Skip Headers
Oracle® Application Server High Availability Guide
10g (10.1.4.0.1)
Part Number B28186-01
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Master Index
Master Index		 Go to Feedback page
Contact Us
Go to previous page
Previous		 Go to next page
Next
View PDF

3 Active-Active Topologies

This chapter describes the active-active, or OracleAS Cluster (Identity Management), topologies. This chapter contains the following sections:

3.1 Types of Active-Active Topologies

For Oracle Application Server, there are two active-active topologies:

In active-active topologies all the nodes in the topology are active, meaning that they are ready to process requests from clients. An external load balancer directs requests to these nodes. To access the components running on these nodes, clients use the appropriate virtual server name configured on the load balancer. For example, clients trying to access OracleAS Single Sign-On or Oracle Delegated Administration Services use the virtual server name for the HTTP protocol, while clients trying to access Oracle Internet Directory use the virtual server name for the LDAP protocol.

The main difference between the two active-active topologies is that in the distributed topology the OracleAS Single Sign-On and Oracle Delegated Administration Services components run on one set of nodes, and Oracle Internet Directory and Oracle Directory Integration Platform run on a different set of nodes. In the OracleAS Cluster (Identity Management) topology, all these components run on the same set of nodes.

For an overview of these topologies, see Chapter 2, "Overview of Oracle Application Server High Availability Topologies".

Oracle Directory Integration Platform and Replication Server Notes

In active-active topologies, there is only one active instance of Oracle Directory Integration Platform server (odisrv) and the replication server (oidrepld) running at any given time. In other words, they run on only one node, although you install them on multiple nodes in an active-active topology.

If the node running odisrv or oidrepld fails, OID Monitor detects the failure and starts them up on another node. See Section 3.7.2, "OID Monitor Details" for details.

OracleAS Certificate Authority Not Supported

OracleAS Certificate Authority is not supported in OracleAS Cluster (Identity Management) topologies. You can install and run OracleAS Certificate Authority separately.

Special Requirements

To run OracleAS Cluster (Identity Management) topologies, you need to meet the following special requirements:

Installation of the OracleAS Cluster (Identity Management) topologies is covered in the Oracle Application Server Installation Guide.

3.1.1 OracleAS Cluster (Identity Management) Topology

This topology, shown in Figure 3-1, consists of two main tiers:

  • On one tier, you run the Oracle Identity Management components (Oracle Internet Directory, OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration Platform) on two or more nodes. Each node runs the Oracle Identity Management components mentioned above.

    These nodes provide active-active availability for Oracle Identity Management services. OracleAS Single Sign-On and Oracle Delegated Administration Services run on a single OC4J_SECURITY instance in each Oracle home. Oracle Internet Directory also runs on each node.

    A load balancer manages traffic to these nodes. To access the components running on these nodes, clients use the appropriate virtual server name configured on the load balancer.

    The nodes running the Oracle Identity Management components should be functionally equivalent.

    OracleAS Single Sign-On and Oracle Delegated Administration Services are configured in an OracleAS Cluster. This means that they are configured identically on all nodes. For example, if you have two nodes, OracleAS Single Sign-On instances running on both nodes have the same configuration, and all Oracle Delegated Administration Services instances have the same configuration. The load balancer can send requests to either instance. If you want to modify the Oracle Delegated Administration Services or OracleAS Single Sign-On configuration, see Section 3.8.5, "Changing Configuration for Components in Active-Active Topologies".

  • On another tier, you install and run the OracleAS Metadata Repository on an existing database. This database should already be configured for high availability, such as an Oracle RAC database.

You configure the load balancer with three virtual server names, as shown in Figure 3-1:

  • one for OracleAS Single Sign-On and Oracle Delegated Administration Services. Clients use this virtual server name to access these components. For example, in Figure 3-1, this virtual server name is sso.mydomain.com.

