Oracle® Access Manager Installation Guide
10g (10.1.4.3)

Part Number E12493-01

D Changing Directory Server Hosts

The information here explains how to reconfigure Oracle Access Manager to recognize a new directory server host. Topics include the sections that follow.

D.1 About Changing Directory Server Hosts

After installing and setting up Oracle Access Manager, you may need to change the host computer for the directory server with which Oracle Access Manager communicates. If this occurs, you need to reconfigure Oracle Access Manager to recognize the new directory server host.

Task overview: Changing Directory Server hosts includes

  1. Minimizing Down Time

  2. Preparing the New Directory Server Instance

  3. Reconfiguring the Primary Identity Server

  4. Reconfiguring the Policy Manager

  5. Reconfiguring the Access Server

D.2 Minimizing Down Time

When you reconfigure Oracle Access Manager to communicate with a new directory server instance (one that has moved to a different host), there will be some down time. You can minimize the downtime by configuring failover between Oracle Access Manager Web components and Access and Identity Servers.

Oracle Access Manager uses failover to provide uninterrupted service by redirecting requests to another server when the original request destination fails. Failover is accomplished by configuring a primary and secondary server and identifying specific parameters for the failover process. Oracle Access Manager Web components first attempt to connect to a primary server. If the primary server is unavailable, a connection attempt is made to a secondary server.

Task overview: Minimizing down time includes

  1. Configuring Failover between an Identity Server and WebPass

  2. Configuring Failover between an Access Server and WebGate

Completing the preceding tasks ensures that users will enjoy uninterrupted service when you reconfigure the primary Identity and Access Servers for the new directory server instance.

For additional information on failover, see the Oracle Access Manager Deployment Guide.

D.2.1 Configuring Failover between an Identity Server and WebPass

Setting up a secondary Identity Server ensures that the WebPass fails over to the secondary Identity Server if the primary Identity Server is stopped while you reconfigure it to communicate with the new directory server instance.

To configure failover between an Identity Server and WebPass

  1. Confirm that you have a second Identity Server installed that meets the following requirements:

    • The second Identity Server must communicate with the existing directory server.

    • The second Identity Server must be associated with the existing WebPass as a secondary server.

    Note:

    If your Oracle Access Manager installation does not include a second Identity Server that meets the preceding requirements, you need to install one that does. See "About Installing Multiple Identity Servers".
  2. Configure failover between the secondary Identity Server and WebPass:

    1. From the Identity System Console select System Configuration, WebPass, Name, then click Modify.

      See the Oracle Access Manager Identity and Common Administration Guide for more information about configuring a WebPass.

    2. Complete the following information, then save your changes:

      Failover Threshold: Enter the required number of live connections from the Web component to its primary Access or Identity Server.

      Identity Server Timeout Threshold: Enter a Timeout Threshold to specify how long (in seconds) the Web component waits for a non-responsive server before it considers it unreachable and attempts to contact another.

      Sleep For (seconds): Enter the interval in seconds. After this interval, the WebGate verifies whether the number of valid connections equals the maximum number of connections configured.

  3. Configure relevant directory profiles to use all Identity Servers:

    1. In the System Console, locate the list of LDAP Directory Server Profiles:

      From the Identity System Console select System Configuration, then click Directory Options

      The Configure Profiles page appears with Directory Server information as well as sections for Configure LDAP Directory Server Profiles and Configure RDBMS Profiles.

    2. Under the Configure LDAP Directory Server Profiles heading, select the name of the Identity Server profile:

      Configure LDAP Directory Server Profiles, name

      The Modify Directory Server Profile page appears.

    3. In the Modify Directory Server Profile page, locate the "Used by" field and select "All Identity Servers".

    4. Save the change.

  4. Proceed with "Configuring Failover between an Access Server and WebGate" next.

D.2.2 Configuring Failover between an Access Server and WebGate

As with the Identity Server, setting up a secondary Access Server ensures that the WebGate fails over to the secondary Access Server if the primary Access Server is stopped while you reconfigure it to communicate with the new directory server instance.

To configure failover between an Access Server and WebGate

  1. Confirm that you have a second Access Server installed that meets the following requirements:

    • The second Access Server must communicate with the existing directory server containing Oracle Access Manager configuration and policy data.

    • The second Access Server must be associated with the existing WebGate as a secondary server.

      Note:

      If your Oracle Access Manager installation does not include a second Access Server that meets the preceding requirements, you need to install one. See "About Installing Multiple Access Servers".
  2. Configure failover between the secondary Access Server and WebGate, as described in the Oracle Access Manager Deployment Guide:

    1. From the Access System Console, select Access System Configuration, AccessGate Configuration, All, Go, then click the desired name.

      The Details for the AccessGate page appears. See the Oracle Access Manager Access Administration Guide for more information about configuring a WebGate.

    2. Click the Modify button, then fill in the following information and save your changes:

      Failover Threshold: Enter the required number of live connections from the Web component to its primary Oracle Access Manager server.

      Access Server Timeout Threshold: Enter a value to specify how long (in seconds) the Web component waits for a non-responsive Oracle Access Manager server before it considers it unreachable and attempts to contact another.

      Sleep For (seconds): Enter the interval in seconds. After this interval, the WebGate verifies whether the number of valid connections equals the maximum number of connections configured.

  3. Configure the relevant directory server profiles to use all Access Servers:

    1. In the Access System Console, locate the list of LDAP Directory Server Profiles:

      Access System Console, System Configuration, Server Settings

      The View Server Settings page appears with Directory Server information as well as sections for Configure LDAP Directory Server Profiles and Configure RDBMS Profiles.

    2. Under the Configure LDAP Directory Server Profiles heading, select the name of the Access Server profile:

      Configure LDAP Directory Server Profiles, name

      The Modify Directory Server Profile page appears.

    3. On the Modify Directory Server Profile page, locate the "Used by" field and select the button beside "Access Servers", then select "All Servers" from the list. For example:

      Used By    o All components
                 o Identity Servers
                 o Access Servers
                     All Servers
  4. Save the change.

  5. Proceed with "Preparing the New Directory Server Instance" next.

D.3 Preparing the New Directory Server Instance

You must ensure that the new directory server instance is an exact replica of the directory server instance with which Oracle Access Manager communicates. This means that the schema, user data, Oracle Access Manager configuration data, and policy data must match. As you prepare the new directory server instance, pay close attention to the steps that follow.

To prepare the new directory server instance

  1. Export the original Oracle Access Manager configuration tree (o=oblix) from the existing directory server instance to an LDIF file using the ldapsearch command that follows; repeat for policy data if this is stored separately. For example:

    ldapsearch -h DS_hostname -p DS_port_number -b Configuration_DN (o=oblix...)
       -D bind_dn -q -s sub  (objectClass=*) > Oblix_Data_original.ldif
           Please enter bind password: 
           bind successful 

    where DS_hostname is the name of the computer hosting the existing directory server instance (from which you export the data); DS_port_number is the port on which the directory server is listening; bind_dn is the DN for Oracle Access Manager configuration data; password is the password for the bind DN, which you enter at the prompt; and Oblix_Data_original.ldif is the name of your configuration data LDIF file.

    Note:

    Oracle Internet Directory LDAP tools have been modified to disable the less secure options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE (or 1). When you use -q (or -Q), you are prompted for the user password (or wallet password). Oracle recommends that you set the environment variable whenever possible.

  2. Remove the entries for DB Agents without deleting the container (obcontainerId=DBAgents). For example:

    obcontainerId=DBAgents,<Configuration DN>…
    
  3. Import the modified LDIF you created to the new directory server instance using the ldapmodify command that follows. For example:

    ldapmodify -h DS_hostname -p DS_port_number -D bind_dn -q -a -f
       Oblix_Data_modified.ldif
           Please enter bind password: 
           bind successful 
    

    where DS_hostname is the name of the computer hosting the new directory server instance (to which you import the data); DS_port_number is the port on which the directory server is listening; bind_dn is the DN for Oracle Access Manager configuration data; password is the password for the bind DN, which you enter at the prompt; and Oblix_Data_modified.ldif is the name of your modified configuration data LDIF file.

  4. Proceed to "Reconfiguring the Primary Identity Server" to add directory server profiles for the new directory server instance to the Identity System Console.
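Step 2 of this procedure is done by hand in the text. As an added example that is not part of Oracle's documentation or tooling, the Python below filters an exported LDIF so that every entry beneath obcontainerId=DBAgents is dropped while the container entry itself survives, unfolding RFC 2849 continuation lines and decoding base64 (dn::) DNs along the way. The Configuration DN o=oblix,dc=example,dc=com and the sample entries are assumptions constructed for the example.

```python
import base64
CONFIG_DN = "o=oblix,dc=example,dc=com"              # assumed Configuration DN
DBAGENTS_DN = "obcontainerId=DBAgents," + CONFIG_DN   # container entry to keep
# Constructed sample export; attribute values are illustrative, not real OAM data.
SAMPLE_LDIF = """dn: o=oblix,dc=example,dc=com
objectClass: top
o: oblix

dn: obcontainerId=DBAgents,o=oblix,dc=example,dc=com
objectClass: top
obcontainerId: DBAgents

dn: cn=idsrv01,obcontainerId=DBAgents,o=oblix,dc=example,dc=com
cn: idsrv01
description: DB Agent entry for the old Identity
  Server host (folded continuation line, RFC 2849 style)
"""
def split_entries(ldif_text):
    """Split LDIF into entries (lists of lines), unfolding leading-space continuations."""
    entries, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]              # rejoin a folded line
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        elif not raw.startswith("#"):            # skip LDIF comments
            current.append(raw)
    if current:
        entries.append(current)
    return entries

def entry_dn(entry):
    """Return an entry's DN, decoding the base64 'dn::' form if present."""
    for line in entry:
        if line.startswith("dn::"):
            return base64.b64decode(line[4:].strip()).decode("utf-8")
        if line.startswith("dn:"):
            return line[3:].strip()
    return ""

def is_db_agent(dn):
    """True only for entries strictly below the DBAgents container, never for it."""
    norm = lambda d: ",".join(p.strip() for p in d.split(",")).lower()
    return norm(dn).endswith("," + norm(DBAGENTS_DN))

def strip_db_agents(ldif_text):
    """Return the LDIF with DB Agent entries dropped; the container itself stays."""
    kept = [e for e in split_entries(ldif_text) if not is_db_agent(entry_dn(e))]
    return "\n\n".join("\n".join(e) for e in kept) + "\n"
```

Feed the file produced by the ldapsearch step to strip_db_agents and write the result out as the Oblix_Data_modified.ldif that the ldapmodify step imports.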

D.4 Reconfiguring the Primary Identity Server

The procedure that follows describes how to reconfigure the primary Identity Server, the one that communicates with the existing directory server instance, so that it communicates with the new directory server instance.

To configure the Identity Server to communicate with a new directory server instance

  1. From the Identity System Console, select System Configuration, Directory Profiles, then click Directory Server.

  2. On the Directory Server Configuration page, change the following information to reflect the new directory server instance, then save your changes:

    Machine*—new_hostname.domain.com

    Port Number*—new_host_port

    When you change fields marked with an asterisk (*), you must manually re-run the Identity System setup.

  3. Shut down all Identity Servers except the secondary server, if more than one are running.

  4. On the only running Identity Server host, open the setup.xml file:

    IdentityServer_install_dir\identity\oblix\config\setup.xml

  5. Remove the status parameter (or change the status parameter value from "done" to "incomplete"), then save the file. For example:

    <NameValPair ParamName="status" Value="incomplete"></NameValPair>

  6. Restart this Identity Server.

  7. From your Web browser, launch the Identity System Console.

    A Setup page appears, like the one for the initial Identity System setup.

  8. Click the Setup button and proceed through the setup process:

    1. Specify new directory server instance information, as follows:

      Host—The new user data directory server DNS hostname

      Port Number—The new user data directory server port number

      Note:

      If user data is stored separately from configuration data, a similar page appears where you can enter information for the configuration data directory. However, that sequence is not repeated here.
    2. Complete setup as described in Chapter 6, "Setting Up the Identity System".

  9. Restart the Identity Servers, which should pick up the new information.

  10. In the System Console, verify that a new database profile was created:

    1. Navigate to the Directory Profiles page:

      From the Identity System Console, select System Configuration, then click Directory Profiles

    2. In the Configure Profiles page, select the name of the relevant profile under the heading Configure LDAP Directory Server Profiles.

    3. In the Modify Directory Server Profile page, locate the name of the new Database Instance and confirm the new computer and port number.

      Note:

      You can proceed with creating any additional DB profiles that you need. See the Oracle Access Manager Identity and Common Administration Guide for details.
  11. Proceed with "Reconfiguring the Policy Manager" next.

D.5 Reconfiguring the Policy Manager

You need to reconfigure the Policy Manager to use the new directory server instance.

To reconfigure the Policy Manager for the new directory server instance

  1. View server settings in the Access System Console, as follows:

    From the Access System Console, select Access System Configuration, Server Settings, then click Directory Server

  2. On the Directory Server Configuration page, change the following information to reflect the new directory server instance, then save your changes:

    Machine*—new_hostname.domain.com

    Port Number*—new_host_port

    When you change fields marked with an asterisk (*), you must manually re-run the Policy Manager setup.

  3. Shut down all but one Policy Manager Web server if there is more than one running.

  4. On the Policy Manager host that is still running, open the setup.xml file:

    PolicyManager_install_dir\oblix\config\setup.xml

  5. Remove the status parameter (or change the status parameter value from "done" to "incomplete"), and save the file. For example:

    <NameValPair ParamName="status" Value="incomplete"></NameValPair>

  6. Restart the Policy Manager Web server.

  7. From your Web browser, launch the Access System Console.

    You will see a Setup page similar to the one that appears during the initial Access System setup. You are asked to specify details about the directory servers where user data, configuration data, and policy data are stored, with directory server information requested for each type of data.

  8. Initiate setup again and, when asked, specify the following:

    • If user data and configuration data are stored together, you are asked where policy data should be stored.

    • If the data is stored separately, you are asked to specify details for configuration data.

    For more information about this, see "Data Storage Requirements".

  9. When asked, specify the new directory server instance information, as follows:

    1. Enter the following details:

      Host—The new directory server DNS hostname

      Port Number—The new directory server port number

      Note:

      Depending on how your data is stored, you may see an additional screen for policy data. However, that sequence is not repeated here.
    2. Complete setup as described in "Setting Up the Policy Manager".

  10. After completing setup, restart the other Policy Manager Web servers.

    The other Policy Managers should pick up the new information.

  11. Confirm the new Database Instance in the Access System Console, as follows:

    1. View server settings in the Access System Console, as follows:

      From the Access System Console select Access System Configuration, Server Settings.

    2. In the View Server Settings page, select the name of the relevant profile under the heading Configure LDAP Directory Server Profiles.

    3. In the Modify Directory Server Profile page, locate the name of the new Database Instance and confirm the new computer and port number.

      Note:

      You can proceed with creating any additional DB profiles that you need. See the Oracle Access Manager Identity and Common Administration Guide for details.
  12. Rerun Access Server setup, as described in "Reconfiguring the Access Server".

D.6 Reconfiguring the Access Server

After manually rerunning setup for the Policy Manager, you need to reconfigure the Access Server as indicated in the following discussion. For additional information on using the configureAAAServer tool, see the Oracle Access Manager Access Administration Guide.

To reconfigure the Access Server for the new directory server instance

  1. Locate the configureAAAServer tool. For example:

    AccessServer_install_dir\access\oblix\tools\configureAAAServer

  2. Use the command that follows with the configureAAAServer tool to set up the Access Server. For example:

    configureAAAServer install -i AccessServer_install_dir/util/access

  3. Specify new information for the host on which the new directory server instance resides.

  4. Restart your Access Server.

  5. Confirm the new Database Instance in the Access System Console, as follows:

    1. View server settings in the Access System Console, as follows:

      Access System Console, System Configuration, Server Settings

    2. On the View Server Settings page, select the name of the relevant profile under the heading Configure LDAP Directory Server Profiles.

    3. On the Modify Directory Server Profile page, locate the name of the new Database Instance and confirm the new computer and port number.

    You may see one more Database Profile created, in addition to the default, when the policy tree and the configuration tree are on the same directory server yet are using two different suffixes.

    Note:

    You can proceed with creating any additional DB profiles that you need. See the Oracle Access Manager Identity and Common Administration Guide for details.