2 Preparing for Installation

2.3.1 About the Network Time Protocol

To synchronize 10g (10.1.4.0.1) components across geographically diverse time zones, you can use the Network Time Protocol (NTP). NTP can synchronize the time on machines to within a few milliseconds. For more information about time synchronization, go to the Web site:

http://www.ntp.org/

and the comp.protocols.time.ntp news group.

An ntp.conf file at minimum would contain the following:

server <some NTP server name>.com

driftfile /etc/ntp.drift

Instructions for creating the ntp.conf file can be found at the following locations:

• http://www.sun.com/products-n-solutions/hardware/docs/html/816-3626-10/after.html

• http://inetsd01.boulder.ibm.com/pseries/fr_FR/files/aixfiles/ntp.conf.htm

• http://www.developer.ibm.com/tech/faq/individual/0,,2:14789,00.html

Unix machines use UTC (also known as GMT) internally and convert to the local time that is needed on the display. Windows machines keep the clock in local time, but NTP synchronization programs compensate to ensure accurate times on Windows.

2.4.1 General Guidelines

You need a supported host machine for each component, which you can find as described in "Confirming Platform Requirements". In addition:

• Administrative Rights: The account that performs component installation must have administration privileges. Both the Identity Server and Access Server run as services. The user account that is used to run the Identity Server and Access Server services must have the "Log on as a service" right, which can be set through Administrative Tools, Local Security Policy, Local Policies, User Rights Assignments, Log on as a service.

  • On Microsoft Windows—The user account that is used to run the Identity Server service must have the right to "Log on as a service". This can be set through Administrative Tools. For example:

    Administrative Tools, Local Security Policy, Local Policies

    User Rights Assignments, Log on as a service

  • On Unix Platforms—You will be asked to specify the username and group that the Identity Server will use: typically, the defaults are "nobody"; for HP-UX, the defaults are WWW (username) and others (group). Confirm that the right commands are installed and verify the user name under which your Web server runs. For example:

  1. Locate the following commands (usually found in /usr/bin, /usr/sbin, or /usr/csb) and make sure their location is included in the search path:

     sed, tar, cp, ls, mkdir, rmdir

  2. The user name under which your Web server runs could be nobody, root, or some other user name, such as Web. You can determine this by checking your Web server configuration files or by running your Web server's administration console and looking under View Server Settings.

• Machines Online: Before installation, you must be able to ping the machine on which each component will run. Also, during installation you will be asked to supply the DNS host name of the machine on which the Identity Server and Access Server are installed.

• Linux Libraries: Before installing components on Linux machines, you need to install additional GCC runtime libraries (libgcc_s.so.1 and libstdc++.so.5) that are compatible with GCC 3.3.2. See "Preparing Linux Host Machines".

• Component Security: During installation, you must specify the transport security mode for communication between Oracle Access Manager components. See "Securing Oracle Access Manager Component Communications".

• Directory Security: During installation (Identity Server, Policy Manager, and Access Server), you must specify the hostname, DN, and transport security mode for the directory server with which the components will communicate. See "Meeting Directory Server Requirements" for this and other important information.

• Existing Identity Server Name: If you want to reuse an existing Identity Server name, see "Recycling an Identity Server Instance Name".

• Cancel Installation: If you need to cancel an installation or remove an installed component, see "Uninstalling Oracle Access Manager Components".

• Multi-Language Environments:

  • If you are installing on a machine with an operating system that is non-English (AMERICAN) language or locale, you may set theLANG environment variable or the optional NLS_LANG or COREID_NLS_LANG environment variables.

  • If you install an Identity Server with one or more Oracle-supplied Language Packs you must install WebPass with the same Language Packs (and install corresponding Access System Language Packs with all Access System components.

  • If you are installing components with a Language Pack on a Unix system, you must ensure that the Language Pack installer resides in the same directory as the component and that the Language Pack installer has execute permissions before launching the main installer. For example:

    chmod +x "Oracle_Access_Manager10_1_4_0_1_FR_sparc-s2_LP_Identity_System"
    chmod +x "Oracle_Access_Manager10_1_4_0_1_FR_sparc-s2_LP_Access_System"
    
    

    For more information, see Chapter 3, "About Multi-Language Environments".

