creation Utility 11.1.1.9
-Oracle Unified Directory (This is optional and required only if you want to integrate OAM & OIM with LDAP. You can use any LDAP of your choice)

Repository Creation Utility (11.1.1.9):
Note: the 11.1.1.9 RCU is used to create the schemas for 11.1.2.3 IDAM.
Pre-requisites:
-Database and listener should be up and running while configuring RCU.
-We need to set two parameters:
alter system set open_cursors=800 scope=spfile;
alter system set processes=800 scope=spfile;

During the installation, RCU will ask for database connection details such as:
-Database type
-Hostname
-Port number
-Service name/SID
-Username
-Password

Which components did you select while installing RCU?
After creating a new prefix (by default DEV), we have to choose the components below.
-Oracle Identity Manager
-Oracle Access Manager
-Oracle Mobile Security Manager
Below schema will be selected automatically
-Metadata Services
-Audit Services
-Oracle Platform Security Services
-Business Intelligence Platform
-SOA Infrastructure
-User Messaging Service

Note:
The default and temporary tablespaces are created for all the components.



OIM - Frequently used schedulers


To trigger user policy:
Evaluate User Policy

To refresh the catalog table:
Catalog Sync Job

To delete an application instance (AI) permanently:
Application Instance Post Delete Processing Job

To sync entitlements:
Entitlement List

Important Port Numbers In IDAM



WebLogic Admin Server: 7001
OBIEE server: 9704
oam_server: 14100
oam_policy_mgr: 14150
oim_server: 14000
omsm_server: 14180
soa_server: 8001

Testing URLs
------------------
WebLogic Admin Server
http://prodidm:7001/console

Fusion Middleware Control
http://prodidm:7001/em

Oracle Access Manager Console
http://prodidm:7001/oamconsole

Oracle Access Manager Server
http://prodidm:14100/oam

OIM Server
http://prodidm:14000/oim
xelsysadm/*******

SOA Suite
http://prodidm:8001/soa-infra
weblogic/*******

OIM Sysconsole
http://HOSTNAME:PORT/sysadmin/
Example:
http://localhost:14000/sysadmin/
or
http://iam.myhostname.com:14000/sysadmin/
The username for the system administrator is xelsysadm.

OIM user console
http://HOSTNAME:PORT/oim/
Example:
http://localhost:14000/oim/
or
http://iam.myhostname.com:14000/oim/

OAM console
http://WLS_HOSTNAME:PORT/oamconsole
Example:
http://localhost:7001/oamconsole
or
http://iam.myhostname.com:7001/oamconsole

WLS console
http://WLS_HOSTNAME:PORT/console
Example:
http://localhost:7001/console
or
http://iam.myhostname.com:7001/console


What is Oracle IDAM ?


Identity management is a collection of processes that a company uses to manage the security life cycle of resources for its users, organizations and entities.

Importance:
A company needs an identity management solution to:
-Manage its users, organizations and resources.
-Regulate access rights to its resources.
-Provide security for its resources.
-Audit, monitor and log access to its resources
-Pass correspondence between resources

Friday, December 22, 2017

Introduction To Oracle Access Manager (OAM), Oracle Identity Manager (OIM) And Oracle Internet Directory (OID)


Oracle Access Manager (OAM)

Oracle Access Manager is a J2EE application, typically deployed on a dedicated Managed Server in a clustered WebLogic (application server) environment. An enterprise typically has many applications for different purposes, and each application typically has its own authentication and authorization functionality.

OAM provides a single point of control for all resource grants in an enterprise where multiple applications exist on different platforms.

OAM provides:

-Single Sign On (SSO)
-Authentication
-Authorization
-Real time session management
-Auditing
-Policy Administration
Flaws in the conventional security model:

Each independent application in the enterprise (.NET, J2EE, SAP, WebCenter, etc.) does its own authentication and authorization, so every application has its own authentication and authorization mechanism. This hurts:

-Effective security
-Cost
-Consistency (each application behaves differently)
-Security compliance
-Ease of use for users (no Single Sign On)
-Governance, support and management

-One of the web servers will have the OAM agent (WebGate). Requests for the other web servers are redirected to this OAM agent via a reverse proxy, so we don't need an OAM agent on each web server.

The request goes to the OAM agent, which redirects it to OAM; OAM in turn challenges the user for a username and password. Once these are provided, OAM goes to the LDAP directory (AD or OID) to authenticate the user. Once the user is authenticated, the WebGate opens the gate to the underlying web server.


Oracle Identity Manager (OIM)

Oracle Identity Manager (OIM) provides a mechanism for implementing the user management aspects of a corporate policy. It can also be a means to audit users and their access privileges. OIM enables enterprises to manage the entire user life cycle across all enterprise resources, both within and beyond the firewall.

The OIM application is deployed on a WebLogic Managed Server in the domain, and there is a second Managed Server for SOA Infra in the same domain. OIM uses this SOA server to process user provisioning with workflow-based approval; in the real world, all user provisioning has an approval chain.

The OIM server is a J2EE application. User provisioning is done in OIM, which integrates it with all the other applications.

OIM does life cycle management of an identity (generally a user, e.g. an employee).

Let's take the example of an employee joining an organization. He/She needs access to various applications in the organization. HR typically creates the employee in the HRMS on the joining date. The manager then raises requests to create user IDs for this new employee in email, the timesheet app, CRM, the leave management app, etc. With OIM this provisioning can be done automatically or manually from a single point.

OIM provides unified access control for all the applications in the enterprise. Once the employee quits, the manager only needs to log on to OIM and delete (soft/hard) the employee from the various applications.

OIM integrates with other applications using SOA Suite with the respective JCA adapters.


Oracle Internet Directory (OID)

This is a directory of objects. For example, in the case of employees in an organization, this directory holds employee details such as name, designation, enterprise roles, application-specific roles, and security credentials like the password and password reminder questions. An online directory is a specialized database that stores and retrieves collections of information about objects. The information can represent any resources that require management.

-This is typically a single source of truth for information about employees in an organization.

-Various applications access OID to authenticate and authorize users. Typically, OID is integrated with OAM.

-OID is Oracle's LDAP implementation. Active Directory (AD) is a similar implementation of the same solution from Microsoft.

-OID generally uses an Oracle database for storage of all the information mentioned above.

-The information in the directory is available to different clients, such as single sign-on solutions, email clients, and database applications. Clients communicate with a directory server by means of the Lightweight Directory Access Protocol (LDAP). Oracle Internet Directory is an LDAP directory that uses an Oracle Database for storage.