Why I am writing this article
I want to give a simple install flow that new users can follow. If you are an experienced user, I strongly encourage you to read the official documentation, which is much more extensive and provides more installation options. Stumped by instructions in this article? Video recordings of the install and setup procedure can provide more help.
Overview
Before we get started, let me clarify the difference between Installation and Configuration (as used by the Oracle Entitlements Server docs). Installation is the part where product files are copied into the right location. Configuration is where you actually create a runnable instance of the product and optionally wire this product to other Oracle/non-Oracle products. Because Installation is a simple process, it seldom fails. If there are any problems, you will likely see them during the configuration procedure.
Oracle Entitlements Server follows an install flow which is common to many Oracle products:
1) Schema Creation (RCU): Involves using RCU to create DB schemas necessary to install the product.
2) Installing required products: As mentioned earlier, this step essentially unzips product archives into correct locations
3) Configuration: This involves deploying Oracle Entitlements Server Admin UI application into a WebLogic domain.
4) Post configuration: Final configuration steps
The following instructions assume that you are using Linux, but they should also work on Windows. I am using Oracle DB for installation; you will need to slightly alter the procedure if you want to use Apache Derby DB.
Downloading Products
You will need to download these 4 items before you start:
1) Oracle WebLogic Server 11gR1 (10.3.5)
2) One of
a) RCU 11.1.1.5.0 – Linux
b) RCU 11.1.1.5.0 – Windows
3) Oracle Identity and Access Management (11.1.1.5.0) – OES Administration Server
4) Oracle Entitlements Server Client (11.1.1.5.0) – OES Security Module (SM)
Schema Creation (RCU)
As you work through the steps, remember to fill in the installation worksheet.
1) You need to get DB information from Database Administrator
2) Unzip RCU “ofm_rcu_linux_11.1.1.5.0_disk1_1of1.zip”
3) Cd to rcuHome/bin
4) Run “./rcu”
5) Click “next”
6) Select “Create” and click “next”
7) Fill-in JDBC parameters and click “next”. I am using Oracle DB XE here; remember that XE is not officially supported.
8) Ignore these two warnings
9) Click on “Identity Management”, it will show the full list of identity management products
10) Click on Oracle Entitlements Server. The tool will also select Metadata Services (this is a required dependency). Click Next
11) Fill in the DB account passwords, click “next” and then “next” again
12) Ignore this pop-up and click OK
13) Click “Create” to create and initialize the schema
14) Click “Close” to complete the installation
Installing WebLogic
As you work through the steps, remember to fill in the installation worksheet.
You need WebLogic 10.3.5 to run Oracle Entitlements Server Admin UI. This section can be skipped if you have already installed the correct version of WebLogic.
I use the WebLogic package installer because it is easier than the other install options. You might want to stick with the package installer if you are not familiar with WebLogic.
1) Make sure that the installer has the execute flag set: run “chmod +x wls1035_linux32.bin”
2) To start the installation run “./wls1035_linux32.bin”
3) At the welcome screen, click “next”
4) Fill-in Middleware Home and click “next”
5) Skip the registration step by unselecting the checkbox and clicking next
6) In Install Type screen, click “next”
7) The product installation directories are reasonable default values, so just click “next”
8) At the Installation Summary screen, click “next”
9) Unselect “Run Quick Start” and click “done”
Installing Oracle Entitlements Server Administration Console
As you work through the steps, remember to fill in the installation worksheet. Oracle Entitlements Server Administration Console is packaged along with the Oracle Identity and Access Management (IAM) suite.
1) Unzip IAM suite ofm_iam_generic_11.1.1.5.0_disk1_1of1.zip
2) Cd to Disk1 directory
3) To start installation run “./runInstaller -jreLoc java-home”. It is recommended that you use the JDK that shipped with WebLogic.
4) If you see “Specify Inventory directory” pop-up, click “OK”. Then select “continue Installation with local inventory” and click “OK”
5) You should see the Oracle Identity Management Installation screen, click “next”
6) Select “skip software updates”, click “next”
7) You can safely ignore these warnings, click “next”
8) Ignore the warning below, double check Oracle Home and Oracle Middleware Home and click “next”
10) Click “next”
11) Click “finish” to complete the installation
Configuring Oracle Entitlements Server Administration Console
As I mentioned earlier, Configuration is where you actually create a runnable instance of Oracle Entitlements Server Administration Console. When you work through the steps, remember to use the installation worksheet.
1) Cd to Oracle-Home/Middleware/wlserver_10.3/common/bin
2) Run “./config.sh”
3) Select “Create a new WebLogic Domain” and click “next”
4) Select “Oracle Entitlements Server” (JRF will be automatically selected) and click “next”
5) Verify Domain Name, Domain Location and click next
6) Double check Name, Password and click next
7) Select Sun SDK and click Next
8) Using the values filled in during schema creation (RCU), fill in the required values and click next.
9) If you get a DB error, verify the DB information you provided earlier. Click “next”
10) Click “next”
11) Click “create”
Post Configuration Steps
These are the final steps you need to do for completing Oracle Entitlements Server Administration Console setup. When you work through the steps, remember to use installation worksheet.
1) Cd to Oracle-Home/Middleware/Oracle_IDM1/common/bin
2) Run “./wlst.sh ../../oes/modifygrants.py”
3) From a new command window
a. Cd to OES Admin Console Domain home (e.g. Oracle-Home/Middleware/user_projects/domain/oes_admin)
b. Run “./startWebLogic.sh”
c. Wait until you see message “Server started in RUNNING mode”
4) Run “./wlst.sh”
5) From WLST shell prompt, run “connect('weblogic', 'password', 't3://localhost:7001');”
6) At the next WLST prompt, type “configureOESAdminServer(servertype="DB_ORACLE");”
7) To exit WLST, type “exit();”
8) Go to the window from which you started WebLogic:
a. Type “Ctrl-C” to stop the WebLogic server
b. Run “./startWebLogic.sh”
c. Wait until you see message “Server started in RUNNING mode”
9) Browse to web page http://localhost:7001/apm and login with the user-name & password that you filled in during “Configuring OES Administration Console” step 6.
This completes installation and setup of Oracle Entitlements Server Administration and it is ready for business.
Installing Oracle Entitlements Server Security Module
Security Module (SM) is also known as OES Client and OES Agent. When you work through the steps, remember to use installation worksheet.
1) Unzip file ofm_oesclient_generic_11.1.1.5.0_disk1_1of1.zip
2) Cd to Disk1
3) Run “./runInstaller -jreLoc jdk-home”
4) If you get “Specify Inventory Directory” pop up
a. Click “OK”
b. Select checkbox “Complete installation with local inventory”
c. Click “OK”
5) You should see the installation screen, click “next”.
6) It is OK to ignore these warnings, click “next”
7) The tool selects a poor default value for “Oracle Home Directory”. This is actually “OES SM (Client) Home directory”, remember to fill in the appropriate value. Click “next” to continue
8) Click “Install”
9) Click “next”
10) Click “Finish”
Configuring SM will be covered in a future blog post “Hello OES World”, which will show how to start from scratch and get a sample app working. Remember to save information in your installation worksheet; you may need it in the future for other configuration procedures.
Note: You can skip this note if OES Admin and SM are installed in the same Oracle-Home.
If you are using WebLogic SM in a configuration where SM and Admin are installed in different Oracle-Homes, then you need to perform these additional steps.
1) Open file Oracle-Home/Middleware/wlserver_10.3/server/lib/weblogic.policy, where Oracle-Home is the location where you installed OES SM
2) Append these lines to the bottom of the file and save the file
grant codeBase "file:${idm.opss.oracle.home}/modules/oracle.jps_${jrf.version}/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${idm.opss.oracle.home}/oes/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${oes.client.home}/-" {
    permission java.security.AllPermission;
};
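The two steps above as a rerunnable shell function, added here as an example and not part of the original article: it appends only the grant blocks that are missing, keeps a `.bak` copy of the policy file, and counts the AllPermission grants so the result can be reviewed. The function names are hypothetical; the grant text is the article's.

```shell
#!/bin/sh
# Added example: append the article's three grant blocks to weblogic.policy,
# skipping any that are already present. Function names are hypothetical.

append_oes_grants() {
    policy=$1
    [ -f "$policy" ] || { echo "no such file: $policy" >&2; return 2; }
    added=0
    # Single quotes keep ${...} literal; the JVM expands these properties
    # when it loads the policy, the shell must not.
    for cb in \
        'file:${idm.opss.oracle.home}/modules/oracle.jps_${jrf.version}/*' \
        'file:${idm.opss.oracle.home}/oes/*' \
        'file:${oes.client.home}/-'
    do
        # Fixed-string match: the codeBase is literal text, not a regex.
        if grep -qF "grant codeBase \"$cb\"" "$policy"; then
            continue
        fi
        if [ "$added" -eq 0 ]; then
            cp -p "$policy" "$policy.bak"   # back up once, before the first change
            printf '\n' >> "$policy"        # guard against a missing final newline
        fi
        printf 'grant codeBase "%s" {\n    permission java.security.AllPermission;\n};\n' \
            "$cb" >> "$policy"
        added=$((added + 1))
    done
    echo "$added"                           # number of blocks appended
}

# Count AllPermission grants in a policy file, for review after the edit.
count_allperm_grants() {
    grep -cF 'permission java.security.AllPermission;' "$1"
}

# Stand-alone use: ./script.sh /path/to/weblogic.policy
if [ "$#" -gt 0 ]; then
    append_oes_grants "$1"
fi
```

Running it a second time against the same file prints 0 and leaves both the policy file and the backup untouched.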
Hi Subbu,
Could you explain how to point OES to use external identity store (for example Active Directory or SiteMinder) so I can reference that store’s users and groups when writing policies?
Hi,
OES is purely an authorization product and it avoids handling of authentication. For OES Admin UI, you need to setup an LDAP Authentication provider in WLS security realm. It should be the first authentication provider and flag should be set to sufficient.
Thanks,
Subbu Devulapalli
Hi Subbu ,
Can we change the port other than 7001 for OES Admin server. I already have admin server of OAM11g using the 7001 port. I mean to say that there is already startWeblogic.sh running for one domain on which OAM11g is deployed. Now in another domain I install oes11g. Now if I start the startWeblogic.sh from the oes11g domain it throws error unable to create socket. This is because the 7001 port is already in use. Please suggest a solution.
Hi,
OES Admin UI reuses WLS console port number. So when you are creating the domain in the last step of “Configuring Oracle Entitlements Server Administration Console”, pick a different port for WLS server instance
Bye,
Subbu Devulapalli
Is there a way to find out what schema name was created during RCU?
Hi Khalid,
1) Log into WLS console (e.g. if your OES Admin UI url is http://apmdev:7101/apm then WLS console URL will be http://apmdev:7101/console)
2) Click on “Data Sources” under Services
3) You will see data sources. OES uses the data source starting with “apm” and “MDS”
Let me know if this helped
Bye,
Subbu Devulapalli
Hi,
I am setting up OES 11g on Windows 2003. After successfully completing the installation I am not able to find the “oes/modifygrants.py” file for configuring permissions.
Where is this file location? Do we need to perform this step during OES setup on windows?
Hi Yogesh,
You should find it at Oracle-Home/Middleware/Oracle_IDM1/oes/modifygrants.py
Bye,
Subbu Devulapalli
Hi Subbu,
nice blog!
Question: For a Centralized OES Architecture; whereby SM [PDP,PEP] is deployed as DOMAIN in WLS are both products required below (1) and (2)
It seems that only (1) is required, because it supports both WLS OES Admin Server DOMAIN and OES WLS SM DOMAIN
1) Oracle Identity and Access Management (11.1.1.5.0) – OES Administration Server
–> ofm_iam_generic_11.1.1.5.0_disk1_1of1.zip
2) Oracle Entitlements Server Client (11.1.1.5.0) – OES Security Module (SM)
–> ofm_oesclient_generic_11.1.1.5.0_disk1_1of1.zip
v/r, Eric
Hi Eric,
I am happy that you enjoyed reading this blog.
Yes, you can deploy applications into OES Admin domain. That being said, customers are discouraged from running OES Admin and OES SM within the same container (remember that a domain can span multiple containers instances). In addition, I do not think this configuration is supported.
For quick prototyping etc. it is OK to have your OES Admin and SM within the same container. But if you run into any problems, support may ask you to setup OES Admin and SM on separate containers.
When I am playing with OES on my laptop, I generally have OES Admin and SM (+ sample web apps) in the same container and it works without any issues. So I do not think there are any technical limitations. But in QA and production env. you should have them deployed separately.
Bye,
Subbu
Hi Subbu,
Could you explain how to point OES to use external identity store for oracle identity manager so I can reference that store’s users and groups when writing policies?