2.4.2 Preparing Linux Host Machines

During installation of Oracle Access Manager components on a Linux machine, you are asked to specify the location of additional GCC runtime libraries (libgcc_s.so.1 and libstdc++.so.5) that should be compatible with GCC 3.3.2. Oracle does not ship theses nor make these available for download from an Oracle Web site. If you need to obtain these libraries, contact your platform vendor.

To install libgcc_s.so.1 and libstdc++.so.5 on Linux hosts

1. Obtain the libgcc_s.so.1 and libstdc++.so.5 libraries from your platform vendor.

2. Store the following files on the local Linux machine on which you will install one or more Oracle Access Manager components:

   libgcc_s.so.1

   libstdc++.so.5

3. During Oracle Access Manager installation, specify the location of the libraries on the local machine and continue the installation.

2.4.3 Identity System Guidelines

The Identity Server does not need to be on the same host system as any other Oracle Access Manager component or application. Oracle recommends you install the Identity Server and Access Server on different machines. Further, the Identity Server does not need to be on the same host system as any other Oracle Access Manager component or application. For details about installing one or more Identity Servers, see Chapter 4, "Installing the Identity Server".

Each Web server instance that communicates with the Identity Server must be configured with a WebPass. One WebPass can communicate with multiple Identity Servers. More than one WebPass can communicate with the same Identity Server, which is recommended for load balancing. See also "Synchronizing System Clocks".

The WebPass instance identifier that you specify during installation must be unique. The WebPass instance identifier is not validated until after the installation, when the Web server is started.

A WebPass must also be installed with each Policy Manager on the same Web server instance, at the same directory level.

For details about installing one or more WebPass instances, see Chapter 5, "Installing WebPass".

During Identity System setup, you need to define a user who will be granted access to all Oracle Access Manager functionality. This is the Master Administrator. For more information, see Chapter 6, "Setting Up the Identity System".

2.4.4 Access System Guidelines

The following discussions outline Access System requirements and guidelines:

• Policy Manager Guidelines

• Access Server Guidelines

• WebGate Guidelines

2.4.5 Assessing Disk Space Requirements

Table 2-1 provides estimates regarding the free disk space needed for each component are provided for your convenience.

2.4.6 Choosing an Installation Directory

You may install components in the default directory or in a directory of your choosing. When you change the path name, you may include any characters that are acceptable to your operating system. For example, you may include spaces on Windows systems but not on Unix systems.

Be sure that all file and path names include only English language characters. In file and path names, no international characters are allowed.

In any case, it is a good idea to use consistent naming regardless of platform. For example, you can use an underscore rather than a space in names on Windows platforms. Typically, the default installation directory for Oracle Access Manager is as follows:

Windows Platforms: \Program Files\COREid\

Unix Platforms: /opt/coreid/ (all lowercase)

Depending on the component you are installing, the path will vary slightly as shown in Table 2-2. For example:

• \identity is appended automatically to all Identity component path names

• \access is appended automatically to all Access component path names

• \WebComponent is included automatically (along with either \identity or \access) in the default path name for WebPass, Policy Manager, and WebGate installations

In this manual, the installation directory path for each Oracle Access Manager component will be expressed as \Component_install_dir followed by any suffix that is automatically appended to this path, as shown in Table 2-2. When the generic form is used, Component_install_dir, a generic suffix, identity|access, follows: for example, Component_install_dir/identity|access.

When launching a Oracle Access Manager installation on a Unix system, you can direct an installation to a directory with sufficient space using the -is:tempdir path parameter.

To specify a temporary directory on Unix systems

1. Use the -is:tempdir parameter in the following command. For example:

   ./ Oracle_Access_Manager10_1_4_0_1_sparc-s2_Identity_Server -is:tempdir /export/home/oblix/temp

   The path must be an absolute path, not a relative path.

