The Oracle home directories shown in this figure are the Oracle homes for the components that are installed when you follow the instructions in this manual. The directory locations for these Oracle home directories are included in the sections later in this manual that provide the installation instructions for the components.
For this high availability topology, you must configure server migration for the WLS_OIM1, WLS_SOA1, WLS_OIM2, and WLS_SOA2 Managed Servers. The WLS_OIM1 and WLS_SOA1 Managed Servers are configured to restart on OIMHOST2 should a failure occur. The WLS_OIM2 and WLS_SOA2 Managed Servers are configured to restart on OIMHOST1 should a failure occur. For this configuration, the WLS_OIM1, WLS_SOA1, WLS_OIM2, and WLS_SOA2 servers listen on specific floating IPs that are failed over by WebLogic Server Migration. Configuring server migration for the Managed Servers consists of the following steps.
The following steps enable server migration for the WLS_OIM1, WLS_SOA1, WLS_OIM2, and WLS_SOA2 Managed Servers. This enables a Managed Server to fail over to another node in the case of server or process failure.
This chapter contains the following steps:
Section 16.1, "Setting Up a User and Tablespace for the Server Migration Leasing Table"
Section 16.2, "Creating a Multi Data Source Using the Oracle WebLogic Administration Console"
Section 16.4, "Setting Environment and Superuser Privileges for the wlsifconfig.sh Script"
The first step is to set up a user and tablespace for the server migration leasing table:
Note: If other servers in the same domain have already been configured with server migration, the same tablespace and data sources can be used. In that case, the data sources and multi data source for database leasing do not need to be re-created, but they must be retargeted to the clusters being configured with server migration.
Create a tablespace called leasing. For example, log on to SQL*Plus as the sysdba user and run the following command:
SQL> create tablespace leasing logging datafile 'DB_HOME/oradata/orcl/leasing.dbf' size 32m autoextend on next 32m maxsize 2048m extent management local;
Create a user named leasing and assign to it the leasing tablespace:
SQL> create user leasing identified by welcome1;
SQL> grant create table to leasing;
SQL> grant create session to leasing;
SQL> alter user leasing default tablespace leasing;
SQL> alter user leasing quota unlimited on LEASING;
Create the leasing table using the leasing.ddl script:
Copy the leasing.ddl file located in either the WL_HOME/server/db/oracle/817 or the WL_HOME/server/db/oracle/920 directory to your database node.
Connect to the database as the leasing user.
Run the leasing.ddl script in SQL*Plus:
SQL> @Copy_Location/leasing.ddl;
The second step is to create a multi data source for the leasing table from the Oracle WebLogic Server Administration Console. You create a data source to each of the Oracle RAC database instances during the process of setting up the multi data source, both for these data sources and the global leasing multi data source. When you create a data source:
Ensure that this is a non-XA data source.
The names of the multi data sources are in the format of MultiDS-rac0, MultiDS-rac1, and so on.
Use Oracle's Driver (Thin) Version 9.0.1, 9.2.0, 10, 11.
Data sources do not require support for global transactions. Therefore, do not use any type of distributed transaction emulation/participation algorithm for the data source (do not choose the Supports Global Transactions option, or the Logging Last Resource, Emulate Two-Phase Commit, or One-Phase Commit options of the Supports Global Transactions option), and specify a service name for your database.
Target these data sources to the OIM_CLUSTER and the SOA_CLUSTER.
Ensure the data source's connection pool initial capacity is set to 0 (zero). To do this, select Services, JDBC, and then Datasources. In the Datasources screen, click the Datasource Name, then click the Connection Pool tab, and enter 0 (zero) in the Initial Capacity field.
Perform these steps to create a multi data source:
From Domain Structure window in the Oracle WebLogic Server Administration Console, expand the Services node. The Summary of JDBC Data Source page appears.
Click Data Sources. The Summary of JDBC Multi Data Source page is displayed.
Click Lock and Edit.
Click New Multi Data Source. The Create a New JDBC Multi Data Source page is displayed.
Enter leasing as the name.
Enter jdbc/leasing as the JNDI name.
Select Failover as algorithm (default).
Click Next.
Select OIM_CLUSTER and SOA_CLUSTER as the targets.
Click Next.
Select non-XA driver (the default).
Click Next.
Click Create New Data Source.
Enter leasing-rac0 as the name. Enter jdbc/leasing-rac0 as the JNDI name. Enter oracle as the database type. For the driver type, select Oracle Driver (Thin) for Oracle RAC Service-Instance connections, Versions: 10 and later.
Note: When creating the multi data sources for the leasing table, enter names in the format of
Click Next.
Deselect Supports Global Transactions.
Click Next.
Enter the service name, database name, host port, and password for your leasing schema.
Click Next.
Click Test Configuration and verify that the connection works.
Click Next.
Target the data source to OIM_CLUSTER and SOA cluster.
Select the data source you just created, for example leasing-rac0, and add it to the right screen.
Click Create a New Data Source for the second instance of your Oracle RAC database, target it to the OIM_CLUSTER and SOA_CLUSTER, repeating the steps for the second instance of your Oracle RAC database.
Add the second data source to your multi data source.
Click Activate Changes.
The third step is to edit Node Manager's properties file. This must be done for the Node Managers in both nodes (OIMHOST1 and OIMHOST2) where server migration is being configured:
Interface=eth0
NetMask=255.255.255.0
UseMACBroadcast=true
Interface: This property specifies the interface name for the floating IP (for example, eth0).
Note: Do not specify the sub-interface, such as
NetMask: This property specifies the net mask for the interface for the floating IP. The net mask should be the same as the net mask on the interface; 255.255.255.0 is used as an example in this document.
UseMACBroadcast: This property specifies whether to use a node's MAC address when sending ARP packets, that is, whether to use the -b flag in the arping command.
Verify in Node Manager's output (shell where Node Manager is started) that these properties are being used, or problems may arise during migration. You should see something like this in Node Manager's output:
... StateCheckInterval=500 Interface=eth0 NetMask=255.255.255.0 ...
Note: The following steps are not required if the server properties (start properties) have been properly set and Node Manager can start the servers remotely.
Set the following property in the nodemanager.properties file:
StartScriptEnabled: Set this property to true. This is required to enable Node Manager to start the Managed Servers.
Start Node Manager on OIMHOST1 and OIMHOST2 by running the startNodeManager.sh script, which is located in the WL_HOME/server/bin directory.
Note: When running Node Manager from a shared storage installation, multiple nodes are started using the same
and start Node Manager after the variable has been set in the shell.
This section is not required on Windows. On Linux and UNIX-based systems, the fourth step is to set environment and superuser privileges for the wlsifconfig.sh script:
Ensure that your PATH environment variable includes these files:
Grant sudo configuration for the wlsifconfig.sh script.
Configure sudo to work without a password prompt.
For security reasons, sudo should be restricted to the subset of commands required to run the wlsifconfig.sh script. For example, perform the following steps to set the environment and superuser privileges for the wlsifconfig.sh script:
Grant sudo privilege to the WebLogic user oracle with no password restriction, and grant execute privilege on the /sbin/ifconfig and /sbin/arping binaries.
Ensure the script is executable by the WebLogic user oracle. The following is an example of an entry inside /etc/sudoers granting sudo execution privilege for oracle and also over ifconfig and arping:
oracle ALL=NOPASSWD: /sbin/ifconfig,/sbin/arping
Note: Ask the system administrator for the appropriate
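The Node Manager properties above and the restricted sudoers entry are the two host-side prerequisites that server migration depends on. The following script is an added example, not part of the Oracle guide or any Oracle tool: it parses constructed sample contents of nodemanager.properties and a sudoers line offline, flags missing properties, and reports a sudoers entry that grants the oracle user more than the two binaries wlsifconfig.sh needs (the sub-interface check assumes the Linux alias form, eth0:1, which the note above refers to).

```python
"""Host-side prerequisite checks for WebLogic server migration.

Added example, not from the Oracle guide.  All sample inputs below are
constructed, not captured from a real host.
"""
import re

# Properties the guide requires in nodemanager.properties on both
# OIMHOST1 and OIMHOST2.  None means "any value, but it must be present".
REQUIRED_NM_PROPS = {
    "Interface": None,
    "NetMask": None,
    "UseMACBroadcast": "true",
    "StartScriptEnabled": "true",
}

# The only binaries wlsifconfig.sh needs to run through sudo.
ALLOWED_SUDO_CMDS = {"/sbin/ifconfig", "/sbin/arping"}

# sudoers shape:  user host=(runas) TAG: cmd, cmd   (runas and tags optional)
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_nodemanager_props(text):
    """Return a list of problems found in nodemanager.properties text."""
    props = parse_properties(text)
    problems = []
    for key, expected in REQUIRED_NM_PROPS.items():
        if key not in props:
            problems.append("missing %s" % key)
        elif expected is not None and props[key].lower() != expected:
            problems.append("%s must be %s, found %s" % (key, expected, props[key]))
    mask = props.get("NetMask", "")
    if mask and not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", mask):
        problems.append("NetMask is not a dotted-quad mask: %s" % mask)
    # The guide says to name the physical interface, not a sub-interface;
    # a Linux alias such as eth0:1 carries a colon (assumption).
    if ":" in props.get("Interface", ""):
        problems.append("Interface must not be a sub-interface: %s" % props["Interface"])
    return problems


def check_sudoers_entry(line, user="oracle"):
    """Return problems with one sudoers line meant for wlsifconfig.sh.

    Expected shape, as in the guide:
        oracle ALL=NOPASSWD: /sbin/ifconfig,/sbin/arping
    """
    m = SUDOERS_RE.match(line.strip())
    if not m:
        return ["unparseable sudoers line: %s" % line.strip()]
    problems = []
    if m.group("user") != user:
        problems.append("entry is for %s, not %s" % (m.group("user"), user))
    if "NOPASSWD:" not in m.group("tags"):
        problems.append("NOPASSWD is missing; Node Manager cannot answer a password prompt")
    for cmd in (c.strip() for c in m.group("cmds").split(",")):
        path = cmd.split()[0] if cmd else ""
        if path == "ALL":
            problems.append("entry grants ALL commands")
        elif not path.startswith("/") or "*" in path:
            problems.append("command is not an absolute, wildcard-free path: %s" % path)
        elif path not in ALLOWED_SUDO_CMDS:
            problems.append("command not needed by wlsifconfig.sh: %s" % path)
    return problems


# Constructed samples.
SAMPLE_NM_PROPS = """\
StateCheckInterval=500
Interface=eth0
NetMask=255.255.255.0
UseMACBroadcast=true
StartScriptEnabled=true
"""
SAMPLE_SUDOERS_OK = "oracle ALL=NOPASSWD: /sbin/ifconfig,/sbin/arping"
SAMPLE_SUDOERS_BAD = "oracle ALL=(ALL) NOPASSWD: ALL"
```

Run check_nodemanager_props on the real file's contents and check_sudoers_entry on each line that sudo -l -U oracle reports, and treat any non-empty result as a blocker before enabling migration.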
The sixth step is to configure server migration targets. You first assign all the available nodes for the cluster's members and then specify candidate machines (in order of preference) for each server that is configured with server migration. Follow these steps to configure migration in a cluster:
Log in to the Oracle WebLogic Server Administration Console (http://Host:Admin_Port/console). Admin_Port is 7001 by default.
In the Domain Structure window, expand Environment and select Clusters. The Summary of Clusters page is displayed.
Click the cluster for which you want to configure migration (OIM_CLUSTER) in the Name column of the table.
Click the Migration tab.
Click Lock and Edit.
In the Available field, select the machine to which to allow migration and click the right arrow. In this case, select OIMHOST1 and OIMHOST2.
Select the data source to be used for automatic migration. In this case, select the leasing data source.
Click Save.
Click Activate Changes.
Repeat steps 2 through 9 for the SOA cluster.
Set the candidate machines for server migration. You must perform this task for all of the Managed Servers as follows:
In the Domain Structure window of the Oracle WebLogic Server Administration Console, expand Environment and select Servers.
Tip: Click Customize this table in the Summary of Servers page and move Current Machine from the Available window to the Chosen window to view the machine on which the server is running. This is different from the configuration if the server gets migrated automatically.
Select the server for which you want to configure migration.
Click the Migration tab.
In the Available field, located in the Migration Configuration section, select the machines to which to allow migration and click the right arrow. For WLS_OIM1, select OIMHOST2. For WLS_OIM2, select OIMHOST1.
Select Automatic Server Migration Enabled. This enables Node Manager to start a failed server on the target node automatically.
Click Save.
Click Activate Changes.
Repeat the previous steps for the WLS_SOA1 and WLS_SOA2 Managed Servers.
Restart WebLogic Administration Server, Node Managers, and the servers for which server migration has been configured.
The final step is to test the server migration. Perform these steps to verify that server migration is working properly:
From OIMHOST1:
Stop the WLS_OIM1 Managed Server. To do this, run this command:
OIMHOST1> kill -9 pid
where pid specifies the process ID of the Managed Server. You can identify the pid in the node by running this command:
OIMHOST1> ps -ef | grep WLS_OIM1
Watch the Node Manager console. You should see a message indicating that WLS_OIM1's floating IP has been disabled.
Wait for Node Manager to try a second restart of WLS_OIM1. It waits for a fence period of 30 seconds before trying this restart.
Once Node Manager restarts the server, stop it again. Node Manager should now log a message indicating that the server will not be restarted again locally.
From OIMHOST2:
Watch the local Node Manager console. Thirty seconds after the last attempt to restart WLS_OIM1 on OIMHOST1, Node Manager on OIMHOST2 should report that the floating IP for WLS_OIM1 is being brought up and that the server is being restarted on this node.
Access the soa-infra console in the same IP.
Follow the previous steps to test server migration for the WLS_OIM2, WLS_SOA1, and WLS_SOA2 Managed Servers.
Table 16-2 shows the Managed Servers and the hosts they migrate to in case of a failure.
Table 16-2 WLS_OIM1, WLS_OIM2, WLS_SOA1, WLS_SOA2 Server Migration
Managed Server | Migrated From | Migrated To |
---|---|---|
WLS_OIM1 | OIMHOST1 | OIMHOST2 |
WLS_OIM2 | OIMHOST2 | OIMHOST1 |
WLS_SOA1 | OIMHOST1 | OIMHOST2 |
WLS_SOA2 | OIMHOST2 | OIMHOST1 |
Verification From the Administration Console
Migration can also be verified in the Administration Console:
Log in to the Administration Console.
Click Domain on the left console.
Click the Monitoring tab and then the Migration sub tab.
The Migration Status table provides information on the status of the migration.
Note: After a server is migrated, to fail it back to its original node/machine, stop the Managed Server from the Oracle WebLogic Administration Console and then start it again. The appropriate Node Manager starts the Managed Server on the machine to which it was originally assigned.
This chapter describes how to configure single sign-on (SSO) for administration consoles. The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Manager Console
Oracle Identity Manager Console
This chapter includes the following topics:
This section describes how to integrate administration consoles with single sign-on. You need not perform the procedures in this section if you are integrating Oracle Access Manager with Oracle Identity Manager, as the integration command creates the security providers for you.
This section contains the following topics:
Note: Once you have enabled single sign-on for the administration consoles, ensure that at least one Oracle Access Manager server is running to enable console access. If you have used the Oracle WebLogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again. To start
DOMAIN_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001
Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed:
Configure Oracle HTTP Server, as described in Chapter 5, "Configuring the Web Tier."
Configure Oracle Access Manager, as described in Chapter 12, "Extending the Domain with Oracle Access Manager 11g."
Weblogic Administrators have been provisioned in LDAP as described in Chapter 11, "Creating Users and Groups for Oracle WebLogic Server."
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter domain). The application domains are configured to authenticate using the central Identity Management domain.
In Section 11.4.4, "Creating Users and Groups for Oracle WebLogic Server," you created a user called weblogic_idm and assigned it to the group IDM Administrators. To be able to manage WebLogic using this account, you must add the IDM Administrators group to the list of WebLogic Administration groups. This section describes how to add the IDM Administrators group to the list of WebLogic Administrators.
Log in to the WebLogic Administration Server Console.
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
On the Edit Arguments page, specify IDM Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Role page.
The Role Conditions table now shows the IDM Administrators group as an entry.
Click Save to finish adding the Admin role to the IDM Administrators group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.
The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow these steps to update the boot.properties file.
For the Administration Server on IDMHOST1
On IDMHOST1, go to the following directory:
ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
For example:
cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser
password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note: When you start the Administration Server, the username and password entries in the file get encrypted. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
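The note above leaves the credentials readable on disk until the server's next start. The following script is an added example, not part of the Oracle guide or of WebLogic: it audits boot.properties content and permission bits and reports values the server has not yet encrypted. It assumes WebLogic marks encrypted values with an {AES} prefix (older releases used {3DES}); the {AES} payloads in the sample are arbitrary base64, not real ciphertext.

```python
"""Audit a WebLogic boot.properties file for plaintext credentials.

Added example, not from the Oracle guide.  Sample inputs are constructed.
"""
import os
import stat

# Prefixes WebLogic writes in front of values it has encrypted (assumption:
# {AES} for current releases, {3DES} for older ones).
ENCRYPTED_PREFIXES = ("{AES}", "{3DES}")
REQUIRED_KEYS = ("username", "password")


def parse_boot_properties(text):
    """Return {key: value} from boot.properties text (blank and # lines skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_boot_properties(text):
    """Return a list of findings for the given boot.properties content."""
    props = parse_boot_properties(text)
    findings = []
    for key in REQUIRED_KEYS:
        value = props.get(key)
        if value is None:
            findings.append("%s is missing" % key)
        elif not value.startswith(ENCRYPTED_PREFIXES):
            findings.append("%s is still plaintext; start the server to encrypt it" % key)
    return findings


def audit_boot_properties_mode(mode):
    """Return findings for the file's permission bits (st_mode from os.stat)."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("boot.properties is readable by group or others; use mode 0600")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("boot.properties is writable by group or others")
    return findings


def audit_boot_properties_file(path):
    """Audit a real file on disk: content first, then permission bits."""
    with open(path, "r") as fh:
        findings = audit_boot_properties(fh.read())
    return findings + audit_boot_properties_mode(os.stat(path).st_mode)


# Constructed samples: the first mirrors the file as the guide creates it,
# the second the shape it takes after the server has encrypted it.
SAMPLE_PLAINTEXT = "username=weblogic_idm\npassword=Password for weblogic_idm user\n"
SAMPLE_ENCRYPTED = (
    "username={AES}Y29uc3RydWN0ZWQtc2FtcGxl\n"
    "password={AES}bm90LWEtcmVhbC1zZWNyZXQ=\n"
)
```

Running audit_boot_properties_file against each server's security/boot.properties after the restart confirms that the encryption the note relies on actually happened on every host.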
Restarting the Servers
Restart WebLogic Administration Server and all Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Restart the following servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Oracle Access Manager servers on OAMHOST1 and OAMHOST2
Oracle HTTP Servers on WEBHOST1 and WEBHOST2
This section describes how to install and configure WebGate. This task is not necessary for OIM11g/OAM10g integration.
This section contains the following topics:
Section 18.5.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2"
Section 18.5.4, "Patching the Oracle Access Manager 10g WebGates"
Section 18.5.6, "Validating the Oracle Access Manager Single Sign-On Setup"
Ensure that the following tasks have been performed before installing the Oracle Web Gate:
Install and configure the Oracle Web Tier as described in Chapter 5.
On Linux systems, make the special versions of the gcc libraries available, as described in Chapter 18.
Ensure Oracle Access Manager has been configured as described in Chapter 12.
Oracle Web Gate requires special versions of gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system. The Web Gate installer asks for the location of these library files at install time. Download the libraries from http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
See Also:
Before you install Oracle WebGate, ensure that the Managed Servers WLS_OAM1 and WLS_OAM2 are started.
Install Oracle WebGate as described in the following sections.
Start the Web Gate installer by issuing the command:
Oracle_Access_Managerversion_linux_OHS11g_WebGate -gui
Then perform the following steps:
On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen, click Next.
On the Customer Information screen, enter the username and group that the Oracle Access Manager server uses. This should be the same as the user and group that installed the Oracle HTTP Server. The default value for username and group is nobody. For example, enter oracle/oinstall.
Click Next.
Specify the installation directory for the Oracle Access Manager server. For example, enter: MW_HOME/oam/webgate.
Click Next.
Note: Oracle Access Manager WebGate is installed in the
Oracle Access Manager WebGate is installed in: /u01/app/oracle/product/fmw/oam/webgate/
The access directory is created by the installer automatically.
Specify the location of the GCC run-time libraries, for example: /u01/app/oracle/oam_lib
Click Next.
The installation progress screen is shown. After the installation process completes, the WebGate Configuration screen appears.
On the WebGate Configuration screen, you are prompted for the transport security mode:
The transport security between all Access System components (Policy Manager, Access Servers, and associated WebGates) must match; select one of the following: Open Mode, Simple Mode, or Cert Mode.
Select Simple Mode.
Click Next.
On the next WebGate Configuration screen, specify the following WebGate details:
WebGate ID: The agent name used in Section 12.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool," for example Webgate_IDM.
Password for Web Gate: If you entered a password when creating the agent, enter it here. Otherwise leave blank.
Access Server ID: The name of one of your Oracle Access Manager servers, for example: WLS_OAM1
Host Name: Enter the host name of one of the Oracle Access Manager servers, for example IDMHOST1
Global Access Protocol Passphrase: If your OAM servers are using the Simple security transport protocol, then specify the global passphrase that you use to interact with them.
Port Number the Access Server listens to: ProxyPort
Note: To find the port that the Oracle Access Manager server is using, log in to the oamconsole at:
Then perform the following steps:
The proxy entry has host and port information.
On the Configure Web Server screen, click Yes to automatically update the web server, then click Next.
On the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf file. The httpd.conf file is located under the following directory:
/u01/app/oracle/admin/ohsInstance/config/OHS/ohsComponentName
For example:
/u01/app/oracle/admin/ohs_instance2/config/OHS/ohs2/httpd.conf
Click Next.
On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.
Click Next.
The next screen, Configure Web Server, displays the following message:
If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up.
Click Next.
The next screen, Configure Web Server, displays a message with the location of the document that has information on the rest of the product setup, as well as Web Server configuration.
Select No and click Next.
The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web Server.
Click Next.
The Oracle COREid Readme screen appears. Review the information on the screen and click Next.
A message appears, along with the details of the installation, informing you that the installation was successful.
Click Finish.
Replace the file ObAccessClient.xml in the directory MW_HOME/oam/webgate/access/oblix/lib with the file generated in Section 12.6.2, "Configuring Oracle Access Manager by Using the IDM Automation Tool."
Restart the web server by following the instructions in Chapter 19, "Starting and Stopping Oracle Identity Management Components."
Repeat for WEBHOST2.
You must create a logout page to enable applications to log out. A default page exists, but you must edit it and copy it to the WebGate installation on WEBHOST1 and WEBHOST2.
Copy the file logout.html from the directory DOMAIN_HOME/output/Webgate_IDM on IDMHOST1 to MW_HOME/oam/webgate/access/oamsso on WEBHOST1 and WEBHOST2.
Now that you have your own logout page on the web server, you must remove the default entry.
Edit the file httpd.conf, located in the directory:
ORACLE_INSTANCE/config/OHS/component name/
Comment out the following lines by adding a # at the beginning. The edited lines look like this:
#*******Default Login page alias***
Alias /oamsso "/u01/app/oracle/product/fmw/webgate/access/oamsso"
#<LocationMatch "/oamsso/*">
#Satisfy any
#</LocationMatch>
#**********************************
Save the file.
Restart the Oracle HTTP server, as described in Chapter 19, "Starting and Stopping Oracle Identity Management Components."
This software cannot be patched until it is installed, as described in Section 18.5.3, "Installing Oracle WebGate on WEBHOST1 and WEBHOST2."
Follow these steps to patch the WebGates in your environment:
Download the Oracle Access Manager OHS11g WebGate patch 12816881 from My Oracle Support at https://support.oracle.com. The patch name is p12816881_10143_Linux-x86-64.zip.
Stop the Oracle HTTP Server 11g instances on WEBHOST1 and WEBHOST2 by following the steps in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Unzip the p12816881_10143_Linux-x86-64.zip file to a temporary location. This creates two directories. On 32-bit Linux, the directories are:
Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter
Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_message_en-us
On 64-bit Linux, the directories are:
Oracle_Access_Manager10_1_4_3_0_BP10_Patch_linux64_OHS11g_WebGate_binary_parameter
Oracle_Access_Manager10_1_4_3_0_BP10_Patch_linux64_OHS11g_WebGate_message_en-us
Change directory to: PatchExtractLocation/Oracle_Access_Manager10_1_4_3_0_BPxx_Patch_linux_OHS11g_WebGate_binary_parameter
Uninstall any existing patches because you must apply patches to the base version.
To detect the presence of an existing patch, determine the version number, as follows:
Open the file webgate-install/oblix/config/np1014_wg.txt
Check the Version field.
If the Version value is the base version, 10.1.4.3.0 M11, then it does not contain any patch.
If the Version value is different from the base version, indicating that there is a patch, uninstall the patch as follows:
Navigate to the location within the WebGate installation where the patchinst script is present, for example:
cd /u01/app/oracle/product/fmw/oam/webgate/access/oblix/patch/10143005BP05/Oracle_Access_Manager10_1_4_3_0_BP05_Patch_linux64_OHS11g_WebGate_binary_parameter/
Execute the command:
./patchinst -u
Specify the WebGate installation area when prompted.
Start the patch installation tool by typing:
./patchinst -i InstallDir/access
where InstallDir is the path to the Oracle Access Manager server install location. For example:
/u01/app/oracle/product/fmw/oam/webgate/
This applies the required patch for Oracle Access Manager-Oracle Identity Manager integration to the Oracle Access Manager 10.1.4.3.0 WebGate Instance. Please see the Release Notes for the exact patch level required.
Apply this patch to all the WebGate instances in your environment.
Start the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
You can test that WebGate is functioning correctly by accessing the URL:
http://admin.mycompany.com/oamconsole
The Oracle Access Manager Login page is displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. The OAM console is then displayed.
To validate the setup, open a web browser and go to the following URLs:
http://admin.mycompany.com/console
http://admin.mycompany.com/em
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.
This chapter describes how to extend the domain with Oracle Virtual Directory (OVD) in the enterprise deployment.
This chapter includes the following topics:
Section 9.1, "Prerequisites for Configuring Oracle Virtual Directory Instances"
Section 9.3, "Configuring the Oracle Virtual Directory Instances"
Section 9.5, "Disable Oracle Virtual Directory Listener SSL NIO"
Section 9.6, "Validating the Oracle Virtual Directory Instances"
Section 9.7, "Creating ODSM Connections to Oracle Virtual Directory"
Section 9.8, "Creating Adapters in Oracle Virtual Directory"
Section 9.10, "Backing Up the Oracle Virtual Directory Configuration"
Follow these steps to configure the Oracle Virtual Directory components, OVDHOST1 and OVDHOST2, on the directory tier with Oracle Virtual Directory. The procedures for the installations are very similar, but the selections in the configuration options screen differ.
Before configuring the Oracle Virtual Directory instances on OVDHOST1 and OVDHOST2, ensure that the following tasks have been performed:
Install and upgrade the software on OVDHOST1 and OVDHOST2 as described in the following sections.
If you plan on provisioning the Oracle Virtual Directory instances on shared storage, ensure that the appropriate shared storage volumes are mounted on OVDHOST1 and OVDHOST2 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."
Ensure that the load balancer is configured as described in Section 2.2.2, "Configuring Virtual Server Names and Ports on the Load Balancer."
Use of Oracle Virtual Directory is strongly recommended for all Identity Store deployments. This includes cases where your Identity Store uses multiple directories or a single directory (including Oracle Internet Directory).
This section contains the following topics:
Section 9.3.1, "Configuring the First Oracle Virtual Directory Instance"
Section 9.3.2, "Configuring an Additional Oracle Virtual Directory"
Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
On UNIX:
netstat -an | grep "6501"
netstat -an | grep "7501"
If the ports are in use (that is, if the command returns output identifying either port), you must free the port.
On UNIX:
Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.
Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.
Edit the staticports.ini file that you copied to the temporary directory to assign ports 6501 and 7501, as follows:
Port | Value |
---|---|
Non SSL Port for Oracle Virtual Directory | 6501 |
SSL Port for Oracle Virtual Directory | 7501 |
Start the Oracle Identity Management 11g Configuration Assistant by running IDM_ORACLE_HOME/bin/config.sh.
On the Welcome screen, click Next.
On the Select Domain screen, select Configure without a Domain.
Click Next.
On the Specify Installation Location screen, specify the following values:
Oracle Instance Location: /u01/app/oracle/admin/ovd_inst1
Oracle Instance Name: ovd_inst1
Click Next.
On the Specify Email for Security Updates screen, specify these values:
Email Address: Provide the email address for your My Oracle Support account.
Oracle Support Password: Provide the password for your My Oracle Support account.
Check the check box next to the I wish to receive security updates via My Oracle Support field.
Click Next.
On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and then click Next.
On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.
Click Next.
On the Specify Virtual Directory screen: In the Client Listeners section, enter:
LDAP v3 Name Space: dc=mycompany,dc=com
In the OVD Administrator section, enter:
Administrator User Name: cn=orcladmin
Password: administrator_password
Confirm Password: administrator_password
Select Configure the Administrative Server in secure mode.
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.
On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.
Click Next.
On the Installation Complete screen, click Finish to confirm your choice to exit.
To validate the installation of the Oracle Virtual Directory instance on OVDHOST1, issue these commands:
ldapbind -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q
Note: Ensure that the following environment variables are set before using
The schema database must be running before you perform this task. Follow these steps to install Oracle Virtual Directory on OVDHOST2:
Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
On UNIX:
netstat -an | grep "6501"
netstat -an | grep "7501"
If the ports are in use (that is, if the command returns output identifying either port), you must free the port.
On UNIX:
Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.
Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.
Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:
Port | Value |
---|---|
Non SSL Port for Oracle Virtual Directory | 6501 |
SSL Port for Oracle Virtual Directory | 7501 |
Start the Oracle Identity Management 11g Configuration Assistant by running IDM_ORACLE_HOME/bin/config.sh.
On the Welcome screen, click Next.
On the Select Domain screen, select Configure without a Domain.
Click Next.
On the Specify Installation Location screen, specify the following values:
Oracle Instance Location: /u01/app/oracle/admin/ovd_inst2
Oracle Instance Name: ovd_inst2
Click Next.
On the Specify Email for Security Updates screen, specify these values:
Email Address: Provide the email address for your My Oracle Support account.
Oracle Support Password: Provide the password for your My Oracle Support account.
Check the check box next to the I wish to receive security updates via My Oracle Support field.
Click Next.
On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and click Next.
On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.
Click Next.
On the Specify Virtual Directory screen: In the Client Listeners section, enter:
LDAP v3 Name Space: dc=mycompany,dc=com
In the OVD Administrator section, enter:
Administrator User Name: cn=orcladmin
Password: administrator_password
Confirm Password: administrator_password
Select Configure the Administrative Server in secure mode.
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.
On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.
Click Next.
On the Installation Complete screen, click Finish to confirm your choice to exit.
To validate the installation of the Oracle Virtual Directory instance on OVDHOST2, issue these commands:
ldapbind -h ovdhost2.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h ovdhost2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
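The port check at the start of this procedure uses grep "6501", which also matches any port number that merely contains those digits (16501, 36501). As an added example that is not part of the Oracle guide, the following script matches the port exactly and also looks for leftover /etc/services entries; the netstat and /etc/services samples are constructed.

```python
"""Added example, not part of the Oracle guide: check that the two ports the
guide assigns in staticports.ini (6501 non-SSL, 7501 SSL) are free, matching
the port exactly rather than as a substring the way `grep "6501"` does."""
import re

OVD_PORTS = (6501, 7501)
# Constructed `netstat -an` sample, not a real capture; 16501 is the substring trap.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:16501         0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:7501           10.0.0.9:43210          ESTABLISHED
tcp6       0      0 :::7001                 :::*                    LISTEN
"""
# Constructed /etc/services excerpt with entries left behind by an earlier install.
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh             22/tcp
ovd-ldap        6501/tcp
ovd-ldaps       7501/tcp
"""

def local_ports(netstat_text):
    """Set of local port numbers in netstat -an output ('host:port' or BSD 'host.port')."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        match = re.search(r"[:.](\d+)$", fields[3])
        if match:
            ports.add(int(match.group(1)))
    return ports

def service_ports(services_text):
    """{port: service name} for the non-comment entries of an /etc/services file."""
    entries = {}
    for line in services_text.splitlines():
        match = re.match(r"(\S+)\s+(\d+)/(tcp|udp)", line.split("#", 1)[0].strip())
        if match:
            entries[int(match.group(2))] = match.group(1)
    return entries

def ovd_port_conflicts(netstat_text, services_text, ports=OVD_PORTS):
    """{port: [reasons]} for OVD ports that are not free; empty dict means both are free."""
    in_use, reserved, conflicts = local_ports(netstat_text), service_ports(services_text), {}
    for port in ports:
        reasons = ["socket open"] if port in in_use else []
        if port in reserved:
            reasons.append("/etc/services entry " + reserved[port])
        if reasons:
            conflicts[port] = reasons
    return conflicts
```

On a real host, feed it the output of netstat -an and the contents of /etc/services; an empty result means both ports can be assigned in staticports.ini.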
Note: Ensure that the following environment variables are set before using
All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Virtual Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously unregistered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.
To register the Oracle Virtual Directory instances, follow these steps on OVDHOST1:
Set the ORACLE_HOME variable. For example, issue this command:
export ORACLE_HOME=IDM_ORACLE_HOME
Set the ORACLE_INSTANCE variable. For example, on OVDHOST1, issue this command:
export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst1
On OVDHOST2, issue this command:
export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst2
Execute the opmnctl registerinstance command:
ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName -adminPort WLSPort -adminUsername adminUserName
For example:
ORACLE_INSTANCE/bin/opmnctl registerinstance \
-adminHost ADMINVHN.mycompany.com -adminPort 7001 -adminUsername weblogic
The command requires you to log in to the WebLogic Administration Server:
Username: weblogic
Password: password
Note: For additional details on registering Oracle Virtual Directory components with a WebLogic Server domain, see the "Registering an Oracle Instance Using OPMNCTL" section in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.
In order to manage Oracle Virtual Directory by using Oracle Enterprise Manager Fusion Middleware Control, you must update the Enterprise Manager Repository URL to point to the virtual IP address associated with the WebLogic Administration Server. Do this using the emctl utility with the switchOMS flag. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.
Syntax:
./emctl switchOMS ReposURL
For example:
./emctl switchOMS http://ADMINVHN:7001/em/upload
Output:
./emctl switchOMS http://ADMINVHN.mycompany.com:7001/em/upload
Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.
Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.
SwitchOMS succeeded.
Validate that the agents on OVDHOST1 and OVDHOST2 are configured properly to monitor their respective targets. Follow these steps to complete this task:
Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://adminvhn.mycompany.com:7001/em. Log in as the weblogic user.
From the Domain Home Page, navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.
Validate that the host name in the Agent URL under the Agent column matches the host name under the Host column. In case of a mismatch, follow these steps to correct the issue:
Click Configure to go to the Configure Target page.
On the Configure Target Page, click Change Agent and choose the correct agent for the host.
Update the WebLogic monitoring user name and the WebLogic monitoring password. Enter weblogic as the WebLogic monitoring user name and the password for the weblogic user as the WebLogic monitoring password.
Click OK to save your changes.
Configure Oracle Virtual Directory for SSL as follows.
Before running the SSL configuration command, ensure that:
Oracle Identity Management is installed.
Oracle Identity and Access Management is installed.
Site certificate has been generated as described in Section 7.4.2, "Generating a Certificate to be Used by the Identity Management Domain."
If you are using Windows, you have installed a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com.
Before configuring Oracle Virtual Directory for SSL, set the ORACLE_HOME, ORACLE_INSTANCE and JAVA_HOME variables. For example, on OVDHOST1 and OVDHOST2, issue these commands (on OVDHOST2, ORACLE_INSTANCE is /u01/app/oracle/admin/ovd_inst2, as used when registering the instance):
export ORACLE_HOME=IDM_ORACLE_HOME
export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst1
export PATH=$JAVA_HOME/bin:$PATH
Start the SSL Configuration tool by issuing the SSLServerConfig command, which is located in the ORACLE_COMMON_HOME/bin directory.
For example:
ORACLE_COMMON_HOME/bin/SSLServerConfig.sh -component ovd
When prompted, enter the following information:
LDAP Hostname: Central LDAP host, for example: policystore.mycompany.com
Note: It is recommended that you use the Policy Store directory, not the Identity Store.
LDAP port: LDAP port, for example: 389
Admin user DN: cn=orcladmin
Password: administrator_password
sslDomain for the CA: IDMDomain
Password to protect your SSL wallet/keystore: password_for_local_keystore
Enter confirmed password for your SSL wallet/keystore: password_for_local_keystore
Password for the CA wallet: certificate_password. This is the one created in Section 7.4.2, "Generating a Certificate to be Used by the Identity Management Domain."
Country Name 2 letter code: Two letter country code, such as US
State or Province Name: State or province, for example: California
Locality Name: Enter the name of your city, for example: RedwoodCity
Organization Name: Company name, for example: mycompany
Organizational Unit Name: Leave at the default
Common Name: Name of this host, for example: OVDHOST1.mycompany.com
OVD component name: Name of your Oracle Instance. This is the value you entered in Step 7 of Section 9.3.1, "Configuring the First Oracle Virtual Directory Instance" and Section 9.3.2, "Configuring an Additional Oracle Virtual Directory," one for each instance, for example: ovd1
OVD Instance Name: for example, ovd1. If you need to determine what your OVD component name is, execute the command:
ORACLE_INSTANCE/bin/opmnctl status
Oracle instance name: Name of your Oracle instance, for example: asinst_ovd1
WebLogic admin host: Host running the WebLogic Administration Server, for example: adminvhn.mycompany.com
WebLogic admin port: WebLogic Administration Server port, for example: 7001
WebLogic admin user: Name of your WebLogic administration user, for example: weblogic
WebLogic password: password.
SSL wallet name for OVD component [ovdks1.jks]: Accept the default
When asked if you want to restart your Oracle Virtual Directory component, enter Yes.
When asked if you would like to test your OVD SSL connection, enter Yes. Ensure that the test is a success.
Note: If this step fails, perform the steps in Section 9.5, "Disable Oracle Virtual Directory Listener SSL NIO" as a workaround.
Before you can bind to the SSL port on Oracle Virtual Directory you must disable NIO. To do this, perform the following steps on each of the Oracle Virtual Directory instances:
Stop Oracle Virtual Directory by typing:
ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1
Edit the file:
ORACLE_INSTANCE/config/OVD/component/listeners.os_xml
Locate the section for the LDAP SSL listener, which looks like this:
<ldap version="20" id="LDAP SSL Endpoint">
  <port>7501</port>
  <host>0.0.0.0</host>
  .........
  .........
  <ssl enabled="true">
    <protocols>SSLv3</protocols>
    <cipherSuites>
    .......
    .......
    <tcpNoDelay>true</tcpNoDelay>
    <readTimeout>180000</readTimeout>
  </socketOptions>
</ldap>
Modify this section so that it looks like this:
<ldap version="20" id="LDAP SSL Endpoint">
  <port>7501</port>
  <host>0.0.0.0</host>
  .........
  .........
  <ssl enabled="true">
    <protocols>SSLv3,TLSv1,SSLv2Hello</protocols>
    <cipherSuites includeAnonCiphers="true">
      <cipher>SSL_RSA_WITH_RC4_128_MD5</cipher>
      <cipher>SSL_RSA_WITH_RC4_128_SHA</cipher>
      <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
    </cipherSuites>
    ......
    ......
    <tcpNoDelay>true</tcpNoDelay>
    <
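The workaround above enables SSLv3 and SSLv2Hello, turns on anonymous cipher suites and lists RC4 suites on the listener. As an added example that is not the guide's code, this script parses a listeners.os_xml fragment and reports those settings so they can be reviewed and tightened once the SSL connection test passes; the <listeners> root element and the list of weak-suite markers are assumptions, and the sample file is constructed.

```python
"""Added example, not the guide's code: audit the LDAP SSL listener in an OVD
listeners.os_xml after the Section 9.5 edit, reporting the protocol and
cipher-suite settings that weaken it. The <listeners> root is assumed."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post-workaround fragment; not a real file.
SAMPLE_LISTENERS = """\
<listeners>
  <ldap version="20" id="LDAP Endpoint"><port>6501</port><ssl enabled="false"/></ldap>
  <ldap version="20" id="LDAP SSL Endpoint">
    <port>7501</port>
    <host>0.0.0.0</host>
    <ssl enabled="true">
      <protocols>SSLv3,TLSv1,SSLv2Hello</protocols>
      <cipherSuites includeAnonCiphers="true">
        <cipher>SSL_RSA_WITH_RC4_128_MD5</cipher>
        <cipher>SSL_RSA_WITH_RC4_128_SHA</cipher>
        <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
      </cipherSuites>
    </ssl>
  </ldap>
</listeners>
"""
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3"}          # deprecated hello format / protocol
WEAK_CIPHER_MARKERS = ("_RC4_", "_MD5", "_NULL_", "_anon_", "_DES_")

def audit_ssl_listeners(xml_text):
    """{listener id: [findings]} for each SSL-enabled <ldap> listener; {} means nothing flagged."""
    findings = {}
    for ldap in ET.fromstring(xml_text).iter("ldap"):
        ssl = ldap.find("ssl")
        if ssl is None or ssl.get("enabled") != "true":
            continue                     # plain listener: nothing to audit here
        issues = []
        enabled = {p.strip() for p in (ssl.findtext("protocols") or "").split(",")}
        for proto in sorted(LEGACY_PROTOCOLS & enabled):
            issues.append("legacy protocol enabled: " + proto)
        suites = ssl.find("cipherSuites")
        if suites is not None:
            if suites.get("includeAnonCiphers") == "true":
                issues.append("anonymous (unauthenticated) cipher suites enabled")
            for cipher in suites.findall("cipher"):
                name = (cipher.text or "").strip()
                if any(marker in name for marker in WEAK_CIPHER_MARKERS):
                    issues.append("weak cipher suite: " + name)
        if issues:
            findings[ldap.get("id", "?")] = issues
    return findings
```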