This chapter describes how to deploy Identity and Access Management.
It contains the following sections:
This section introduces the deployment process.
There are eight stages to Deployment. These stages are:
preverify - This checks that each of the servers being used in the topology satisfies the minimum requirements of the software being installed and configured. This also checks for database connections for schemas and port availability,
install - This installs all of the software required by the installation. This also includes binary patching for all of the patches included in the repository.
preconfigure - This does the following:
Creates Oracle Unified Directory instances and seeds them with Users/Groups.
Creates the WebLogic domains and extends domains for various products
Creates OHS instance
Migrates the Policy Store to the database
configure - This does the following:
Starts managed servers as necessary
Associates Access Manager with Oracle Unified Directory
Configure Oracle Identity Manager
configure-secondary - This does the following:
Integrates Weblogic Domain with Webtier
Register webtier with domain
Integrate Access Manager and Oracle Identity Manager
postconfigure - This does the following:
Run Oracle Identity Manager Reconciliation
Configure UMS Mail Server
Generate Access Manager Keystore
Configure WebGates
startup - This starts up all components in the topology and applies any needed artifact patches.
validate - This performs a number of checks on the built topology to ensure that everything is working as it should be.
Each stage must be completed on all hosts in a specific order, as described in the next section. Each stage must be completed on each host in the topology before the next stage can begin. Failure of a stage will necessitate a cleanup and restart. See Appendix B, "Cleaning Up an Environment Before Rerunning IAM Deployment" for instructions.
You must process hosts in the following order:
LDAP Host 1
LDAP Host 2
Identity Governance Host 1
Identity Governance Host 2
Access Management Host 1
Access Management Host 2
Web Host 1
Web Host 2
This equates to the following order for hosts in this guide.
Exalogic Physical Processing Order
IAMHOST1
IAMHOST2
Exalogic Virtual Processing Order
LDAPHOST1
LDAPHOST2
OIMHOST1
OIMHOST2
OAMHOST1
OAMHOST2
WEBHOST1
WEBHOST2
Exalogic Physical with External OHS Processing Order
IAMHOST1
IAMHOST2
OHSHOST1
OHSHOST2
For information about the execution of automated LCM tool on the external OHS host, see Section 14.4, "Deploying Identity and Access Management Without a Common LCM_HOME."
The following sections describe the procedure for performing Deployment.
To deploy Identity and Access Management, run the runIAMDeployment.sh a number of times on each host in the topology from the following location:
IDMLCM_HOME/provisioning/bin
BEFORE embarking on the Deployment process, read this entire section. There are extra steps detailed below which must be performed during the process.
Notes:
You must use the SAME version of the Deployment profile (IDMLCM_HOME/provisioning/bin/provisioning.rsp) on all targets and all hosts in the deployment.
You MUST run each command on each host in the topology, in the specified order, before running the next command.
Before running the Deployment tool, set the following environment variable.:
Set JAVA_HOME to: REPOS_HOME/jdk6
The commands you must run are:
runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preverify runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target install runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preconfigure runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure-secondary runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target postconfigure runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target startup runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target validate
It is important that you take a backup of the file systems and databases at the following points:
Prior to starting Deployment.
At the end of the installation phase.
Upon completion of Deployment
It is not supported to restore a backup at any phase other than those three.
To help keep track of the Deployment process, print this check list from the PDF version of this guide. Run each stage on the hosts shown, and add a check mark to the corresponding row when that run is complete.
| Deployment Stage | Host | Complete |
|---|---|---|
| Preverify | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Install | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Preconfigure | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Configure | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Configure Secondary | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Post Configure | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Startup | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Validate | IAMHOST1 | |
| IAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 |
| Deployment Stage | Host | Complete |
|---|---|---|
| Preverify | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Install | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Preconfigure | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Configure | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Configure Secondary | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Post Configure | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Startup | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 | ||
| Validate | LDAPHOST1 | |
| LDAPHOST2 | ||
| OIMHOST1 | ||
| OIMHOST2 | ||
| OAMHOST1 | ||
| OAMHOST2 | ||
| WEBHOST1 | ||
| WEBHOST2 |
The previous deployment instructions assume that the LCM_HOME directory is shared across every host in the topology for the duration of the deployment process.
If your organization does not permit this sharing, you can still run the deployment by making LCM_HOME available locally on every host. The following extra manual steps are required.
Create a local version of the LCM_HOME directory, including the software repository.
Copy the Deployment Response File, responsefilename_data folder, and Summary created in Section 13.18, "Summary" to the same location on each of the hosts.
The deployment tool relies on the contents of the directories located under LCM_HOME/provisioning to determine what stages have run successfully. Therefore, after every command, copy the contents of this directory to every node before executing any runIAMDeployment.sh commands.
If LCM_HOME is not shared to the directory hosts, copy LCM_HOME/internal from OAMHOST1 to LDAPHOST1 and LDAPHOST2 before running preconfigure on the LDAPHOSTs.
LCM_HOME/internal is created after the install phase on the OAMHOSTs.
Before running preconfigure on OIMHOST1, copy LCM_HOME/keystores from LDAPHOST1 to OAMHOST1.
If LCM_HOME is not mounted on WEBHOST1 and WEBHOST2 (or OHSHOST1/OHSHOST2 in a topology with external Oracle HTTP Servers), before execution of the postconfigure phase on WEBHOST1, copy LCM_HOME/keystores/webgate_artifacts from OAMHOST1 to WEBHOST1 and WEBHOST2
LCM_HOME/keystores/webgate_artifacts is created after the configure-secondary phase on OAMHOST1.