2. The path /export/home/oblix/temp should be replaced with a file system with sufficient space.

2.4.7 Securing Oracle Access Manager Component Communications

Before installation, you must decide which type of transport security you will use between components. Oracle Access Manager supports three types of transport security for communication that occurs between components:

• Open: Allows unencrypted communication, see "Open Mode"

• Simple: Supports encryption by Oracle, see "Simple Mode"

• Cert: Requires a third-party certificate, see "Cert Mode"

2.5.1 Web Server-Specific Installation Packages

Separate Web server-specific installation packages are provided for WebPass, Policy Manager, and WebGate components. Be sure to choose the appropriate installation package for your Web server and platform:

• ISAPI: An Internet Web server extension that Oracle Access Manager uses to identify Web server components that communicate with the Microsoft Internet Information Server (IIS Web server for Windows environments).

• NSAPI: An Internet Web server extension that Oracle Access Manager uses to identify Web components that communicate with the Sun (formerly Netscape/iPlanet) Web servers running on either Windows or Solaris.

• Apache: An Internet Web server extension that Oracle Access Manager uses to identify Web components that communicate with the Apache Web servers running on various platforms including Windows, Solaris, and Linux. For details, see "Confirming Platform Requirements"

  
  

  Note: Oracle Access Manager supports Apache with or without SSL enabled. For SSL-enabled communication, Apache with mod_ssl only is supported, not Apache-SSL. mod_ssl is a derivative of, and alternative to, Apache-SSL.

  
  

  Oracle Access Manager 10g (10.1.4.0.1) provide a single package for components that supports Apache with or without SSL enabled. For example:

  • The APACHE_WebGate supports v1.3.x with or without SSL, as described in Chapter 16, "Configuring the Apache v1.3 and Oracle HTTP Server Web Servers".

  • The APACHE2_WebGate supports v2 with or without SSL (and with or without reverse proxy enabled on Solaris and Linux). See also Chapter 17, "Configuring Apache v2, IHS, and OHS Web Servers for Oracle Access Manager".

• IHS: An Internet Web server extension that identifies Oracle Access Manager Web components that communicate with the IBM HTTP (IHS) Web servers powered by Apache running on various platforms. For example:

  • IHS_WebGate powered by Apache v.1.3.x on Solaris, Linux, and Windows

  • IHS2_WebGate powered by Apache v2 on IBM-AIX: See Chapter 17, "Configuring Apache v2, IHS, and OHS Web Servers for Oracle Access Manager".

• OHS: An Internet Web server extension that identifies Oracle Access Manager Web components that communicate with the Oracle HTTP Server (OHS). Oracle provides OHS Web components based on open source Apache v1.3 (named OHS_...) and v2 (named OHS2_...). 10g (10.1.4.0.1) provides WebPass, Policy Manager, and WebGate components that can be installed on a standalone Oracle HTTP Server on Linux and Windows platforms.

  • An OHS or OHS2 WebGate must be installed on the Oracle Application Server to enable integration with Oracle single sign-on as described in the Oracle Access Manager Access Administration Guide.

  • OHS or OHS2 WebPass and "Access Manager" (original name represents the Policy Manager Web component) may be used with the Oracle Application Server. However, Apache WebPass and Access Manager (Policy Manager) Web components are also supported for this application.

  See Chapter 16, "Configuring the Apache v1.3 and Oracle HTTP Server Web Servers" and Chapter 17, "Configuring Apache v2, IHS, and OHS Web Servers for Oracle Access Manager" for details. For version support, see the Certify tab on https://metalink.oracle.com.

• Domino: An Internet Web server extension that Oracle Access Manager uses to identify Web components that communicate with Lotus Domino Web servers running on various platforms.

  See Chapter 18, "Setting Up Lotus Domino Web Servers for WebGates". For version support, see the Certify tab on https://metalink.oracle.com.

