· OAM has two User Identity Stores: the System Store and the Default Store.
· Generally, the Default Store is used for authentication to protected applications, and the System Store is used for OAM's own authentication into /oamconsole as well as for authentication to protected applications.
· By default, both the Default Store and the System Store in OAM are UserIdentityStore1, which is the Embedded LDAP of WebLogic.
· Here we want to change the System Store to OUD, which will then be used both for login to /oamconsole and for authenticating into applications.
Steps:
1. First configure OUD as a User Identity Store as shown below (host and port in Location; user and group search base as per the project).
· After configuring OUD as a User Identity Store it should look as below:
· Check the connection, make it the Default Store, and check that it is working.
2. Take a backup of oam-config.xml and of the WebLogic config.xml before proceeding further.
3. Go to WebLogic Console -> Security Realms -> myrealm -> Providers.
· Create a new provider for OUD:
  Name: OUDAuthenticator
  Type: IPlanetAuthenticator
  Control flag: Sufficient
· Provide the provider-specific details (host, port, user base DN, etc.) as shown below.
· Reorder the providers as shown below, keeping OUDAuthenticator in 2nd position.
· Restart the Admin and Managed servers.
4. Create an oamadmin user for OAM in OUD under the user_search_base specified earlier, and also create an oamadmin group in OUD under the group_search_base; this user will be used as the System Store user.
· Here cn=OAMAdministrators and uid=oamadmin are used as the System Store group and user for OAM.
5. Go to /oamconsole -> Modules -> LDAP and change it from UserIdentityStore1 to OUD. (OAM itself is authenticated by the LDAP Module: the OAMAdminAuthentication scheme, which protects OAM, points to the LDAP Module, so it needs to be changed to our new System Store.)
6. Now in /oamconsole -> User Identity Stores, change the System Store to OUD and press Apply.
· It will ask to add a user and group -> provide both the user and the group and validate -> it should come back as successful.
7. Now try to access /oamconsole in a different browser with the oamadmin credentials instead of the weblogic user; it should authenticate successfully into /oamconsole.
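The WebLogic part of the procedure (step 3: create the OUDAuthenticator provider of type IPlanetAuthenticator with control flag Sufficient and move it to 2nd position) can also be scripted with WLST. This is an added example, not part of the original post; the admin URL, credentials, OUD host/port, bind DN and search bases are placeholders to replace with the project's values.

```wlst
# Added example (not from the original post): WLST equivalent of step 3.
# Run with: $MW_HOME/oracle_common/common/bin/wlst.sh add_oud_authenticator.py
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL   = 't3://adminhost.example.com:7001'   # placeholder
ADMIN_USER  = 'weblogic'
ADMIN_PASS  = '<weblogic-password>'               # placeholder
OUD_HOST    = 'oud.example.com'                   # placeholder
OUD_PORT    = 1389                                # placeholder
OUD_BIND_DN = 'cn=Directory Manager'              # placeholder
OUD_BIND_PW = '<oud-bind-password>'               # placeholder
USER_BASE   = 'ou=People,dc=example,dc=com'       # placeholder, per project
GROUP_BASE  = 'ou=Groups,dc=example,dc=com'       # placeholder, per project

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
edit()
startEdit()

# Security Realms -> myrealm (the domain's default realm)
realm = cmo.getSecurityConfiguration().getDefaultRealm()

# Providers -> New: name OUDAuthenticator, type IPlanetAuthenticator, flag SUFFICIENT
oud = realm.createAuthenticationProvider(
    'OUDAuthenticator',
    'weblogic.security.providers.authentication.IPlanetAuthenticator')
oud.setControlFlag('SUFFICIENT')

# Provider-specific details (host, port, bind DN/password, user and group base DN)
oud.setHost(OUD_HOST)
oud.setPort(OUD_PORT)
oud.setPrincipal(OUD_BIND_DN)
oud.setCredential(OUD_BIND_PW)
oud.setUserBaseDN(USER_BASE)
oud.setGroupBaseDN(GROUP_BASE)

# Reorder: keep the current first provider first, OUDAuthenticator second,
# then the remaining providers in their existing order.
others  = [p for p in realm.getAuthenticationProviders() if p.getName() != 'OUDAuthenticator']
ordered = [others[0], oud] + others[1:]
realm.setAuthenticationProviders(jarray.array(ordered, AuthenticationProviderMBean))

save()
activate(block='true')
disconnect()
# Restart AdminServer and the OAM managed servers afterwards, as in step 3.
```

Also confirm that the existing DefaultAuthenticator's control flag is SUFFICIENT rather than REQUIRED, otherwise a user that exists only in OUD cannot log in.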
ISSUES:
· If you get the below error on the /oamconsole -> User Identity Store page:
MBean operation access denied. MBean: com.oracle.igf:type=Xml,name=IDSConfig Operation: listAllIdentityDirectoryService() Detail: Access Denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[oamadmin, oamadmin_group, OAMSystemAdminGroup]
To resolve this issue, complete the following steps:
1. Login to the WebLogic Console (/console) as the weblogic user.
2. Navigate to Security Realms -> myrealm.
3. Click the Roles and Policies tab.
4. Expand Global Roles and then Roles.
5. Click View Role Conditions on the line for the Admin role.
6. Click Add Conditions and add both of the following groups:
   oamadmin_group
   OAMSystemAdminGroup
7. Click Save.
8. Restart both the AdminServer and the OAM managed servers.
· If you get 2 login pages while accessing the /oamconsole URL, then:
· Add the oamadmin user in WebLogic Users and Groups as an Administrator of OAM.
**** Thanks for visiting ****