  • one for Oracle Internet Directory. LDAP and JNDI requests from middle tiers and OracleAS Single Sign-On use this virtual server name to access Oracle Internet Directory. For example, in Figure 3-1, this virtual server name is oid.mydomain.com.

  • one for the middle tiers. Clients use this virtual server name to access the middle tiers. In Figure 3-1, this virtual server name is mt.mydomain.com.

OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle Internet Directory access the OracleAS Metadata Repository database through Oracle Net load balancing. OracleAS Single Sign-On establishes connection pools to access the database. A connection in the pool can be to any of the database instances in the Oracle RAC system.

Figure 3-1 OracleAS Cluster (Identity Management) Topology

Description of Figure 3-1 follows
Description of "Figure 3-1 OracleAS Cluster (Identity Management) Topology"

 

3.1.2 Distributed OracleAS Cluster (Identity Management) Topology

This topology is a variation of the OracleAS Cluster (Identity Management) Topology. Instead of running all the Oracle Identity Management components on each of the OracleAS Cluster (Identity Management) nodes, you separate out OracleAS Single Sign-On and Oracle Delegated Administration Services to run them on another set of OracleAS Cluster (Identity Management) nodes. Figure 3-2 shows a diagram of the distributed OracleAS Cluster (Identity Management) topology.

The advantage of the distributed topology is that you can deploy the nodes running OracleAS Single Sign-On and Oracle Delegated Administration Services in the DMZ, and deploy the nodes running Oracle Internet Directory inside your intranet, protected by the firewalls, as shown in Figure 3-2.

This topology provides flexibility in placing your components. In this topology:

  • You install the OracleAS Metadata Repository in an existing high availability database.

  • Oracle Internet Directory and Oracle Directory Integration Platform run on active-active nodes. Typically these nodes are in the same tier as the database.

    These nodes are fronted by a load balancer which directs requests to them. To access Oracle Internet Directory, clients use the LDAP virtual server name configured on the load balancer.

  • OracleAS Single Sign-On and Oracle Delegated Administration Services are configured in an OracleAS Cluster. This means that they are configured identically on all nodes. For example, if you have two nodes, OracleAS Single Sign-On instances running on both nodes have the same configuration, and all Oracle Delegated Administration Services instances have the same configuration. The load balancer can send requests to either instance. If you want to modify the Oracle Delegated Administration Services or OracleAS Single Sign-On configuration, see Section 3.8.5, "Changing Configuration for Components in Active-Active Topologies".

    The nodes running OracleAS Single Sign-On and Oracle Delegated Administration Services are active-active nodes. These nodes are placed in the DMZ.

    OracleAS Single Sign-On and Oracle Delegated Administration Services run in the OC4J_SECURITY instance on each node.

    These nodes are also fronted by a load balancer which directs requests to them. Oracle Application Server middle tiers and clients access OracleAS Single Sign-On and Oracle Delegated Administration Services through the HTTP virtual server name configured on this load balancer (sso.mydomain.com in Figure 3-2).

Running Middle Tiers on the Same Tier as OracleAS Single Sign-On / Oracle Delegated Administration Services

You can run Oracle Application Server middle tiers on different nodes on the same tier as OracleAS Single Sign-On and Oracle Delegated Administration Services (see Figure 3-2). If there is no firewall separating the middle tier and OracleAS Single Sign-On and Oracle Delegated Administration Services, you can use the same load balancer to load balance the middle tiers also. In this case, you need to configure the load balancer with two virtual server names: one for clients to access OracleAS Single Sign-On and Oracle Delegated Administration Services (sso.mydomain.com in Figure 3-2) and one for clients to access the middle tiers (mt.mydomain.com in Figure 3-2).

