It is important to validate the IDM build out for Fusion Apps before you move on to the provisioning of Fusion Apps itself. Problems detected during the IDM build out are much easier to diagnose and fix than problems detected during FA provisioning, FA functional setup or FA operations themselves.
In addition, it is important to have documented validation steps for your Oracle IDM environment to use at other points as well. For instance, you will want to validate your IDM environment when you bring it back online following a backup.
Lastly, you will want to be able to go through validation steps for your IDM environment as a means of debugging IDM related application issues. For example, let’s say people come to you all of the sudden saying they can’t login to a Fusion HCM application. You’ll want to be able to go through the IDM validation steps to see what if anything is wrong with the IDM infrastructure that could be causing this issue.
Again, I wrote this with Fusion Apps in mind but everything here also applies to enterprise Oracle IDM build outs that use OID, OVD, OIM, and OAM. The only differences may be that for an enterprise deployment, the IDM services may be spread out across multiple WLS Domains and the system account being verified in the OID validation step may be different.
Recommended Validation Steps
The following are test cases for validating your IDM environment from bottom to top. We begin with just verifying that all services are running, move onto validating that the directory services are working, and then onto validating that OAM and OIM are working. We finish up with advanced but important tests that validate that SOA suite (the workflow provider for OIM) is working properly with OIM and that OAM/OIM integration is working.
These are descriptive test cases rather than fully documented click by click instructions. If you new to the Oracle IDM stack I encourage you to put in the time to flush this out into click by click instructions.
1) Verify all services are running. Login to IDM Domain admin server and ensure that all managed servers are up and running.
a. Go to environment --> Servers.
b. Make sure that the AdminServer and all 4 Managed Servers (OAM, OIM, SOA, and ODSM) are in Running state
2) Verify ODSM and OID. Go to ODSM connect to OID and verify that you can see all users and JPS root (for policy data).
a. Go to ODSM: http://idmost.mycompany.com:7777/odsm
b. Click on Connect to a directory and choose OID
c. Go to Data Browser and verify the following folders under Root:
idm_jpsroot: this folder should look like this:
dc=com --> dc=mycompany should look like this:
Make sure the following users are present:
Make sure the following groups are there:
f. For each one of the groups below, make sure user membership is as follows:
Groups | Members |
cn=IDM Administrator | cn=weblogic_idm |
cn=OAMAdministrators | cn=oamadmin |
cn=OIMAdminstrators | cn=oimldap |
cn=orclFAGroupReadPrivilegeGroup | cn=idrouser cn=oamldap |
cn=orclFAGroupWritePrivilegeGroup | cn=idrwuser |
cn=orclFAOAMUserWritePrivilegeGroup | cn=oamldap |
Cn=orclFAUserReadPrivilegeGroup | cn=idrouser cn=oamldap |
cn=orclFAUserWritePrefsPrivilegeGroup | cn=idrouser |
cn=orclFAUserWritePrivilegeGroup | cn=idrwuser |
cn=orclPolicyAndCredentialReadPrivilegeGroup | cn=policyrouser |
cn=orclPolicyAndCredentialWritePrivilegeGroup | cn=policyrwuser |
1) 3) Verify OVD
a. Go to ODSM and connect to OVD
b. Go to Data Browser and verify that you can see the dc=mycompany, dc=com tree
c. Verify that you can see change log data. Verify ACL (security) during first validation, but this can be skipped on restart validation.
1) 4) Verify OID and OVD for LDAPS. If doing LDAPS repeat steps 2 and 3 for LDAPS ports
1) 5) Verify OAM admin console
a. Go to OAM admin console and verify that login form is being served through “SSO” virtual host (sso.mycompany.com).
b. Verify that you can see policy data.
c. Sign out, you should see the login screen again.
1) 6) Verify OAM and EM
a. Go to EM and verify that the login form is an OAM login form being served through the “SSO” virtual host (sso.mycompany.com).
b. Verify that EM sees all the IDM services.
c. Logout.
1) 7) Verify OAM and OIM.
a. Go to OIM as xelsysadm and verify that the login form is the OAM login form being served through the “SSO” virtual host.
b. Verify that you can see all the users.
i. Go to Administration
ii. On the left hand side perform a blank search for Users
iii. Verify you can see the users from item #2 above
c. Verify that you can see all the roles.
i. On the left hand side perform a blank search for Users
ii. Verify you can see the groups from item #2 above
1) 8) Verify OIM part 2.
a. Create user and a role in OIM
b. Assign the user you created to the role you created
c. Verify that it all shows up in OID
1) 9) Verify OIM part 3.
a. Create user in OID and assign it to a group.
b. Login to OIM as xelsysadm and do reconciliation for both users and rolls.
c. Verify that you can login as that user into OIM, verify that the user shows up in OIM and that user has role that is mapped to group that you assigned user to in OID.
1) 10) Verify OIM part 4. Verify that SOA is working with OIM.
a. Login to OIM as xelsysadm, create another new role “test role 1”. Logout.
b. Login as the test user you created, go to requests, create request, request for me, self assign role, then select “test role 1”. Logout.
c. Login as xelsysadm and see that the request is awaiting your approval. Approve the request. You’ll have to do the approval twice. The first approval is for the request and the 2nd approval is for the operation.
d. Verify that the test user has been assigned the role they requested.
1) 11) Verify OAM/OIM integration and in particular OIM to OAM connectivity.
a. Create a new user in OIM and assign that user the IDM Administrator role.
b. Login to EM as that user. You should be taken to OIM self service page to reset the user’s password and fill in forgotten password questions. When that is complete you should be taken back to EM without having to login again.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.