| Oracle® Fusion Middleware Upgrade Guide for Oracle WebCenter Interaction 10g Release 4 (10.3.3.0.0) for Windows Part Number E14551-07 |
|
|
View PDF |
| Oracle® Fusion Middleware Upgrade Guide for Oracle WebCenter Interaction 10g Release 4 (10.3.3.0.0) for Windows Part Number E14551-07 |
|
|
View PDF |
If you installed or upgraded Oracle WebCenter Interaction Identity Service for Microsoft Active Directory, perform the tasks in this chapter to complete the installation or upgrade.
This chapter includes the following sections:
This chapter also includes the section Advanced Configuration, which includes the following advanced configuration options for Oracle WebCenter Interaction Identity Service for Microsoft Active Directory:
Verify installation or upgrade by navigating to the installation verification log file. For example: install_dir\WebCenter_Interaction_Identity_Service_for_Active_Directory_InstallLog.log.
Note:
After you have imported the migration package into the portal, you can also run a diagnostic utility to verify connectivity among deployment components. To verify deployment, in a Web browser open the URL for the Remote Server diagnostic utility. For example: http://RemoteServer/adws/install/index.html
If you upgraded Oracle WebCenter Interaction Identity Service for Microsoft Active Directory perform the following steps:
If you previously edited the sessionstate timeout value in web.config, you must edit it again in the newly installed web.config file. For more information, see Editing the Web.config File.
For each Microsoft Active Directory authentication source you previously created in the portal, re-enter the authentication password. Each installation of Oracle WebCenter Interaction Identity Service for Microsoft Active Directory encrypts this password using a different key.
If you installed Oracle WebCenter Interaction Identity Service for Microsoft Active Directory for the first time, perform the steps in the following sections:
To edit virtual directory time-out and security settings:
Open Internet Information Services.
Expand the IIS hierarchy as necessary, right-click the adaws virtual directory, and select Properties.
In the Properties dialog box, click Configuration.
In the Application Configuration dialog box, click the Options tab. The ASP Script timeout can be left at the default of 90 seconds.
The Session timeout should be set to the same value as the timeout value specified in the web.config file. See Editing the Web.config File, for more information.
For synchronizations of large user directories, a timeout between 120 and 240 minutes is recommended.
Return to the Properties dialog box and click the Directory Security tab to edit anonymous access and authentication control. The account used for anonymous access can be either a local or domain user, but in most circumstances the local user IUSR is recommended.
When you are done, close the Properties dialog box.
The Windows installation directory settings are located in install_dir\ptadaws\10.3.3\webapp\adaws (for example, C:\Oracle\Middleware\wci\ptadaws\10.3.3\webapp\adaws).
The following security settings are the minimum requirements needed for Oracle WebCenter Interaction Identity Service for Microsoft Active Directory and logging to work correctly:
The local NETWORK SERVICE user must have Full Control rights. Allow NETWORK SERVICE and the SYSTEM group Full Control rights on the folder.
The account used for anonymous access, described in IIS Virtual Directory Settings, must have Read and Execute, List Folder Contents, and Read rights on the folder. Whether this is a domain user or the local IUSR user, this account will be a member of the Authenticated Users group. Allow Authenticated Users these rights on the folder.
Administrators will want to be able to view and modify the content of the folder, so allow the Administrators group Full Control rights on the folder.
After importing the pte file, you must create an authentication source:
In the Administrative Object Directory, open the Active Directory folder.
In the Create Object menu, click Authentication Source - Remote.
In the Choose Web Service dialog box, select Active Directory (the Web service created during import), and click OK.
On the Remote Active Directory Agent Configuration page, fill out the information specific to your Active Directory server. For more information, refer to online help.
Create a job to run your authentication source:
Open an administrative folder.
In the Create Object menu, click Job.
Complete the Job Editor. For more information, refer to online help.
After importing the pte file and creating a remote authentication source, you must create a remote profile source:
In the Administrative Object Directory, open the Active Directory folder.
In the Create Object menu, click Profile Source - Remote.
In the Choose Web Service dialog box, select Active Directory (2) (the Web service created during import), and click OK.
On the Remote Active Directory Configuration page, fill out the information specific to your Active Directory server. For more information, refer to online help.
Create a job to run your profile source:
Open an administrative folder.
In the Create Object menu, click Job.
Complete the Job Editor. For more information, refer to online help.
To import users, groups, or users' profile information, you must associate the authentication source or profile source with a job and run the job. To create and run a job, perform the following steps in the Oracle WebCenter Interaction Identity Service for Microsoft Active Directory folder of the portal's Administrative Object Directory:
From the Create Object menu, select Job.
Click Add Operation.
Choose the authentication source or profile source that you created.
Choose the scheduling values for the job and click Finish.
Name the job and click OK.
When you are finished creating the job, make sure the Oracle WebCenter Interaction Identity Service for Microsoft Active Directory folder is associated with an automation service. For assistance, see the online help under Select Utilities, then Automation Service.
This chapter describes the following advanced configuration options for Oracle WebCenter Interaction Identity Service for Microsoft Active Directory:
There are several configurable settings in the Web.config file that help you avoid some common error cases and define logging parameters. If you want to edit the Web.config file, it can be found in the following location: install_dir\ptadaws\10.3.3\webapp\adaws (for example, C:\Oracle\Middleware\wci\ptadaws\10.3.3\webapp\adaws\Web.config).
Within the Web.config file, locate the log4net section. The default settings for the parameters in this section should be sufficient in most cases, but there are several settings that you can change.
The log files created by log4net.dll are self-cleaning based on the following parameters:
MaximumFileSize - Specifies the maximum size a log file can be before it is rolled over into a new file if RollingStyle is set to Size.