Figure 3-2 Distributed OracleAS Cluster (Identity Management) Topology

Description of Figure 3-2 follows
Description of "Figure 3-2 Distributed OracleAS Cluster (Identity Management) Topology"

3.2 Load Balancer Types and Requirements

In OracleAS Cluster (Identity Management) and distributed OracleAS Cluster (Identity Management) topologies, you need a load balancer to load balance requests among many Oracle Application Server instances.

When several Oracle Application Server instances are grouped to work together, they present themselves as a single virtual entry point to the system, which hides the multiple instance topology from the client. External load balancers can send requests to any Oracle Application Server instance in a cluster, as any instance can service any request.

Active-active topologies are scalable: you can increase the capacity of the system by introducing additional Oracle Application Server instances to the topology. These instances can be installed on separate nodes to allow for redundancy in case of node failure.

Load balancing also improves availability by routing requests to the most available instances. If one instance goes down, or is particularly busy, the external load balancer can send requests to another active instance.


Note:

You cannot use a load balancer to load balance requests to Oracle Access Manager servers because these servers use a proprietary protocol.

In Figure 3-1 and Figure 3-2, you can see the location of the load balancer in the topologies.

3.2.1 Load Balancer Types

You can use different types of external load balancers with Oracle Application Server. Table 3-1 describes the different types.

Table 3-1 Types of External Load Balancers

Load Balancer Type Description

Hardware load balancer

Hardware load balancing involves placing a hardware load balancer in front of a group of Oracle Application Server instances or OracleAS Web Cache. The hardware load balancer routes requests to the Oracle HTTP Server or OracleAS Web Cache instances in a client-transparent fashion.

Software load balancer

Software load balancer involves running some process that intercepts the calls to Oracle Application Server and routes those requests to redundant components.

Lvs network load balancer for Linux

With some Linux operating systems, you can use the operating system to perform network load balancing.

Windows Network Load Balancer (applicable to Windows version of Oracle Application Server)

With some Windows operating systems, you can use the operating system to perform network load balancing. For example, with Microsoft Advanced Server, the NLB functionality enables you to send requests to different machines that share the same virtual IP or MAC address. The servers themselves to do not need to be clustered at the operating system level.

3.2.2 Load Balancer Requirements

The Oracle Identity Management tier uses an external load balancer. This external load balancer should have the following features:

  • virtual server name and port configuration

  • process failure detection

  • persistence configuration for HTTP URLs

Table 3-2 describes these features.

If you are using the same external load balancer for middle tiers, you may need additional features depending on which middle tier components you are running.

Oracle does not provide external load balancers. You can get external load balancers from other companies.

To ensure that your external load balancer can work with Oracle Application Server, check that your external load balancer meets the requirements listed in Table 3-2.

Note that you may not need all the requirements listed in the table. The requirements that you need depend on the topology being considered and on the Oracle Application Server components that are being load balanced.

Table 3-2 External Load Balancer Requirements

External Load Balancer Requirement Description

Virtual servers and port configuration

A virtual server is a logical address created in a load balancer. The virtual server maps to a group of resources that are load balanced for a request.

You need to be able to create virtual server names and ports on your load balancer, and the virtual server names and ports must meet the following requirements:

  • The load balancer should allow configuration of multiple virtual servers. For each virtual server, the load balancer should allow configuration of traffic management on more than one port. For example, for OracleAS Cluster (Identity Management), the load balancer needs to be configured with a virtual server and port for HTTP / HTTPS traffic, and separate virtual servers and ports for LDAP and LDAPS traffic.

  • The virtual server names must be associated with IP addresses and be part of your DNS. Clients must be able to access the external load balancer through the virtual server names.

Persistence (also called "stickiness" by some load balancers)

Persistence refers to the load balancer's ability to establish an identifier for a connection and, based on that identifier, route all subsequent connections from the same client to the same destination host.

Some components of Oracle Application Server use persistence in an external load balancer. Here are some examples:

  • For Oracle Internet Directory, do not set a persistence setting for the external load balancer.

