Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (11.1.4)

Part Number E21032-11

12 Extending the Domain to Include Oracle Virtual Directory

This chapter describes how to extend the Identity Management domain to include Oracle Virtual Directory (OVD).

This chapter includes the following topics:

12.1 Overview of Extending the Domain to Include Oracle Virtual Directory

Use of Oracle Virtual Directory is strongly recommended for all Identity Store deployments. This includes cases where your Identity Store uses multiple directories or a single directory (including Oracle Internet Directory).

Follow the steps in this chapter to configure the Oracle Virtual Directory components on LDAPHOST1 and LDAPHOST2 in the directory tier. The procedures for the two installations are very similar, but the selections in the configuration options screen differ.

12.2 Prerequisites for Configuring Oracle Virtual Directory Instances

Before configuring the Oracle Virtual Directory instances on LDAPHOST1 and LDAPHOST2, ensure that the following tasks have been performed:

  1. Install and upgrade the software on LDAPHOST1 and LDAPHOST2 as described in Chapter 6, "Installing the Software for an Enterprise Deployment."

  2. If you plan on provisioning the Oracle Virtual Directory instances on shared storage, ensure that the appropriate shared storage volumes are mounted on LDAPHOST1 and LDAPHOST2 as described in Section 4.4.4, "Directory Structure."

  3. Ensure that the load balancer is configured as described in Section 3.2, "About Virtual Server Names Used by the Topologies."

12.3 Configuring the Oracle Virtual Directory Instances

This section contains the following topics:

12.3.1 Configuring the First Oracle Virtual Directory Instance

  1. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On Linux:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

    On Linux:

    Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Create a file containing the ports used by Oracle Virtual Directory. On Disk1 of the installation media, locate the file stage/Response/staticports.ini. Copy it to a file called ovd_ports.ini. Delete all entries in ovd_ports.ini except for Non-SSL Port for Oracle Virtual Directory and SSL Port for Oracle Virtual Directory. Change the values of those ports to 6501 and 7501, respectively.

    Note:

    If the port names in the file are slightly different from those listed in this step, use the names in the file.

  3. Start the Oracle Identity Management 11g Configuration Wizard by running IDM_ORACLE_HOME/bin/config.sh.

  4. On the Welcome screen, click Next.

  5. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  6. On the Specify Installation Location screen, specify the following values:

    • Oracle Instance Location: /u01/app/oracle/admin/ovd1

    • Oracle Instance Name: ovd1

    Click Next.

  7. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  8. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and then click Next.

  9. On the Configure Ports screen, you use the ovd_ports.ini file you created in Step 2 to specify the ports to be used. This enables you to bypass automatic port configuration.

    1. Select Specify Ports using a Configuration File.

    2. In the file name field specify ovd_ports.ini.

    3. Click Save, then click Next.

  10. On the Specify Virtual Directory screen: In the Client Listeners section, enter:

    • LDAP v3 Name Space: dc=mycompany,dc=com

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: administrator_password

    • Confirm Password: administrator_password

    Select Configure the Administrative Server in secure mode.

    Click Next.

  11. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  12. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

    Click Next.

  13. On the Installation Complete screen, click Finish to confirm your choice to exit.

  14. To validate the installation of the Oracle Virtual Directory instance on LDAPHOST1, issue these commands:

    ldapbind -h LDAPHOST1.mycompany.com -p 6501 -D "cn=orcladmin" -q
    ldapbind -h LDAPHOST1.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
    

    Note:

    Ensure that the following environment variables are set before using ldapbind:

    • ORACLE_HOME (set to IDM_ORACLE_HOME)

    • ORACLE_INSTANCE

    • PATH - The following directory locations should be in your PATH:

      ORACLE_HOME/bin

      ORACLE_HOME/ldap/bin

      ORACLE_HOME/ldap/admin

12.3.2 Configuring an Additional Oracle Virtual Directory

The schema database must be running before you perform this task. Follow these steps to install Oracle Virtual Directory on LDAPHOST2:

  1. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On Linux:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

    On Linux:

    Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Start the Oracle Identity Management 11g Configuration Wizard by running IDM_ORACLE_HOME/bin/config.sh.

  3. On the Welcome screen, click Next.

  4. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  5. On the Specify Installation Location screen, specify the following values:

    Oracle Instance Location: /u01/app/oracle/admin/ovd2

    Oracle Instance Name: ovd2

    Click Next.

  6. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  7. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and click Next.

  8. On the Configure Ports screen, you use the ovd_ports.ini file you created in Section 12.3.1, "Configuring the First Oracle Virtual Directory Instance" to specify the ports to be used. This enables you to bypass automatic port configuration.

    1. Select Specify Ports using a Configuration File.

    2. In the file name field specify ovd_ports.ini.

    3. Click Save, then click Next.

  9. On the Specify Virtual Directory screen: In the Client Listeners section, enter:

    • LDAP v3 Name Space: dc=mycompany,dc=com

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: administrator_password

    • Confirm Password: administrator_password

    Select Configure the Administrative Server in secure mode.

    Click Next.

  10. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  11. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

    Click Next.

  12. On the Installation Complete screen, click Finish to confirm your choice to exit.

  13. To validate the installation of the Oracle Virtual Directory instance on LDAPHOST2, issue these commands:

    ldapbind -h LDAPHOST2.mycompany.com -p 6501 -D "cn=orcladmin" -q
    ldapbind -h LDAPHOST2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
    

    Note:

    Ensure that the following environment variables are set before using ldapbind:

    • ORACLE_HOME (set to IDM_ORACLE_HOME)

    • ORACLE_INSTANCE

    • PATH - The following directory locations should be in your PATH:

      ORACLE_HOME/bin

      ORACLE_HOME/ldap/bin

      ORACLE_HOME/ldap/admin
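
The port check from step 1 of Sections 12.3.1 and 12.3.2 as a script, added here as an example that is not part of the Oracle guide. `grep "6501"` matches any line containing those digits (a listener on port 16501, or a client connection to a remote port 6501), so this version reports only TCP sockets listening on exactly the requested local port; the helper names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-match listener check for the OVD ports.
# Constructed `netstat -an` output (not captured from a real host). Neither
# line containing "6501" is a listener on port 6501.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:16501           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:40212          10.0.0.9:6501           ESTABLISHED
tcp6       0      0 :::7501                 :::*                    LISTEN'

# port_listening PORT  (hypothetical helper)
# Reads netstat -an output on stdin, prints TCP sockets in LISTEN state whose
# local port is exactly PORT, and returns 0 if there is at least one.
port_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, ":")     # local address: 0.0.0.0:6501 or :::6501
            if (part[n] == port) { print; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# busy_ovd_ports NETSTAT_TEXT PORT...  (hypothetical helper)
# Prints the subset of the given ports that already have a listener.
busy_ovd_ports() {
    text=$1
    shift
    busy=""
    for p in "$@"; do
        if printf '%s\n' "$text" | port_listening "$p" >/dev/null; then
            busy="$busy $p"
        fi
    done
    printf '%s\n' "${busy# }"
}

# On a real host: busy_ovd_ports "$(netstat -an)" 6501 7501
echo "substring matches for 6501: $(printf '%s\n' "$SAMPLE_NETSTAT" | grep -c '6501')"
echo "ports with a listener: $(busy_ovd_ports "$SAMPLE_NETSTAT" 6501 7501)"
```

An empty result from `busy_ovd_ports` means both ports are free for the Configuration Wizard to use.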

12.4 Post-Configuration Steps

This section contains the following topics:

12.4.1 Registering Oracle Virtual Directory with the Oracle WebLogic Server Domain (IDMDomain)

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Virtual Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously un-registered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.

To register the Oracle Virtual Directory instances, follow these steps on LDAPHOST1 and LDAPHOST2 for each instance:

  1. Set the ORACLE_HOME variable. For example, issue this command:

    export ORACLE_HOME=IDM_ORACLE_HOME
    
  2. Set the ORACLE_INSTANCE variable. For example, on LDAPHOST1, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd1
    

    On LDAPHOST2, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd2
    
  3. Execute the opmnctl registerinstance command:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName  -adminPort WLSPort -adminUsername adminUserName
    

    For example:

    ORACLE_INSTANCE/bin/opmnctl registerinstance \
       -adminHost ADMINVHN.mycompany.com -adminPort 7001 -adminUsername weblogic
    

    The command requires login to WebLogic Administration Server.

    Username: weblogic

    Password: password

    Note:

    For additional details on registering Oracle Virtual Directory components with a WebLogic Server domain, see the "Registering an Oracle Instance Using OPMNCTL" section in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

  4. In order to manage Oracle Virtual Directory by using Oracle Enterprise Manager Fusion Middleware Control, you must update the Enterprise Manager Repository URL to point to the virtual IP address associated with the WebLogic Administration Server. Do this using the emctl utility with the switchOMS flag. This will enable the local emagent to communicate with the WebLogic Administration Server using the virtual IP address. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

    Syntax:

    ./emctl switchOMS ReposURL
    

    For example:

    ./emctl switchOMS http://ADMINVHN.mycompany.com:7001/em/upload
    

    Output:

    ./emctl switchOMS http://ADMINVHN.mycompany.com:7001/em/upload 
    Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0. 
    Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved. 
    SwitchOMS succeeded.
    
  5. Force the agent to reload its configuration by issuing the command:

    ./emctl reload
    
  6. Check that the agent is using the correct Upload URL using the command:

    ./emctl status agent
    
  7. Validate that the agents on LDAPHOST1 and LDAPHOST2 are configured properly to monitor their respective targets. Follow these steps to complete this task:

    1. Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://adminvhn.mycompany.com:7001/em. Log in as the weblogic user.

    2. From the Domain Home Page, navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.

    3. Update the WebLogic monitoring user name and the WebLogic monitoring password.

      • Enter weblogic as the WebLogic monitoring user name and the password for the weblogic user as the WebLogic monitoring password.

      • Click OK to save your changes.

12.4.2 Configuring Oracle Virtual Directory to Accept Server Authentication Only Mode SSL Connections

Configure Oracle Virtual Directory as follows.

12.4.2.1 Prerequisites

Prior to running this command ensure that:

12.4.2.2 Configuring Oracle Virtual Directory for SSL

Before configuring Oracle Virtual Directory for SSL, set the ORACLE_HOME, ORACLE_INSTANCE and JAVA_HOME variables. For example, on LDAPHOST1 issue these commands:

export ORACLE_HOME=IDM_ORACLE_HOME
export PATH=$JAVA_HOME/bin:$PATH
export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd1

Start the SSL Configuration tool by issuing the SSLServerConfig command, which is located in the ORACLE_COMMON_HOME/bin directory.

For example:

ORACLE_COMMON_HOME/bin/SSLServerConfig.sh -component ovd

When prompted, enter the following information:

  • LDAP Hostname: Central LDAP host, for example: policystore.mycompany.com

    Note:

    It is recommended that you use the Policy Store directory, not the Identity Store.

  • LDAP port: LDAP port, for example: 389

  • Admin user DN: cn=orcladmin

  • Password: administrator_password

  • sslDomain for the CA: IDMDomain

  • Password to protect your SSL wallet/keystore: password_for_local_keystore

  • Enter confirmed password for your SSL wallet/keystore: password_for_local_keystore

  • Password for the CA wallet: certificate_password. This is the one created in Section 9.5.2, "Generating a Certificate to be Used by the Identity Management Domain."

  • Country Name 2 letter code: Two letter country code, such as US

  • State or Province Name: State or province, for example: California

  • Locality Name: Enter the name of your city, for example: RedwoodCity

  • Organization Name: Company name, for example: mycompany

  • Organizational Unit Name: Leave at the default

  • Common Name: Name of this host, for example: LDAPHOST1.mycompany.com

  • OVD Instance Name: for example, ovd1. If you need to determine what your OVD component name is, execute the command:

    ORACLE_INSTANCE/bin/opmnctl status
    
  • Oracle instance name: Name of your Oracle instance, for example: ovd1

  • WebLogic admin host: Host running the WebLogic Administration Server, for example: adminvhn.mycompany.com

  • WebLogic admin port: WebLogic Administration Server port, for example: 7001

  • WebLogic admin user: Name of your WebLogic administration user, for example: weblogic

  • WebLogic password: password.

  • SSL wallet name for OVD component [ovdks1.jks]: Accept the default

When asked if you want to restart your Oracle Virtual Directory component, enter Yes.

When asked if you would like to test your OVD SSL connection, enter Yes. Ensure that the test is a success.

Repeat for each Oracle Virtual Directory instance in the configuration, running the command on the appropriate LDAPHOST.

12.5 Validating the Oracle Virtual Directory Instances

To validate the Oracle Virtual Directory instances, ensure that you can connect to each Oracle Virtual Directory instance and the load balancing router using these ldapbind commands.

Follow the steps in Section 12.4.2.2, "Configuring Oracle Virtual Directory for SSL" before running the ldapbind command with the SSL port.

ldapbind -h LDAPHOST1.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h LDAPHOST2.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h idstore.mycompany.com -p 389 -D "cn=orcladmin" -q

ldapbind -h LDAPHOST1.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
ldapbind -h LDAPHOST2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1

12.6 Creating ODSM Connections to Oracle Virtual Directory

Before you can manage Oracle Virtual Directory you must create connections from ODSM to each of your Oracle Virtual Directory instances. To do this, proceed as follows:

  1. Access ODSM through the load balancer at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. Follow these steps to create connections to Oracle Virtual Directory. Create connections to each Oracle Virtual Directory node separately. Using the Oracle Virtual Directory load balancer virtual host from ODSM is not supported:

    1. Create a direct connection to Oracle Virtual Directory on LDAPHOST1 providing the following information in ODSM:

      Host: LDAPHOST1.mycompany.com
      Port: 8899  (The Oracle Virtual Directory proxy port)
      Enable the SSL option
      User: cn=orcladmin
      Password: password_to_connect_to_OVD
      
    2. Create a direct connection to Oracle Virtual Directory on LDAPHOST2 providing the following information in ODSM:

      Host: LDAPHOST2.mycompany.com
      Port: 8899  (The Oracle Virtual Directory proxy port)
      Enable the SSL option
      User: cn=orcladmin
      Password: password_to_connect_to_OVD
      

12.7 Creating Adapters in Oracle Virtual Directory

Oracle Virtual Directory communicates with other directories through adapters.

The procedure is slightly different, depending on the directory you are connecting to. The following sections show how to create and validate adapters for supported directories:

12.7.1 Ensuring the Change Log Generation is Enabled in Oracle Internet Directory

Before you create a change log adapter in Oracle Virtual Directory, you must ensure that the back end Oracle Internet Directory servers have changelog generation enabled.

To test whether a directory server has changelog generation enabled, type:

ldapsearch -h directory_host -p ldap_port -D bind_dn -q -b '' -s base 'objectclass=*' lastchangenumber

For example:

ldapsearch -h LDAPHOST1 -p 3060 -D "cn=orcladmin" -q -b '' -s base 'objectclass=*' lastchangenumber

If the command output includes lastchangenumber with a value, changelog generation is enabled. If changelog generation is not enabled, enable it as described in the "Enabling and Disabling Changelog Generation by Using the Command Line" section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

12.7.2 Creating Oracle Virtual Directory Adapters for Oracle Internet Directory and Active Directory

You can use idmConfigTool to create the Oracle Virtual Directory User and Changelog adapters for Oracle Internet Directory and Active Directory. Oracle Identity Manager requires adapters. It is highly recommended, though not mandatory, that you use Oracle Virtual Directory to connect to Oracle Internet Directory.

To do this, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME

    Set ORACLE_HOME to IAM_ORACLE_HOME

  2. Create a properties file for the adapter you are configuring called ovd1.props. The contents of this file depend on whether you are configuring the Oracle Internet Directory adapter or the Active Directory adapter.

    • Oracle Internet Directory adapter properties file:

      ovd.host:LDAPHOST1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:OID
      ldap1.host:oididstore.us.oracle.com
      ldap1.port:3060
      ldap1.binddn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
      ldap1.password:oidpassword
      ldap1.ssl:false
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      
    • Active Directory adapter properties file:

      ovd.host:LDAPHOST1.mycompany.com
      ovd.port:8899
      ovd.binddn:cn=orcladmin
      ovd.password:ovdpassword
      ovd.oamenabled:true
      ovd.ssl:true
      ldap1.type:AD
      ldap1.host:adidstore.us.oracle.com
      ldap1.port:636
      ldap1.binddn:cn=adminuser
      ldap1.password:adpassword
      ldap1.ssl:true
      ldap1.base:dc=mycompany,dc=com
      ldap1.ovd.base:dc=mycompany,dc=com
      usecase.type: single
      

    The following list describes the parameters used in the properties file.

    • ovd.host is the host name of a server running Oracle Virtual Directory.

    • ovd.port is the https port used to access Oracle Virtual Directory.

    • ovd.binddn is the user DN you use to connect to Oracle Virtual Directory.

    • ovd.password is the password for the DN you use to connect to Oracle Virtual Directory.

    • ovd.oamenabled is always true in Fusion Applications deployments.

    • ovd.ssl is set to true, as you are using an https port.

    • ldap1.type is set to OID for the Oracle Internet Directory back end directory or set to AD for the Active Directory back end directory.

    • ldap1.host is the host on which the back end directory is located. Use the load balancer name.

    • ldap1.port is the port used to communicate with the back end directory.

    • ldap1.binddn is the bind DN of the oimLDAP user.

    • ldap1.password is the password of the oimLDAP user.

    • ldap1.ssl is set to true if you are using the back end's SSL connection, and otherwise set to false. This should always be set to true when an adapter is being created for AD.

    • ldap1.base is the base location in the directory tree.

    • ldap1.ovd.base is the mapped location in Oracle Virtual Directory.

    • usecase.type is set to Single when using a single directory type.

  3. Configure the adapter by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    Note:

    When you run the idmConfigTool, it creates or appends to the file idmDomainConfig.param. This file is generated in the same directory that the idmConfigTool is run from. To ensure that the same file is appended to each time the tool is run, always run the idmConfigTool from the directory:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command on Linux is:

    idmConfigTool.sh -configOVD input_file=configfile [log_file=logfile]
    

    The syntax on Windows is:

    idmConfigTool.bat -configOVD input_file=configfile [log_file=logfile]
    

    For example:

    idmConfigTool.sh -configOVD input_file=ovd1.props
    

    The command requires no input. The output looks like this:

    The tool has completed its operation. Details have been logged to logfile
    

Run this command for each Oracle Virtual Directory instance in your topology, with the appropriate value for ovd.host in the property file.
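
A pre-flight check for the properties file, added here as an example that is not part of the Oracle guide or of idmConfigTool. It reads the `key:value` file and reports only the rules stated in the parameter list above (all listed keys present, `ovd.ssl` and `ovd.oamenabled` set to true, `ldap1.type` OID or AD, `ldap1.ssl` true for AD); the function name `validate_ovd_props` and the failing variant of the file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an ovd1.props file before running
# idmConfigTool.sh -configOVD. Only rules from the parameter list are checked.

# The Oracle Internet Directory sample from this section (placeholder passwords).
OID_PROPS='ovd.host:LDAPHOST1.mycompany.com
ovd.port:8899
ovd.binddn:cn=orcladmin
ovd.password:ovdpassword
ovd.oamenabled:true
ovd.ssl:true
ldap1.type:OID
ldap1.host:oididstore.us.oracle.com
ldap1.port:3060
ldap1.binddn:cn=oimLDAP,cn=systemids,dc=mycompany,dc=com
ldap1.password:oidpassword
ldap1.ssl:false
ldap1.base:dc=mycompany,dc=com
ldap1.ovd.base:dc=mycompany,dc=com
usecase.type: single'

# Constructed bad input: the same file switched to AD without enabling
# ldap1.ssl, and with the ovd.password line deleted.
BAD_AD_PROPS=$(printf '%s\n' "$OID_PROPS" |
    sed -e 's/^ldap1\.type:.*/ldap1.type:AD/' -e '/^ovd\.password:/d')

# validate_ovd_props  (hypothetical helper)
# Reads a key:value properties file on stdin, prints one line per problem,
# and returns 0 only if no problem was found.
validate_ovd_props() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }      # skip blank lines and comments
        {
            sep = index($0, ":")               # split on the first colon only
            if (sep == 0) { print "line " NR ": expected key:value"; bad = 1; next }
            key = substr($0, 1, sep - 1)
            val = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # "usecase.type: single" has a space
            prop[key] = val
        }
        END {
            req = "ovd.host ovd.port ovd.binddn ovd.password ovd.oamenabled ovd.ssl"
            req = req " ldap1.type ldap1.host ldap1.port ldap1.binddn ldap1.password"
            req = req " ldap1.ssl ldap1.base ldap1.ovd.base usecase.type"
            n = split(req, required, " ")
            for (i = 1; i <= n; i++)
                if (prop[required[i]] == "") { print "missing: " required[i]; bad = 1 }

            if (prop["ovd.ssl"] != "" && prop["ovd.ssl"] != "true") {
                print "ovd.ssl must be true (ovd.port is an https port)"; bad = 1
            }
            if (prop["ovd.oamenabled"] != "" && prop["ovd.oamenabled"] != "true") {
                print "ovd.oamenabled must be true in Fusion Applications deployments"; bad = 1
            }
            kind = prop["ldap1.type"]; ssl = prop["ldap1.ssl"]
            if (kind != "" && kind != "OID" && kind != "AD") {
                print "ldap1.type must be OID or AD"; bad = 1
            }
            if (ssl != "" && ssl != "true" && ssl != "false") {
                print "ldap1.ssl must be true or false"; bad = 1
            } else if (kind == "AD" && ssl == "false") {
                print "ldap1.ssl must be true when ldap1.type is AD"; bad = 1
            }
            exit(bad ? 1 : 0)
        }
    '
}

# On a real host: validate_ovd_props < ovd1.props
printf '%s\n' "$OID_PROPS" | validate_ovd_props && echo "OID sample: ok"
printf '%s\n' "$BAD_AD_PROPS" | validate_ovd_props || echo "AD variant: fix the lines above first"
```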

12.7.3 Validating the Oracle Virtual Directory Adapters

Perform the following tasks by using ODSM:

  1. Access ODSM at the URL listed in Section 20.2, "About Identity Management Console URLs."

  2. Connect to Oracle Virtual Directory.

  3. Go to the Data Browser tab.

  4. Expand Client View so that you can see each of your user adapter root DNs listed.

  5. Expand the user adapter root DN. If there are objects already in the back end LDAP server, you should see those objects here.

  6. ODSM doesn't support changelog query, so you cannot expand the cn=changelog subtree.

    Perform the following tasks by using the command-line:

    • Validate the user adapters by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q  -b <user_search_base> -s sub "objectclass=inetorgperson" dn
      

      For example:

      ldapsearch -h LDAPHOST1.mycompany.com -p 6501 -D "cn=orcladmin" -q -b "cn=Users,dc=mycompany,dc=com" -s sub "objectclass=inetorgperson" dn
      

      Supply the password when prompted.

      You should see the user entries that already exist in the back end LDAP server.

    • Validate changelog adapters by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q  -b "cn=changelog" -s one "changenumber>=0"
      

      For example:

      ldapsearch -h LDAPHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s one "changenumber>=0"
      

      The command returns logs of data, such as creation of all the users. It returns without error if the changelog adapters are valid.

    • Validate lastchangenumber query by typing:

      ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
      

      For example:

      ldapsearch -h LDAPHOST1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s base 'objectclass=*' lastchangenumber
      

      The command returns the latest change number generated in the back end LDAP server.

12.8 Backing Up the Oracle Virtual Directory Configuration

It is an Oracle best practices recommendation to create a backup file after successfully completing the installation and configuration of each tier or a logical point. Create a backup of the installation after verifying that the install so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. This backup can be discarded once the enterprise deployment setup is complete. After the enterprise deployment setup is complete, the regular deployment-specific Backup and Recovery process can be initiated. More details are described in the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to Oracle Database Backup and Recovery User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the directory tier:

    1. Shut down the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl stopall
      
    2. Create a backup of the Middleware home on the directory tier. On Linux, as the root user, type:

      tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME
      
    3. Create a backup of the Instance home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE
      
    4. Start up the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl startall
      
  2. Perform a full database backup (either a hot or cold backup). Oracle recommends that you use Oracle Recovery Manager.

  3. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory. On Linux, type:

    tar cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver
    

Note:

Create backups on all machines in the directory tier by following the steps shown in this section.

For more information about backing up the directory tier configuration, see Section 20.6, "Performing Backups and Recoveries."