2.5.2 General Considerations for Web Servers

It's a good idea to familiarize yourself with the following general considerations for Web servers in Oracle Access Manager installations:

• Each instance of the Identity Server communicates with a Web server through a WebPass plug-in that must be installed on a Web server host.

  If you install Policy Manager and WebPass on the same Web server, you must place them at the same directory level. For example, if you specify C:\COREid\WebComponent as the WebPass installation directory, you must also specify this as the Policy Manager installation directory when the two components will reside on the same machine. \identity is appended to the WebPass installation directory and \access is appended to the Policy Manager installation directory.

• During WebPass, Policy Manager, and WebGate installation, your Web server must be configured to work with Oracle Access Manager. You can direct this Web server configuration update to occur either automatically or manually.

  
  

  Note: Oracle recommends that you use the automatic configuration option to streamline the Web server update process and avoid errors.

  
  

• When accessing the Identity System or Policy Manager, you must specify the hostname of the Web server for the WebPass instance that connects to the targeted Identity System or Policy Manager and the HTTP port of the WebPass Web server instance.

• Additional guidelines for WebGate Web servers are discussed in "WebGate Guidelines".

• On a Unix system during WebPass, Policy Manager, and WebGate installation, you must specify the user name and group that the Web server will use. Typically, the defaults are nobody. For HP-UX, the defaults are WWW (username) and others (group).

• On Linux systems, when installing Oracle Access Manager Web components with Apache and OHS you are prompted to install as the same user under which the Web server is running. This information is located in the httpd.conf file in the User and Group directive entries.

2.6.1 Assigning a Bind DN

During installation and setup of the Identity Server and Policy Manager, you are asked to provide a bind DN (also known as Root DN in Oracle Access Manager). The directory account that Oracle Access Manager binds to should have Read, Write, Add, Delete, Search, Compare, and Selfwrite permissions. The method to create a user with these privileges varies among directory vendors. See your directory documentation for details.

Be sure that the native directory access control instructions (ACIs) and access control lists (ACLs) do not restrict the Oracle Access Manager bind DN account access to the user and configuration branches. Otherwise, the Oracle Access Manager bind DN may be affected by native directory server constraints such as password policies.

In addition, the user you create as the bind DN must have access to the schema when Oracle Access Manager software upgrades are performed, because the schema may be modified during the upgrade. If the schema is not accessible to the bind DN, the upgrade will fail, then manual action will be required to complete the upgrade. This includes having the ACLs modify directory schema entries.

Take the following guidelines into account:

Oracle Internet Directory: When installing the Identity Server with Oracle Internet Directory, you must designate the Root DN as the super user cn=orcladmin (not the fully qualified DN cn=orcladmin,cn=users,dc=us,dc=mycompany,dc=com.

Sun (formerly iPlanet): Oracle recommends that the bind DN user is not Directory Manager. Instead, create another user as a bind DN. The Directory Manager account will ignore your directory server's size and timeout limits. As a result, large searches could tie up the directory server.

For more information, see also "User Data and the Searchbase".

2.6.2 Assessing Directory Server Space

The directory server should have at least 1 KB of RAM for each user object. Each Oracle object should have at least 16 KB of RAM. The following information is provided to help you calculate the space that will be required for your installation:

• A directory server with 250,000 user objects requires ~250 MB of RAM.

• A directory of this size may have 5,000 Oracle objects (a high estimate for 250,000 user entries), which would require an additional 80 MB.

• The indexes for this amount of data would require about twice the space of Oracle objects, approximately 160 MB.

2.6.3 Securing Directory Server Communications

The Identity Server, Policy Manager, and Access Server communicate with the directory server. During Oracle Access Manager installation and setup, default directory profiles are created for the components that communicate with the directory server. Each directory profile includes a database (DB) instance profile where the directory server communication method is indicated, among other things. Two communication methods are available between Oracle Access Manager and the directory server: unsecured or secured. Secure communication between Oracle Access Manager and the directory server is also known as SSL-enabled. Unsecured communication is also referred to as Open.