  • For OracleAS Single Sign-On, a persistence setting is not required. However, you may set a persistence compatible with Oracle HTTP Server.

Resource monitoring / port monitoring / process failure detection

You need to set up the external load balancer to detect service and node failures (through notification or some other means) and to stop directing non-Oracle Net traffic to the failed node. If your external load balancer has the ability to automatically detect failures, you should use it.

For example, for OracleAS Cluster (Identity Management), specific components that the external load balancer should monitor are Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services. To monitor these components, set up monitors for the following protocols:

  • LDAP and LDAPS listen ports

  • HTTP and HTTPS listen ports (depending on the deployment type)

These monitors should use the respective protocols to monitor the services. That is, use LDAP for the LDAP port, LDAP over SSL for the LDAP SSL port, and HTTP/HTTPS for the Oracle HTTP Server port. If your external load balancer does not offer these monitors, consult your external load balancer documentation for the best method of setting up the external load balancer to automatically stop routing incoming requests to a service that is unavailable.

Network Address Translation (NAT)

The load balancer should have the capability to perform network address translation (NAT) for traffic being routed from clients to the Oracle Application Server nodes. This is specifically required for OracleAS Portal deployments, where the load balancer should allow enabling NAT for requests originating from within the OracleAS Portal node to the load balancer virtual server (for example, requests such as Parallel Page Engine (PPE) loopbacks and cache invalidation requests).

Fault tolerant mode

It is highly recommended that you configure the load balancer to be in fault-tolerant mode.

Other

It is highly recommended that you configure the load balancer virtual server to return immediately to the calling client when the backend services to which it forwards traffic are unavailable. This is preferred over the client disconnecting on its own after a timeout based on the TCP/IP settings on the client machine because the timeout may be set to a long period of time.

 

3.3 Installation Highlights

The Oracle Application Server Installation Guide provides details on how to install the OracleAS Cluster (Identity Management) and distributed OracleAS Cluster (Identity Management) topologies. Some highlights:

3.4 LDAP Port Numbers on the Load Balancer and Oracle Internet Directory

In an OracleAS Cluster (Identity Management) topology, the port number used by all the Oracle Internet Directory instances must be the same. You should use the staticports feature during installation to enforce this. For example, you can configure the SSL port to be 636 and the non-SSL port to be 389 for all the Oracle Internet Directory instances in the topology.

The LDAP ports (SSL and non-SSL) configured on the load balancer can be different from the corresponding SSL and non-SSL Oracle Internet Directory ports. However, managing the components might be easier if you use the same port numbers for Oracle Internet Directory and the LDAP ports on the load balancer.

When managing the Oracle Internet Directory instances, using tools such as the Oracle Directory Manager tool or command-line tools, you typically need to specify connect information such as the name of the host running Oracle Internet Directory and the Oracle Internet Directory port number. If you have configured different LDAP port numbers on the load balancer and on Oracle Internet Directory itself, be sure you use the appropriate hostname:port number pair (that is, use the LDAP virtual hostname with the LDAP port configured on the load balancer, or use the physical hostname with the physical port number).

3.5 Backup and Recovery

You can back up and recover files for all the nodes in the OracleAS Cluster (Identity Management) and distributed OracleAS Cluster (Identity Management) topologies using the OracleAS Backup and Recovery Tool. This tool is described in the Oracle Application Server Administrator's Guide.

3.6 OracleAS Metadata Repository Tier Details

The nodes on this tier run an Oracle database configured for high availability, such as an Oracle RAC database or a cold failover cluster database. You manage this database as you would any other Oracle database.

If you installed the OracleAS Metadata Repository in an existing Oracle RAC database, node failures are managed by Oracle Net and Oracle RAC. Oracle Net redirects requests to remaining active database instances if any of the other database instances fail.

If you installed the OracleAS Metadata Repository in a cold failover cluster database, node failure is performed by switching the virtual hostname and IP to the standby node and starting the database processes on that node. Section 7.1.5, "Failing Over a Cold Failover Cluster Database" provides instructions on how to accomplish these tasks.

