Thursday, July 3, 2014

Association of an existing Database Security Store with a new Oracle Identity and Access Management Domain using -m join


Configuring a database security store is a mandatory step of an Oracle Identity and Access Management installation, as it is the only type of security store supported.

In some scenarios you have created the security store for a domain and, because of a configuration issue or for some other reason, need to associate that existing security store with a new domain. This can be painful if not done correctly. Follow the steps below to re-associate the security store.

This also applies when you clone an existing environment (database and filesystem) and try to bring up the new environment.

Prerequisites:

  1. The domain directory with which the store was initially created must still exist.
  2. You must know the password with which the store was initially created/configured.

Steps:
  1. The security store within your DB is encrypted with an encryption key, so the first step is to export that key. Let's assume domain1 is the domain initially configured with the security store and domain2 is the new domain that needs to be associated. First export the encryption key using the command below:

Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)

For example:

exportEncryptionKey(jpsConfigFile="<MW_HOME>\\user_projects\\domains\\domain1\\config\\fmwconfig\\jps-config.xml", keyFilePath="anyDir\\key" , keyFilePassword="idm123")



Linux:

<MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)

For example:

exportEncryptionKey(jpsConfigFile="<MW_HOME>/user_projects/domains/domain1/config/fmwconfig/jps-config.xml", keyFilePath="anyDir/key" , keyFilePassword="idm123")


Notes:

1) This command may not run as a single line and you may get a syntax error. In that case, first run wlst.cmd or wlst.sh on its own, wait for the WLST prompt, and then call the function there: exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)


2) The path to jpsConfigFile must be that of your old domain (domain1):
    <domain1/config/fmwconfig/jps-config.xml>

3) keyFilePath is the path to which you want to export the encryption key.

4) keyFilePassword is the password you used to create/configure the security store.



  2. Associate the security store with the new domain (domain2) using the join operation. Run the following command:

Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath which is exported in previous step> -w <keyfilepassword>

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\domain2 -c IAM -p oracle123 -m join -k anyDir -w idm123



Linux:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <newdomaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath which is exported in previous step> -w <keyfilepassword>

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/domain2 -c IAM -p oracle123 -m join -k anyDir -w idm123

Notes:

1) The domain directory must be that of the new domain (domain2).
2) IAM is a fixed keyword used when creating the security store.
3) The OPSS schema password is the one used to log in to the Oracle DB schema.
4) keyFilePath is the directory into which the encryption key file was exported in the previous step.
5) keyFilePassword is the password used to create the security store initially.

  3. This should associate your existing security store with the new domain. To validate, run the commands below:
On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -m validate
For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\domain2 -m validate

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m validate
For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/domain2 -m validate
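The three Linux steps above, wrapped in one script as an added example (not from this post or from Oracle). MW_HOME, IAM_HOME, the domain paths and the key export directory are assumptions; it checks the two prerequisites first, drives WLST with a generated script file instead of the one-line call that note 1 of step 1 warns about, and keeps the exported key directory and the password-bearing script owner-only.

```shell
#!/usr/bin/env bash
# Added wrapper for the three Linux steps above (not from the post or Oracle).
# MW_HOME, IAM_HOME and the key directory are assumptions; adjust them.
# WLST is given a generated script file instead of the one-line call, which
# sidesteps the syntax error described in note 1 of step 1.
set -e

MW_HOME="${MW_HOME:-/u01/oracle/middleware}"      # assumed path
IAM_HOME="${IAM_HOME:-$MW_HOME/Oracle_IDM1}"       # assumed path
WLST="$MW_HOME/oracle_common/common/bin/wlst.sh"
CSS="$IAM_HOME/common/tools/configureSecurityStore.py"

# Prerequisite check: the old domain's jps-config.xml must still exist and the
# new domain directory must already be created. Key dir is owner-only (0700).
preflight_check() {   # $1=old domain dir  $2=new domain dir  $3=key export dir
  [ -r "$1/config/fmwconfig/jps-config.xml" ] ||
    { echo "no jps-config.xml under $1 (old domain must still exist)" >&2; return 1; }
  [ -d "$2" ] || { echo "new domain dir $2 not found" >&2; return 1; }
  [ -d "$3" ] || mkdir -m 700 -p "$3"
}

# Step 1: write the WLST script that exports the encryption key of the OLD
# domain. $1=old domain dir  $2=key export dir  $3=script path; password on stdin.
write_export_script() {
  IFS= read -r keypw      # must be the password the store was created with
  cat > "$3" <<EOF
exportEncryptionKey(jpsConfigFile="$1/config/fmwconfig/jps-config.xml", keyFilePath="$2", keyFilePassword="$keypw")
EOF
  chmod 600 "$3"          # the script embeds the password; owner read/write only
}

main() {
  old="$MW_HOME/user_projects/domains/domain1"   # domain the store was created with
  new="$MW_HOME/user_projects/domains/domain2"   # domain to associate (must exist)
  keydir="$HOME/opss_key"                        # assumed export directory
  preflight_check "$old" "$new" "$keydir"
  read -rsp "Key file password (store creation password): " keypw; echo
  read -rsp "OPSS schema password: " opsspw; echo
  printf '%s\n' "$keypw" | write_export_script "$old" "$keydir" "$keydir/export_key.py"
  "$WLST" "$keydir/export_key.py"                                # step 1: export
  # Step 2: join the NEW domain to the existing store. As in the post, both
  # passwords are command-line arguments, so they are visible in ps while it runs.
  "$WLST" "$CSS" -d "$new" -c IAM -p "$opsspw" -m join -k "$keydir" -w "$keypw"
  "$WLST" "$CSS" -d "$new" -m validate                           # step 3: validate
  rm -f "$keydir/export_key.py"    # remove the password-bearing script afterwards
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `./reassociate.sh --run`; without `--run` it only defines the functions, so the checks can be exercised on a scratch directory first.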


Feel free to ask any questions in the comments

-gaurav