Oracle Access Manager supports CA certificates in base64 format. SSL-enabled communication requires a signer's certificate (root CA certificate) from a third-party Certificate Authority in base64 format. For example, if you want to use SSL between a Identity Server and directory server, you will be prompted to provide the path to the certificate to establish SSL-enabled communication during Identity Server installation. In this case, a certificate must be installed on your directory server according to the instructions for the directory server. The directory server should not require client authentication (see the directory server documentation for instructions).

When configuring SSL for the directory server, note that Oracle Access Manager supports server authentication only. Client authentication is not supported. Oracle Access Manager verifies the server certificate against the Root CA certificate that you imported during product setup.

2.6.4 Data Storage Requirements

This discussion provides details about data storage options and requirements. This information affects the Identity Server, Policy Manager, and Access Server.

All Directory Server Types: Oracle Access Manager supports storing user data, Oracle Access Manager configuration data, and policy data on a single directory server. In addition, you can store user data separately on one directory server type and Oracle Access Manager configuration and policy data on a different type of directory server. For example, you may store user data in Active Directory and Oracle Access Manager configuration and policy data on ADAM (or Oracle Internet Directory). When storing user data on a separate directory server type from configuration and policy data:

• All user data must be stored on the same directory server type.

• Configuration and policy data must be stored on the same type of directory server.

• With SSL, separate root CA's are supported.

Figure 2-1 illustrates storing user data in a separate directory server type from configuration and policy data.

If the data is stored in different directory types, the user data searchbase, configuration DN, and policy base, should be unique.

During Oracle Access Manager installation and setup, you need to select proper user and configuration directory server types for your environment.

When you have configuration and policy data stored together in a different directory server type from user data, the following file comes into play:

IdentityServer_install_dir\identity\oblix\data\common\ldaposdreferentialintegrityparams.xml

This is because the "referential_integrity_using" Value="oblix" in the ldapreferentialintegrityparams.xml file does not apply when configuration and policy data are stored on a different directory server type from user data

Also, in this case, the following files are used by the Identity System and Access System to map servers to DB profiles rather than the original exclude_attrs files:

IdentityServer_install_dir\identity\oblix\data\common\

exclude_user_attrs.xml

exclude_oblix_attrs.xml

PolicyManager_install_dir\access\oblix\data\common\

AccessServer_install_dir\access\oblix\data\common\

exclude_oblix_attrs.lst

All parameters for the user data directory server are read using the DB profile. For the configuration data directory server, the DB subtype is read from:

Component_install_dir\identity|access\oblix\config\ldap\*DB.xml

Data Anywhere: This directory server option is available for only the user data directory server and implementation with Oracle Virtual Directory described in Chapter 10, "Setting Up Oracle Access Manager with Oracle Virtual Directory".Data Anywhere is a data management layer that aggregates and consolidates user data from multiple sources (including RDBMS and LDAP directories) into a virtual LDAP tree that can be managed by the Identity System and used to support authentication and authorization using the Access System. The LDAP directory branches containing Oracle Access Manager configuration and policy data must reside on one or more directory servers other than the one hosting VDS or user data. Oracle Access Manager applications only recognize configuration and policy information that resides outside the VDS virtual directory.

IBM Directory Server (formerly SecureWay): See preceding details for all directory server types.

Oracle Internet Directory, and Sun: Oracle Access Manager supports storing user data separately from configuration and policy data with Oracle Internet Directory (multiple realms), and Sun directory servers. With these directory servers, you can store data either together on the same directory server or on different directory servers of the same type. For example:

• User data may be stored either separately or with configuration data.

• Configuration data may be stored separately or with user data.

• Policy data may either be stored separately or with user data.

If data is stored in different directories, the user data searchbase, configuration DN, and policy base should be disjoint. In other words, these DNs must be unique if you are storing your policy and configuration data in different Sun directories, or multiple Oracle Internet Directory realms.

If you intend to have more than one user data directory and searchbase, be sure to specify the main user data directory and searchbase during installation and setup.