3.7 Oracle Identity Management Tier Details

This section contains the following topics:

3.7.1 Protection Against Process and Node Failures

OPMN and the load balancer protect against process failures and node failures.

OPMN runs on each node to provide process management, monitoring, and notification services for OC4J_SECURITY, Oracle HTTP Server, and Oracle Internet Directory processes. If any of these processes fails, OPMN detects the failure and attempts to restart the process.

For managing the Oracle Internet Directory processes, OPMN manages the OID Monitor process ("oidmon"), which in turn manages the oidldapd, oidrepld, and odisrv Oracle Internet Directory processes. If oidldapd, oidrepld, or odisrv fails, oidmon attempts to restart it locally. Similarly, if oidmon fails, OPMN tries to restart it locally.

If the restart is unsuccessful (for example, if OPMN fails to restart oidmon, or if oidmon fails to restart the Oracle Internet Directory processes), the load balancer detects the failure (usually through a non-response timeout) and directs requests to an active process running on another node in the topology.


Note:

Only one odisrv process and one oidrepld process can be active at any time in an OracleAS Cluster (Identity Management) or distributed OracleAS Cluster (Identity Management) topology. However, you can have multiple oidldapd processes running in the same cluster. See the Oracle Internet Directory Administrator's Guide for details.

If OC4J_SECURITY is down on a node, the active Oracle HTTP Servers direct traffic to a surviving OC4J_SECURITY instance (this is by virtue of the fact that they are clustered). If Oracle HTTP Server is down on a node, then the surviving Oracle HTTP Servers on the other nodes service the requests.

If a node fails, the load balancer detects the failure and redirects requests to a remaining active node. Because each node provides identical services as the other nodes, all requests can be fulfilled by the remaining active nodes.


Note:

If a node goes down or if the processes on a node are brought down due to planned maintenance, you should reconfigure the load balancer not to send traffic to this node.

For information on running Oracle Internet Directory in an OracleAS Cluster (Identity Management) topology, and how directory replication can provide additional high availability, see Chapter 10, "Deploying Identity Management with Multimaster Replication".

3.7.2 OID Monitor Details

In the OracleAS Cluster (Identity Management) and distributed OracleAS Cluster (Identity Management) topologies, the OID Monitor ("oidmon") on each node reports to the other nodes that it is running by sending a message to the Oracle Database every 60 seconds. When it does this, it also polls the database server to verify that all other directory server nodes are also running. If an OID Monitor on one of the nodes has not reported that it is running after a configurable amount of time, the other directory server nodes regard it as having failed. At this point, the following occurs on one of the other nodes that are still running:

  1. The OID Monitor on that node brings up the processes that were running on the failed node.

  2. The Oracle Directory Integration Platform server (odisrv) and the replication server (oidrepld) on that node continue processing the operations that were previously underway on the failed node.

    The directory server itself (oidldapd) will not be failed over to the other node. This is because oidldapd by nature runs in an active-active mode. On the other hand, the Oracle Directory Integration Platform server and the replication server run in an active-passive mode, in the sense that there is only one instance of these servers running at any given time.

  3. The OID Monitor on that node logs that it has brought up the processes that were previously running on the failed node.

Figure 3-3 and the accompanying text exemplify this process on two nodes, Node A and Node B.

Figure 3-3 Oracle Internet Directory Failover Process

This illustration is described in the text.

The Oracle Internet Directory failover process follows these steps (shown in Figure 3-3):

  1. Every 60 seconds, the OID Monitor on Node A reports that it is running by sending a message to the database.

  2. The OID Monitor on Node B polls the database to learn which, if any, of the other nodes may have failed.

  3. If the OID Monitor on Node B learns that Node A has not responded for the configured amount of time (see below for how this is set), it regards Node A as having failed. It then retrieves from the database the necessary information about the Oracle Internet Directory servers that were running on Node A. In this example, it learns that the directory replication server had been running on Node A.