MaxSizeRollBackups - Sets the number of rolled-over files that are saved.
Additional log4net- Settings are based on these parameters:
AppendToFile - Determines whether writes to the log file will be appended to the end of the file, or if the file will be overwritten. This should be set to true.
RollingStyle - Can be set to Size or Date.
StaticLogFileName - When set to true means that the active file name will always be ADAWSLog.txt. Rollover files will be renamed with .1, .2, .3, and so on extensions. This should be set to true.
With the default settings, the most disk space that will ever be used by logging is 100MB.
The log level can be set to INFO, ERROR, or FATAL. The default setting of INFO provides information that describes when the Web service is called and what parameters are provided, as well as logging any failures and their causes. The ERROR setting logs only failures. A setting of FATAL runs silently.
Even with the log level set to INFO, the logging for a single synchronization run never exceeds 10MB.
Note:
The log4net.dll handles all log file creation and deletion. Deleting rollover files that were created by log4net while it is still running causes log4net to fail, and furthermore causes the Oracle WebCenter Interaction Identity Service for Microsoft Active Directory to fail. Because of this, rollover files should not be deleted manually. If they are, restart IIS to ensure that log4net continues to run properly. The rollover files can be viewed and copied without any adverse affect.
When setting the logging practices, you should not delete or modify the rollover files. You should let log4net handle log file manipulation. The following three sections indicate the best settings for your environment.
If several synchronization jobs are run a day, you may wish to set the RollingStyle to Size, so that the individual log files do not grow too large. If synchronization jobs are only run once a day or less, you may chose to set the RollingStyle to Date. The log files do not grow too large because they contain one run and the log for a single run never splits between two files (unless the job runs past midnight). If you choose to rollover based on Date, the MaximumFileSize setting does not take affect.
If synchronization jobs are run past midnight, using Date causes the log for a single synchronization job to be split into two files (due to the rollover at midnight). It is therefore recommended to use Size and to set the MaximumFileSize based upon the typical log size for a single run.
The number of rollover files you set for the MaxSizeRollBackups value depends on how much disk space you choose to devote to log files. If RollingStyle is set to Size then it is easy to calculate the amount of space used. It is the MaximumFileSize you set multiplied by the MaxSizeRollBackups value. If you rollover based on Date then you must look at the average size of the log created by a single synchronization run to determine what the total disk space is. If synchronizations are run once a week, then setting MaxSizeRollBackups to 10 provides approximately two months of job histories. If synchronizations are run on a daily basis then you may wish to increase the number of rollover files to keep a history that exceeds ten days.
You may wish to keep a permanent archive of all the logs on another computer, or simply wish to keep a larger history than the one determined by the MaxSizeRollBackups setting. You can manually copy the files before the rollover limit is reached and they are overwritten. You could also set up a recurring task that copies files to another location. The frequency of this task is determined by the frequency of your synchronization runs, and your logging settings.
Note:
Do not delete or move the rollover files without restarting IIS.
During large synchronizations the portal must create database objects for all the users and groups returned by Oracle WebCenter Interaction Identity Service for Microsoft Active Directory. This can cause IIS session timeouts between the calls to GetGroups, GetUsers, and GetMembers.
This timeout error can be avoided by increasing the timeout value for the sessionState object. To avoid this large timeout from applying to both authentication calls and synchronization calls, create two directories for Oracle WebCenter Interaction Identity Service for Microsoft Active Directory. Make a copy of the directory and give it a different name.
In one of the files, set the timeout to a very large minute value for synchronization. In the other file, leave it at the default or decrease it to 5 minutes for authentication.
Create two virtual directories. One directory should point to the physical directory with the large timeout value. This directory is used for the synchronization URL. The other virtual directory points to the physical directory that contains the smaller timeout value. This virtual directory is used for the authentication URL.
For a complete discussion of IIS sessions, refer to the Release Notes.
Note:
The timeout setting in the Web.config should match the session timeout for the virtual directory. See IIS Virtual Directory Settings, for details on setting this timeout value.
There is the potential for an Active Directory server timeout during synchronizations of especially large query bases or difficult query filters. A Microsoft DirectoryServices.dll bug causes this timeout to occur. The effect of this bug is that no exception is thrown, and instead a partial list is returned. Refer to the Release Notes for a full discussion of the consequences. The Microsoft (MS hotfix number Q833789) patch is included in the Oracle WebCenter Interaction Identity Service for Microsoft Active Directory release package.
Once the patch is installed, DirectoryServices.dll correctly passes on the timeout exception to the Web.config file.
At the top, in the configSections, you must uncomment the line with section name = "system.directoryservices". This line also includes a PublicKeyToken value that must be set. This is the public key for your System.DirectoryServices.dll. To find this key, use the strong name tool sn.exe -T system.directoryservices.dll.
You must also uncomment the system.directoryservices section in the web.config file, and set waitForPagedSearchData to true. Remember that if you do this, Oracle WebCenter Interaction Identity Service for Microsoft Active Directory waits and blocks until all results are returned from the Active Directory server.
Occasionally, Active Directory reports an error when it tries to get the members of a specific group. This error is a result of the server not having access to specific groups from other domains, being temporarily unavailable, or a specific group having a bad membership attribute. Normally these Active Directory errors are caught and passed on by Oracle WebCenter Interaction Identity Service for Microsoft Active Directory. When the synchronization job encounters this error, it reports a failure and ends.
If you prefer that groups that cause an Active Directory error during GetMembers are simply skipped and allow the job to continue processing other groups, then set the GetMembersActionOnError key to Skip instead of Fail in the Web.config file.
|
 Copyright © 2011, 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