Active Directory, ADAM, and Novell eDirectory Caveats

Due to the strict adherence to referential integrity by Novell's eDirectory, Active Directory, and Active Directory Application Mode (ADAM), Oracle Access Manager configuration data and policy data must be stored under a common directory environment. Novell eDirectory, Active Directory, and ADAM are more rigid in the implementation of LDAP and will enforce referential integrity. These directory servers will not allow data in two separate trees/forests with cross references [like DN references] to each other.With Oracle Access Manager, what is meant by having separate directories for user versus product configuration data and policy data is that you can have separate LDAP [disjoint] trees on different servers all of which happen to be in the same Novell directory server tree or Active Directory forest. Oracle Access Manager configuration data and policy data can be stored in separate parts of the overall directory environment, which does allow for a level of segregation of the Oracle Access Manager-specific information away from your user data.

On Active Directory: In an Active Directory environment you may store Oracle Access Manager configuration data on one specific domain controller and policy data on another. The policy data and configuration data domain controllers should be in the same forest. user data may reside in a different forest. It is important that replication be either avoided, or very well understood. For more information, see Appendix A, "Installing Oracle Access Manager with Active Directory".

When storing user data on a separate directory server type from configuration and policy data, auxiliary class support should match. Oracle Access Manager does not support a mixed mode for dynamic-auxiliary support. You can connect to either the user data directory server or configuration data directory server using ADSI, if they are in separate forests. ADSI does not allow a bind against both forests at the same time. With ADSI enabled for:

• The User Data Directory Server—During Identity Server and Policy Manager setup, if ADSI is selected for the user data directory server type then the ADSI checkbox is not available when choosing configuration directory server type details.

• The Configuration Data Server—When this directory type is ADSI enabled:

  • In the globalparams.xml file on the Identity Server, the parameter "IsADSIEnabled" and value "true" should appear.

  • In the globalparams.lst file on the Policy Manager, the parameter "adsiEnabled"=true appears.

    The dbSubType "adsiEnabled" flags for Active Directory are read using the DB profile. Its value is ADSI when ADSI is enabled for the user data directory server. The ActiveDirectory and ADAM flags are removed from the globalparams.xml files.

    See Appendix A, "Installing Oracle Access Manager with Active Directory" for more information.

If the user data directory server type is Active Directory, content of exclude_attrs-ad.xml are copied to:

IdentityServer_install_dir\identity\oblix\data\common\exclude_user_attrs.xml

If the configuration and policy data directory type is Active Directory, content of exclude_attrs-ad.xml .lst are copied to the following locations:

IdentityServer_install_dir\identity\oblix\data\common\exclude_oblix_attrs.xml

PolicyManager_install_dir \access\oblix\data\common\exclude_oblix_attrs.lst

AccessServer_install_dir\access\oblix\data\common\exclude_oblix_attrs.lst

With ADAM: Data can be stored as follows:

• User data may be stored on a different partition from configuration and policy data.

• User data may be stored on a separate directory server type from configuration and policy data.

• Oracle Access Manager requires a node with the object class attribute value of organizationalUnit (ou) for the configuration and policy DNs.

• Configuration and policy data can share the same ADAM instance or be stored on different ADAM instances.

For more information, see Appendix B, "Installing Oracle Access Manager with ADAM".

Novell eDirectory: To avoid problems with GroupOfUniqueNames, change the class mapping for Groups in the LDAP Group object to reference GroupOfUniqueNames instead of groupOfNames (the default). Otherwise, each time you save any attribute, the schema may be violated and your groups may not work correctly. For example, for NDS the "groupOfUniqueNames" LDAP group object should be listed before the "groupOfNames" object.

To change the order using the NDS Console1

1. Expand the NDS tree.

2. For the NDS node in the left pane, right-click the "LDAP Group" object in the right pane and select Properties, Class Map tab.

3. Change the order in which the two group objects appear.

   See your Novell eDirectory documentation for details about adding this mapping.