    The failover time is specified in the orclfailoverenabled attribute in the DSA config entry ("cn=dsaconfig, cn=configsets, cn=oracle internet directory"). By default, the orclfailoverenabled attribute is set to 5; the value is specified in minutes.

    If your deployment requires a longer failover time, then you need to increase the value of the orclfailoverenabled attribute.

    If you set the orclfailoverenabled attribute to 0, it means that Oracle Internet Directory processes will not fail over to another node. For example, assume Node A is running a directory replication server and its orclfailoverenabled attribute is set to 0. If Node A fails, the OID Monitor on Node B will not start up the directory replication server on Node B because on Node A, the orclfailoverenabled attribute is set to 0.

  4. Because a directory replication server was not already running on Node B, the OID Monitor on Node B starts a directory replication server that corresponds to the directory replication server previously running on Node A.


See Also:

  • "Oracle Internet Directory Architecture" in the chapter "Directory Concepts and Architecture" in Oracle Internet Directory Administrator's Guide for information about directory server nodes, directory server instances, and the kinds of directory metadata stored in the database

  • "Process Control" in the chapter "Directory Administration Tools" in the Oracle Internet Directory Administrator's Guide

3.7.2.1 Normal Shutdown vs. Process Failure

Unlike process failures, normal shutdowns are not treated as failovers. After a normal shutdown of Node A, the OID Monitor on Node B does not start the Oracle Internet Directory processes automatically on Node B. Here are two examples to show the differences:

Remember that in OracleAS Cluster (Identity Management) and distributed OracleAS Cluster (Identity Management) topologies, only one host runs the Oracle Directory Integration Platform server process (odisrv).

Example of a process failure: Assume Node A runs the directory replication server (oidrepld) and/or the Oracle Directory Integration Platform server (odisrv). If Node A fails, OID Monitor on Node B starts these processes on Node B after the configured time set in the orclfailoverenabled attribute. When Node A is restarted, the OID Monitor on Node A starts the servers automatically and requests the OID Monitor on Node B to stop the servers that were started on Node A.

Note that if the orclfailoverenabled attribute is set to 0, the OID Monitor on Node B will not start up any of the processes that were running on Node A. The orclfailoverenabled attribute is described in Section 3.7.2, "OID Monitor Details".

Example of a normal shutdown for odisrv: If you stop odisrv normally (for example, using the oidctl command), it is not considered a failure. This means that the odisrv process will not be started up automatically on the other node. You will need to start it up manually using the oidctl command. For information on starting odisrv through the oidctl command, see section 6.3.5, "Configuring an Oracle Directory Integration Platform Server Instance", in the Oracle Internet Directory Administrator's Guide.

3.7.2.2 Time Discrepancy Between Nodes

The time on all nodes should be synchronized using Greenwich Mean Time so that there is a discrepancy of no more than 250 seconds between them.

If OID Monitor detects a time discrepancy of more than 250 seconds between the two nodes, the OID Monitor on the node that is behind stops all servers on its node. To correct this problem, synchronize the time on the node that is behind in time. The OID Monitor automatically detects the change in the system time and starts the Oracle Internet Directory servers on its node.

3.7.3 Oracle Internet Directory Metadata Synchronization

In OracleAS Cluster (Identity Management) and distributed OracleAS Cluster (Identity Management) topologies, it is necessary to synchronize Oracle Internet Directory metadata—for example, definitions of object classes, attributes, matching rules, ACPs, and password policies—on all the directory server nodes. Figure 3-4 and the accompanying text exemplify the process in which directory server metadata is synchronized between two directory server nodes, Host A and Host B, in an OracleAS Cluster (Identity Management) topology.

Figure 3-4 Oracle Internet Directory Metadata Synchronization Process

This illustration is described in the text.

