Configuring Security store for Oracle IAM environment - IDM domain
Preparing for configuration of secure store
Set IAM_HOME to the IDM Oracle home:

export IAM_HOME=/u01/app/Middleware/Oracle_IDM1

Let's see the help for configureSecurityStore.py:

oracle_common/common/bin/wlst.sh $IAM_HOME/common/tools/configureSecurityStore.py -h

  -h --help                 Prints usage message.
  -d --domaindir            The directory of domain.
  -s --datasource           The data source of security store configured in domain. It is optional, default value is "opss-DBDS".
  -f --farmname             The security store farm name. It is optional, default value is the domain name.
  -t --servertype           The policy store type, using "DB_ORACLE", "DB_DERBY", or "OID". It is optional, default value is "DB_ORACLE".
  -j --jpsroot              The distinguished name of jpsroot. It is optional, default value is "cn=jpsroot".
  -m                        Option to control domain configuration and data migration. It is optional, default value is create.
                            create - security store is populated with data and domain is configured to use newly populated policy store. This is the default.
                            join - domain is configured to uptake an existing security store, and security data is migrated to the security store. meanwhile, the encryption key for credential store will be imported as well.
                            validate - validate whether diagnostics data saved in the credential store successfully.
                            validate_fix - fix diagnostics data if it is not saved in the credential store.
                            fixjse - update JSE policy store password credential.
  --create_diagnostic_data  Create diagnostic data when upgrading OES 11g PS1 to OES 11g R2, only available when "-m join" has been set.
  -c --config               The configuration mode of domain, using "IAM" to configure IAM mode. It is optional, default value is None.
  -a --admin                The admin user name of OID.
  -l --ldapurl              The url of OID.
  -p --passcode             Policy store schema password. If not specified user will be prompted for password.
  -k --keyfilepath          The directory containing the security store data encrpytion key file ewallet.p12. If "-m join" is specified, the option is mandatory.
  -w --keyfilepassword      The password used when the encrpytion key was generated. If "-m join" is specified, the option is mandatory.
  -u --username             The user name of JSE password credential. If "-m fixjse" is specified, this option is mandatory.

Let's create the security store
Run the script in create mode against the IDM domain directory; the data source password is prompted for because -p is not given:

$ wlst $IAM_HOME/common/tools/configureSecurityStore.py \
    -d /u01/app/mytest/user_projects/domains/idm_domain \
    -c IAM -m create
CLASSPATH=/u01/app/oracle/Middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/Middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/mytest/jdk1.8.0_65/lib/tools.jar:/u01/app/oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/u01/app/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/u01/app/oracle/Middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/u01/app/oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/u01/app/oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/u01/app/oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/u01/app/oracle/Middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf-wlstman.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/lib/adfscripting.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/lib/adf-share-mbeans-wlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/lib/mdswlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/igfwlsthelp.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/jps-wls-trustprovider.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/oamAuthnProvider.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/ovdwlsthelp.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/wsm-wlst.jar:/u01/app/oracle/Middleware/utils/config/10.3/config-launch.jar::/u01/app/oracle/Middleware/wlserver_10.3/common/derby/lib/derbynet.jar:/u01/app/oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/u01/app/oracle/Middleware/wlserver_10.3/common/derby/lib/derbytools.jar::
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=128m; support was removed in 8.0

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Info: Data source is: opss-DBDS
Please input data source password:
Info: DB JDBC driver: oracle.jdbc.OracleDriver
Info: DB JDBC URL: jdbc:oracle:thin:@mydb.vybhava.com:1521/ORCL12C
Connected:oracle.jdbc.driver.T4CConnection@70163ce4
Disconnect:oracle.jdbc.driver.T4CConnection@70163ce4
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] checkServiceSetup - done
May 03, 2016 11:17:21 PM oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigurator schemaCompatibleHandler
INFO: Credential store schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] seedSchemaAndCreateDIT - done
May 03, 2016 11:17:23 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData
INFO: Migration of Credential Store data in progress.....
May 03, 2016 11:17:23 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData
INFO: Migration of Credential Store data completed, Time taken for migration is 00:00:00
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] testJpsService - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] checkServiceSetup - done
May 03, 2016 11:17:23 PM oracle.security.jps.internal.config.ldap.LdapKeyStoreServiceConfigurator schemaCompatibleHandler
INFO: Keystore schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] seedSchemaAndCreateDIT - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] testJpsService - done
May 03, 2016 11:17:24 PM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version! Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2. Or, you could continue to run in the backward-compatibility mode.
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
May 03, 2016 11:17:24 PM oracle.security.jps.internal.config.ldap.LdapPolicyStoreServiceConfigurator schemaCompatibleHandler
INFO: Policy schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] updateServiceConfiguration - done
May 03, 2016 11:17:24 PM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version! Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2. Or, you could continue to run in the backward-compatibility mode.
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] seedSchemaAndCreateDIT - done
WLS ManagedService is not up running. Fall back to use system properties for configuration.
May 03, 2016 11:17:33 PM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateData
INFO: Migration of Admin Role Members started
May 03, 2016 11:17:33 PM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateData
INFO: Migration of Admin Role Members completed in 00:00:00
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] testJpsService - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] checkServiceSetup - done
May 03, 2016 11:17:33 PM oracle.security.jps.internal.config.ldap.LdapAuditServiceConfigurator schemaCompatibleHandler
INFO: Audit store schema upgrade not required. Store Schema version 11.1.1.7.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] seedSchemaAndCreateDIT - done
May 03, 2016 11:17:33 PM oracle.security.jps.internal.audit.AuditServiceImpl registerInternal
WARNING: Cannot register to audit service for component "JPS".
May 03, 2016 11:17:33 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData
INFO: Migration of Audit Store data in progress.....
May 03, 2016 11:18:17 PM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData
INFO: Migration of Audit Store data completed, Time taken for migration is 00:00:43
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] testJpsService - done
persist to output: /u01/app/mytest/user_projects/domains/idm_domain/config/fmwconfig - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] updateServiceConfiguration - done
May 03, 2016 11:18:22 PM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version! Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2. Or, you could continue to run in the backward-compatibility mode.
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] updateServiceConfiguration - done
persist to output: /u01/app/mytest/user_projects/domains/idm_domain/config/fmwconfig - done
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
May 03, 2016 11:18:27 PM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version! Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2. Or, you could continue to run in the backward-compatibility mode.
May 03, 2016 11:18:35 PM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version! Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2. Or, you could continue to run in the backward-compatibility mode.
Using default context in /u01/app/mytest/user_projects/domains/idm_domain/config/fmwconfig/jps-config-migration.xml file for credential store.
Credential store location : jdbc:oracle:thin:@mydb.vybhava.com:1521/ORCL12C
Credential with map Oracle-IAM-Security-Store-Diagnostics key Test-Cred stored successfully!
Credential for map Oracle-IAM-Security-Store-Diagnostics and key Test-Cred is: GenericCredential
Info: diagnostic credential created in the credential store.
Info: Create operation has completed successfully.

The create run seeds the credential, keystore, policy and audit stores in the database, writes the updated configuration under config/fmwconfig, and stores a diagnostic credential (map Oracle-IAM-Security-Store-Diagnostics, key Test-Cred) that the validate step reads back. The repeated "Policy store schema is not upgraded" notice is informational: the schema is 11.1.1.7.0 and the latest is 11.1.1.7.2, and the Patch Set Assistant clears it; the domain runs in backward-compatibility mode until then.

Then verify the store configuration as follows. The run below passes the schema password with -p, which leaves it in the shell history and in the process listing; omitting -p makes the script prompt for it instead:
$ wlst $IAM_HOME/common/tools/configureSecurityStore.py \
    -d /u01/app/mytest/user_projects/domains/idm_domain \
    -c IAM -p weblogic123 -m validate
CLASSPATH=/u01/app/oracle/Middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/Middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/mytest/jdk1.8.0_65/lib/tools.jar:/u01/app/oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/u01/app/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/u01/app/oracle/Middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/u01/app/oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/u01/app/oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/u01/app/oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/u01/app/oracle/Middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf-wlstman.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/lib/adfscripting.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/lib/adf-share-mbeans-wlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/lib/mdswlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/igfwlsthelp.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/jps-wls-trustprovider.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/oamAuthnProvider.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/ovdwlsthelp.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/u01/app/oracle/Middleware/oracle_common/common/wlst/resources/wsm-wlst.jar:/u01/app/oracle/Middleware/utils/config/10.3/config-launch.jar::/u01/app/oracle/Middleware/wlserver_10.3/common/derby/lib/derbynet.jar:/u01/app/oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/u01/app/oracle/Middleware/wlserver_10.3/common/derby/lib/derbytools.jar::
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=128m; support was removed in 8.0

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Info: Data source is: opss-DBDS
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
May 03, 2016 11:23:58 PM oracle.security.jps.internal.policystore.ldap.LdapPolicyStore initial
INFO: Your Policy store schema is not upgraded to the latest version! Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2. Or, you could continue to run in the backward-compatibility mode.
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Info: Diagnostics data was saved to the credential store.
Info: Validate operation has completed successfully.

"Validate operation has completed successfully" confirms that the diagnostic credential written by the create step can be read back from the database-backed credential store, so the domain is now using the new security store.
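As an added check on the two runs above (example code written for this post, not Oracle's tooling), the parser below reads saved WLST output from configureSecurityStore.py and returns the findings an operator should act on: a missing "operation has completed successfully" line, a store that create did not migrate, the policy-store schema notice, and any WARNING such as the audit-service registration failure. The embedded log is a constructed, abridged excerpt of the create output shown above.

```python
import re

# Constructed, abridged excerpt of the create-run output shown above; not a live capture.
SAMPLE_LOG = """\
Info: DB JDBC URL: jdbc:oracle:thin:@mydb.vybhava.com:1521/ORCL12C
INFO: Migration of Credential Store data completed, Time taken for migration is 00:00:00
INFO: Your Policy store schema is not upgraded to the latest version! Please run the PSA (Patch Set Assistant) to upgrade the current schema version 11.1.1.7.0 to the latest version 11.1.1.7.2. Or, you could continue to run in the backward-compatibility mode.
WARNING: Cannot register to audit service for component "JPS".
INFO: Migration of Audit Store data completed, Time taken for migration is 00:00:43
Credential with map Oracle-IAM-Security-Store-Diagnostics key Test-Cred stored successfully!
Info: Create operation has completed successfully.
"""

SCHEMA_RE = re.compile(r"current schema version (\S+) to the latest version (\S+)\.")
MIGRATE_RE = re.compile(r"Migration of (\w+) Store data completed, Time taken for migration is (\S+)")
RESULT_RE = re.compile(r"^Info: (\w+) operation has completed successfully\.")


def parse_wlst_output(text):
    """Pull out the facts an operator checks after configureSecurityStore.py runs."""
    report = {"operation": None, "jdbc_url": None, "migrated": {},
              "schema_gap": None, "warnings": []}
    for line in text.splitlines():
        if line.startswith("Info: DB JDBC URL: "):
            report["jdbc_url"] = line.split(": ", 2)[2]  # where the store lives
        elif line.startswith("WARNING:"):
            report["warnings"].append(line[len("WARNING:"):].strip())
        elif m := SCHEMA_RE.search(line):
            report["schema_gap"] = (m.group(1), m.group(2))  # (current, latest)
        elif m := MIGRATE_RE.search(line):
            report["migrated"][m.group(1)] = m.group(2)  # store name -> elapsed time
        elif m := RESULT_RE.match(line):
            report["operation"] = m.group(1)  # "Create" or "Validate"
    return report


def assess(report, expected_operation):
    """Findings a reviewer would raise; an empty list means the run is clean."""
    findings = []
    if report["operation"] != expected_operation:
        findings.append("%s operation did not report success (got %s)" % (expected_operation, report["operation"]))
    if expected_operation == "Create":  # create must migrate the credential and audit stores
        findings += ["%s store data was not migrated" % s
                     for s in ("Credential", "Audit") if s not in report["migrated"]]
    if report["schema_gap"]:
        findings.append("policy store schema %s is behind %s: run the PSA or accept backward-compatibility mode" % report["schema_gap"])
    findings.extend("tool warning: " + w for w in report["warnings"])
    return findings
```

Feed it the captured output of each run (for example, wlst ... 2>&1 | tee create.log) with the expected operation name, and treat a non-empty findings list as a reason to review the domain before starting the managed servers.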