2.6.5 User Data and the Searchbase

User data consists of user directory entries managed by the Identity System. This data includes the information related to users, groups, locations, and other generic objects managed by the Identity System.

When installing Oracle Access Manager, you need to provide the following information to set up the main directory server profile:

• Directory server type where user data is stored

• Bind information, including the DNS host name, port, user name (bind DN), password

• Searchbase, to identify the node in the directory information tree (DIT) under which this data is stored and the highest possible base for all user data searches

  
  

  Note: If you intend to have more than one user data directory and searchbase, you must specify the main user data directory and searchbase during installation and setup. After setup, you must manually add one or more database profiles to add the disjoint namespaces.

  
  

• Master Administrators (one or more)

Automatically updating the directory during setup is recommended to load Oracle Access Manager schema classes with configuration information.

Be sure to observe the following guidelines apply:

Oracle Internet Directory: When installing the Identity Server with Oracle Internet Directory, you must designate the Root DN as the super user cn=orcladmin, not the fully qualified DN (for example, not cn=orcladmin,cn=users,dc=us,dc=mycompany,dc=com).

Sun (formerly iPlanet): Oracle recommends that the bind DN user is not Directory Manager. Instead, create another user as a bind DN. The Directory Manager account will ignore your directory server's size and timeout limits. As a result, large searches could tie up the directory server.

For more information, see "Data Storage Requirements".

2.6.6 Configuration Data and the Configuration DN

Configuration data (Oracle Access Manager configuration details), are stored in the directory. This data includes workflow and configuration information that governs the appearance and functionality of the Identity System and Access System. Configuration data is managed by the Identity System.

When installing Oracle Access Manager, you need to provide details for the directory server where you plan to store configuration data. If you store configuration data and user data together, this information will be the same. The following caveats apply:

• The bind DN for configuration data may be anywhere except at the base suffix.

• A bind DN for configuration data (known as the configuration DN) is similar to the searchbase for user data and must be specified to identify the node in the DIT under which the Oracle Access Manager schema and all configuration data is stored for the Identity and Access Systems.

• Additional caveats may apply, as described under "Data Storage Requirements".

Again, automatically updating the directory during setup is recommended to load Oracle Access Manager schema classes with configuration information.

Oracle Internet Directory: With Oracle Internet Directory, the configuration DN value is populated from the context of the identity management realm (cn=OracleContext). Also by default, the searchbase is the same as the configuration DN. For multiple realm installations, see the Oracle Access Manager Identity and Common Administration Guide for details about setting up a disjoint searchbase after installing and setting up the Identity System.

2.6.7 Policy Data and the Policy base

Policy data consists of policy definitions and rules that govern access to resources. This data is maintained in the directory server by the Policy Manager.

When installing Oracle Access Manager, you need to provide details for the directory server where you plan to install policy data. If you store policy data separately from user data, directory server details will differ from those specified for user or configuration data. For more information, see "Data Storage Requirements".

During Policy Manager setup, you must also provide the policy base to identify the location in the DIT under which all Oracle Access Manager policy data is stored and the highest possible base for all policy searches. Accepting the default "/" as the policy domain when setting up the Policy Manager protects the entire Web server.

2.6.8 About Person and Group Object Classes

Oracle Access Manager supports User and Group as standard Person and Group object classes, respectively. In addition, Oracle Access Manager supports User and Group.

The Person object class defines the user's profile information. If you do not have a specific object class to use, Oracle Access Manager can automatically configure commonly found Person object class definitions.

Person Object Class

• User: Active Directory

• InetOrgPerson: ADAM, Data Anywhere (Oracle Virtual Directory), IBM, Oracle Internet Directory, and Sun directory servers

• organizationalPerson: NDS

The Group object class defines group attributes. If you do not have a specific object class to use, Oracle Access Manager can automatically configure commonly found Group object class definitions as follows:

Group Object Class

• Group: Active Directory

• GroupofUniqueNames: ADAM, Data Anywhere, IBM, NDS, Oracle Internet Directory, and Sun directory servers