In Figure 3-4, directory server metadata in an OracleAS Cluster (Identity Management) topology is synchronized as follows:

  1. On Host A, the directory server writes metadata changes to the shared memory on that same host.

  2. OID Monitor on Host A polls the shared memory on that same host. When it discovers a change in the metadata, it retrieves the change.

  3. OID Monitor sends the change to the Oracle Database, which is the repository for the directory server metadata in the OracleAS Cluster (Identity Management) environment.

  4. OID Monitor on Host B polls the Oracle Database for changes in directory server metadata, and retrieves those changes.

  5. OID Monitor on Host B sends the change to the shared memory on that same host.

  6. The directory server on Host B polls the shared memory on that same host for metadata changes. It then retrieves and applies those changes.

3.8 Some Useful Procedures

This section describes the following procedures:

3.8.1 Using Application Server Control Console

You can use Application Server Control Console to manage the Oracle Identity Management components in OracleAS Cluster (Identity Management) topologies. To access Application Server Control Console for the OracleAS Cluster (Identity Management) nodes, you use the physical hostname in the Application Server Control Console URL, for example: http://im1.mydomain.com:1156 (assuming Application Server Control is running on port 1156).

For the OracleAS Metadata Repository, you manage the database using database management tools, such as Oracle Enterprise Manager.

3.8.2 Starting the Components

The steps are slightly different, depending on whether you are running the OracleAS Cluster (Identity Management) or the distributed OracleAS Cluster (Identity Management) topology.

3.8.2.1 For the OracleAS Cluster (Identity Management) Topology

Start up the processes on the different tiers in the following order:

  1. Start up the OracleAS Metadata Repository database.

  2. On each node in the OracleAS Cluster (Identity Management), run OPMN to start up the Oracle Identity Management components:

    ORACLE_HOME/opmn/bin/opmnctl startall

    ORACLE_HOME refers to the Oracle Identity Management's Oracle home.

  3. On each node, start up Application Server Control.

    ORACLE_HOME/bin/emctl start iasconsole

3.8.2.2 For the Distributed OracleAS Cluster (Identity Management) Topology

Start up the processes on the different tiers in the following order:

  1. Start up the OracleAS Metadata Repository database.

  2. On each node in the Oracle Internet Directory tier:

    1. Start up Oracle Internet Directory. You can do this using OPMN.

      ORACLE_HOME/opmn/bin/opmnctl startall

      ORACLE_HOME refers to the directory where you installed Oracle Internet Directory.

    2. Start up Application Server Control.

      ORACLE_HOME/bin/emctl start iasconsole

  3. On each node in the OracleAS Single Sign-On and Oracle Delegated Administration Services tier:

    1. Start up OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle HTTP Server. You can do this using OPMN.

      ORACLE_HOME/opmn/bin/opmnctl startall

      ORACLE_HOME refers to the OracleAS Single Sign-On / Oracle Delegated Administration Services Oracle home.

    2. Start up Application Server Control.

      ORACLE_HOME/bin/emctl start iasconsole

3.8.3 Stopping the Components

The steps are slightly different, depending on whether you are running the OracleAS Cluster (Identity Management) or the distributed OracleAS Cluster (Identity Management) topology.

3.8.3.1 For the OracleAS Cluster (Identity Management) Topology

Stop the processes on the different tiers in the following order:

  1. On each node in the OracleAS Cluster (Identity Management), run OPMN to stop the Oracle Identity Management components:

    ORACLE_HOME/opmn/bin/opmnctl stopall

    ORACLE_HOME refers to the Oracle Identity Management's Oracle home.

