Configuring a database-based security store is a mandatory step of an Oracle Identity and Access Management installation, because the database store is the only type of security store IAM supports.
Sometimes you create the security store for a domain and later, because of a configuration problem or for some other reason, need to associate that existing security store with a new domain. This can be painful if you get it wrong. Follow the steps below to re-associate the security store.
The same steps apply when you clone an existing environment (database and file system) and bring up the new environment from the clone.
Prerequisites:
- The domain directory with which the store was initially created still exists.
- You must know the OPSS schema password used when the store was initially created/configured.
Steps:
- The security store in your database is encrypted with a domain encryption key, so the first step is to export that key. Let's assume domain1 is the domain with which the security store was initially configured and domain2 is the new domain that needs to be associated with it. Start WLST and export the key with exportEncryptionKey:
Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd
exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)
For example:
exportEncryptionKey(jpsConfigFile="<MW_HOME>\\user_projects\\domains\\domain1\\config\\fmwconfig\\jps-config.xml", keyFilePath="anyDir\\key", keyFilePassword="idm123")
Linux:
<MW_HOME>/oracle_common/common/bin/wlst.sh
exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)
For example:
exportEncryptionKey(jpsConfigFile="<MW_HOME>/user_projects/domains/domain1/config/fmwconfig/jps-config.xml", keyFilePath="anyDir/key", keyFilePassword="idm123")
Notes:
1) wlst.cmd / wlst.sh starts an interactive WLST shell; exportEncryptionKey is not a command-line argument to it. If you get a syntax error, run wlst.cmd or wlst.sh on its own, wait for the wls:/offline> prompt, and then type the call on a single line:
exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)
2) jpsConfigFile must point at the jps-config.xml of the OLD domain (domain1):
<domain1>/config/fmwconfig/jps-config.xml
3) keyFilePath is the directory into which the encryption key is exported. WLST writes the key there as a password-protected wallet file named ewallet.p12, and this same directory is what the join step points at.
4) keyFilePassword protects the exported key file, and the join step must be given the same value. The examples here reuse the password used when the security store was created/configured.
- Associate the security store with the new domain (domain2) using the join operation of configureSecurityStore.py. Run the following command on the machine that hosts the new domain:
Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <newdomaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath exported in the previous step> -w <keyfilepassword>
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_HOME>\user_projects\domains\domain2 -c IAM -p oracle123 -m join -k anyDir\key -w idm123
Linux:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <newdomaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath exported in the previous step> -w <keyfilepassword>
For example:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_HOME>/user_projects/domains/domain2 -c IAM -p oracle123 -m join -k anyDir/key -w idm123
Notes:
1) The domain directory (-d) is that of the NEW domain (domain2), and the command is run on the target machine, not on the one hosting domain1.
2) IAM is a fixed keyword, the same value used when the security store was first created.
3) The OPSS schema password (-p) is the password used to log in to the OPSS schema in the Oracle database.
4) -k is the directory into which the encryption key file (ewallet.p12) was exported in the previous step, i.e. the same value that was given as keyFilePath there.
5) -w is the keyFilePassword used in the export step; in these examples that is the password used when the security store was initially created/configured.
- This should associate your existing security store with the new domain. To validate, run the following command:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <newdomaindir> -m validate
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_HOME>\user_projects\domains\domain2 -m validate
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <newdomaindir> -m validate
For example:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_HOME>/user_projects/domains/domain2 -m validate
Feel free to ask any
questions in the comments
-gaurav
Hi Gaurav,
This post is very helpful.
Could you please let me know where this script (configureSecurityStore.py) needs to be run? I mean the source (domain1) machine or the target machine (domain2).
Thanks in advance.
Thanks and sorry Chandra, I just missed seeing the comment. It has to be run on the target.
Thanks,
Gaurav
How do I find keyfilepath in Windows 7?
I have a domain running in 12.1.2 with OPSS, audit services and STB schemas and wanted to migrate it and use it with an existing 12.2 FMW domain. Just pointing the RCU datasource at it throws access errors when starting WebLogic in 12.2.
In this case, what would the steps be to reuse the 12.1.2 OPSS schema with a 12.2 domain?
Hi Gaurav, thanks for your post. I am able to generate the key in step 1, but when I go to step 2 I am getting an error, which is: Failed to join security store, unable to locate diagnostics data... join operation failed... Please help here. Thanks, Randhir
Can you paste the full command here?
Hi Gaurav, the full command is:
./wlst.sh /app/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /app/Middleware/user_projects/domains/oamdomain -c IAM -p Oracle123 -m join /tmp/key Oracle123
The error message is: oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to perform cryptographic operation.... Error: Failed to join security store, unable to locate diagnostic data.... Error: Join operation has failed.
In PS3 the joining feature is not supported. Please refer to the note below:
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=435386614692495&id=2124046.1&_afrWindowMode=0&_adf.ctrl-state=9qvs3ij9g_58
Hello Gaurav,
We have exported the wallet from the primary node using the command below, and when running the "join" command it is failing with the error "Join Operation Failed".
Steps followed:
1.1.1. Export the Wallet:
1. SSH into the Primary node and run the following commands to export the OPSS wallet
mkdir ~/opam_wallet
$MW_HOME/oracle_common/common/bin/wlst.sh
exportEncryptionKey(jpsConfigFile="/u01/oracle/products/fmw/user_projects/domains//config/fmwconfig/jps-config.xml", keyFilePath="/home/oracle/opam_wallet", keyFilePassword="")
exit()
cp $MW_HOME/user_projects/domains//config/fmwconfig/default-keystore.jks ~/opam_wallet/
2. On the DR BUI node, run the following commands
mkdir ~/opam_wallet
cd ~/opam_wallet
scp :/home/oracle/opam_wallet/* .
1.1.2. Configure the Security Store (JOIN)
Step Description
1. SSH into the DR node as your named user and become the middleware user
2. Change working directory to the domain home directory
cd $MW_HOME/user_projects/domains/
3. Run the following commands (both commands are one-liners):
$MW_HOME/oracle_common/common/bin/wlst.sh /u01/oracle/products/fmw/Oracle_IDM1/common/tools/configureSecurityStore.py -d /u01/oracle/products/fmw/user_projects/domains// -c IAM -u -p -m join -k /home/oracle/opam_wallet -w
Fails at this Step
Please help if you have seen this before! Thanks in advance!
Please let me know your email address so I can send the screenshot which shows the output of the command.
Regards,
Vineet