  2. Stop the OracleAS Metadata Repository database.

  3. Stop Application Server Control.

    ORACLE_HOME/bin/emctl stop iasconsole

3.8.3.2 For the Distributed OracleAS Cluster (Identity Management) Topology

Stop the processes on the different tiers in the following order:

  1. On each node in the OracleAS Single Sign-On and Oracle Delegated Administration Services tier:

    1. Stop OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle HTTP Server. You can do this using OPMN.

      ORACLE_HOME/opmn/bin/opmnctl stopall

      ORACLE_HOME refers to the OracleAS Single Sign-On / Oracle Delegated Administration Services Oracle home.

    2. Stop Application Server Control.

      ORACLE_HOME/bin/emctl stop iasconsole

  2. On each node in the Oracle Internet Directory tier:

    1. Stop Oracle Internet Directory. You can do this using OPMN.

      ORACLE_HOME/opmn/bin/opmnctl stopall

      ORACLE_HOME refers to the directory where you installed Oracle Internet Directory.

    2. Stop Application Server Control.

      ORACLE_HOME/bin/emctl stop iasconsole

  3. Stop the OracleAS Metadata Repository database.

3.8.4 Checking the Status of Oracle Identity Management Components

Use the following commands to check the status of Oracle Identity Management components:

  1. Check the status of OPMN and OPMN-managed processes:

    ORACLE_HOME/opmn/bin/opmnctl status

  2. Check the status of Application Server Control.

    ORACLE_HOME/bin/emctl status iasconsole

  3. Check the status of Oracle Internet Directory:

    ORACLE_HOME/ldap/bin/ldapcheck

    Verify that you can log in to Oracle Internet Directory:

    ORACLE_HOME/bin/oidadmin

    Use the following login and password:

    Login: orcladmin

    Password: <orcladmin_password>

    After installation, the orcladmin_password is the same as the ias_admin password.

  4. Verify you can log in to OracleAS Single Sign-On:

    http://host:HTTP_port/pls/orasso

    For host, you specify the virtual hostname.

    Login: orcladmin

    Password: orcladmin_password

  5. Verify you can log in to Oracle Delegated Administration Services:

    http://host:HTTP_port/oiddas

    For host, you specify the virtual hostname.

    Login: orcladmin

    Password: orcladmin_password

3.8.5 Changing Configuration for Components in Active-Active Topologies

The OracleAS Single Sign-On and Oracle Delegated Administration Services instances in active-active topologies need to be configured identically. This means that if you change the configuration for one instance, you also need to make the same change in all the other instances in the topology.

To ensure that configuration stays consistent across the topology, note the following:

  • After you make a configuration change to OPMN, Oracle HTTP Server, or OC4J_SECURITY, run the following DCM command to upload the configuration information to the OracleAS Metadata Repository and propagate the change to all instances in the OracleAS Clusters.

    ORACLE_HOME/dcm/bin/dcmctl updateConfig

  • Configuration changes to Oracle Internet Directory are not automatically managed across the OracleAS Clusters. If you make changes to configuration files, primarily the wallet files, you need to make the same changes manually to all nodes in the OracleAS Clusters.

3.8.6 Changing the Password of the ODS Schema (Used by Oracle Internet Directory)

If you change the password to the Oracle Internet Directory-designated database, then you must update each of the other nodes in the OracleAS Cluster (Identity Management) topology. You can change the ODS database user account password using the oidpasswd utility.

To change the ODS database user password, invoke the following command on one of the Oracle Internet Directory nodes:

oidpasswd connect=db-conn-str change_oiddb_pwd=true

On all other Oracle Internet Directory nodes, invoke the following command to synchronize the password wallet:

oidpasswd connect=db-conn-str create_wallet=true

Note:

If you are running Oracle Internet Directory in an Oracle RAC environment, see Section 9.6, "About Changing the ODS Password on an Oracle RAC System". In an Oracle RAC environment, you have to ensure that the oidpwdlldap1 file is the same on all your Oracle RAC nodes.


See Also:

Go to previous page
Previous		 Go to next page
Next
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Master Index
Master Index		 Go to Feedback page
Contact Us