Oracle® Fusion Middleware Release Notes for Identity Synchronization for Windows 6.0 Service Pack 1 11g Release 1 (11.1.1.7.0) Part Number E28964-01
This chapter provides information about tasks you must complete before you can start the Identity Synchronization for Windows 6.0 Service Pack 1 installer. The chapter contains the following sections:
This release of Identity Synchronization for Windows 6.0 Service Pack 1 contains updated versions of the JDK, NSS and Message Queue components. No change has been made to Identity Synchronization for Windows 6.0 Service Pack 1 itself.
This release of Identity Synchronization for Windows 6.0 Service Pack 1 is available and downloadable only as a component of Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) and later releases.
Customers running Identity Synchronization for Windows 6.0 SP1 through Directory Server Enterprise Edition 7.0 should upgrade to the Identity Synchronization for Windows 6.0 Service Pack 1 that is bundled with Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0).
Identity Synchronization for Windows software requires the following hardware.
Table 1-1 Identity Synchronization for Windows Hardware Requirements
Component | Platform Requirement |
---|---|
RAM | 512 MB for evaluation purposes wherever components are installed. More memory is preferred. |
Local disk space | 400 MB disk space for minimal installation alongside Directory Server Enterprise Edition. |
Before you attempt to install Identity Synchronization for Windows, be sure to resolve the following platform and software issues:
Supported operating systems may require additional software. See Table 1-2, "Supported Platforms and Additional Required Software".
Your operating system may have additional patch requirements. See Table 1-3, "Minimum Patch Level Requirements".
Installing Identity Synchronization for Windows 6.0 Service Pack 1 on an unsupported platform will have unpredictable results. Installing Identity Synchronization for Windows 6.0 Service Pack 1 in a Solaris zone is not supported.
Windows Server 2008 is not a supported installation platform for Identity Synchronization for Windows. So, although you can synchronize with Active Directory 2008 data, installing this release of Identity Synchronization for Windows 6.0 Service Pack 1 on Windows Server 2008 or 2008R2 is not supported.
The following table lists supported platforms for Identity Synchronization for Windows.
Table 1-2 Supported Platforms and Additional Required Software
Supported OS Versions | Architecture | Additional Required Software |
---|---|---|
Solaris 10 for SPARC, x86, and AMD 64 architectures | 64–bit | For the latest patch information, see My Oracle Support ( |
Solaris 9 for SPARC and x86 architectures | 64–bit and 32–bit | For the latest patch information, see My Oracle Support ( |
Red Hat Enterprise Linux Advanced Server 4.0 Update 2 for x86 architecture | 64–bit and 32–bit | The following compatibility libraries are recommended: The following compatibility library is required: Note that even when running Red Hat on a 64-bit system, 32-bit system libraries are installed. These compatibility libraries are available from Red Hat media or from |
Windows 2003 | 32–bit | Service Pack 1. See Section 1.5.1, "Add Missing LICENSE.txt file on Windows," and Section 1.5.6, "Resolve DNS Dependencies." |
Note:
Identity Synchronization for Windows is not supported on SUSE or HP-UX systems. For these and for other unsupported operating systems, you should investigate using Oracle Directory Integration Platform. See Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform for more information.
See also the Oracle Fusion Middleware 11gR1 Certification Matrix (http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls).
To install Identity Synchronization for Windows, you must provide credentials for the following.
Configuration Directory Server
Directory Server to be synchronized
Active Directory
See Chapter 3, Installing Core, in Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide for details.
In addition, you must have the following privileges to install Identity Synchronization for Windows.
On Solaris and Red Hat systems, you must install as root.
On Windows systems, you must install as Administrator.
Note:
When you enter passwords by using the text-based installer, the program automatically masks the passwords so passwords are not echoed in the clear. The text-based installer is supported on Solaris and Red Hat systems only.
You can run Identity Synchronization for Windows in a firewall environment. The following sections list the server ports that you must expose through the firewall.
By default, Message Queue uses dynamic ports for all services except for its port mapper. To access the Message Queue broker through a firewall, the broker should use fixed ports for all services.
After installing the core, you must set the imq.<service_name>.<protocol_type>.port broker configuration properties. Specifically, you must set the imq.ssljms.tls.port option. See the Message Queue documentation at http://www.oracle.com/technetwork/indexes/documentation/legacy-glassfish-message-queue-306290.html for more information.
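One way to audit a broker properties file for the fixed-port requirement above, as an added example that is not part of the original release notes. It assumes that a port value of 0 means the port is assigned dynamically; the keys imq.jms.tcp.port and imq.admin.tcp.port are used as instances of the imq.<service_name>.<protocol_type>.port pattern, and all port numbers other than 7676 are constructed.

```shell
#!/bin/sh
# Added example (not from the release notes): audit broker port properties.

# Constructed samples. Port numbers other than 7676 are made up.
WEAK_PROPS='# broker properties before fixing ports (constructed)
imq.portmapper.port=7676
imq.jms.tcp.port=0
imq.admin.tcp.port=7677'

FIXED_PROPS='# broker properties with fixed ports (constructed)
imq.portmapper.port=7676
imq.jms.tcp.port=7678
imq.admin.tcp.port=7677
imq.ssljms.tls.port=7679'

# audit_mq_ports: read broker properties on stdin and report every
# imq.<service_name>.<protocol_type>.port key as FIXED or DYNAMIC.
# Also reports MISSING when imq.ssljms.tls.port is not set at all.
# Returns 1 if anything would block a fixed firewall rule, else 0.
# Assumption: a value of 0 (or a non-numeric value) means a dynamic port.
audit_mq_ports() {
    awk -F= '
        /^[ \t]*[#!]/ { next }                     # skip comment lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)                 # trim whitespace
            gsub(/[ \t\r]/, "", val)
        }
        key ~ /^imq\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.port$/ {
            seen[key] = 1
            if (val !~ /^[0-9]+$/ || val + 0 == 0) {
                print "DYNAMIC " key
                bad = 1
            } else {
                print "FIXED " key "=" val
            }
        }
        END {
            if (!("imq.ssljms.tls.port" in seen)) {
                print "MISSING imq.ssljms.tls.port"
                bad = 1
            }
            exit bad + 0
        }
    '
}

# Demo on the constructed samples: the weak file first, then the fixed one.
echo "== before =="
printf '%s\n' "$WEAK_PROPS" | audit_mq_ports || echo "-> firewall rules cannot be pinned yet"
echo "== after =="
printf '%s\n' "$FIXED_PROPS" | audit_mq_ports && echo "-> every service port is fixed"
```

The port mapper key is deliberately not matched by the pattern, because the text states that the port mapper already uses a fixed port.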
The Identity Synchronization for Windows installer must be able to communicate with the Directory Server acting as the configuration directory.
If you are installing an Active Directory connector, the installer must be able to contact Active Directory's LDAP port, 389.
If you are installing a Directory Server connector or a Directory Server plug-in (subcomponent), the installer must be able to contact the Directory Server LDAP port, default 389.
The Message Queue, system manager, and command line interface must be able to reach the Directory Server where the Identity Synchronization for Windows configuration is stored.
The Identity Synchronization for Windows console must be able to reach the following:
Active Directory over LDAP, port 389, or LDAPS, port 636
Active Directory Global Catalog over LDAP, port 3268, or LDAPS, port 3269
Each Directory Server over LDAP or LDAPS
Administration Server
Message Queue
All connectors must be able to communicate with Message Queue. In addition, the following connector requirements must be met.
The Active Directory connector must be able to access the Active Directory Domain Controller over LDAP, port 389, or LDAPS, port 636.
The Directory Server connector must be able to access Directory Server instances over LDAP, default port 389, or LDAPS, default port 636.
Identity Synchronization for Windows 6.0 Service Pack 1 is a part of the Oracle Directory Server Enterprise Edition 11g R1 (11.1.1.7.0) bundle. The Directory Server Enterprise Edition Certification Matrix, which contains a frequently updated list of hardware and software compatible with Directory Server Enterprise Edition, is available at http://www.oracle.com/technetwork/middleware/downloads/odsee-11gr1certmatrix-161592.xls
Go to the download page for Oracle Identity Management 11g at http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html.
Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) is available in zip distribution for all supported platforms.
Use the following table to identify the required patch numbers for each supported operating system.
The following table lists the contents of the ODSEE_Identity_Synchronization_for_Windows directory after you have unzipped the Identity Synchronization for Windows download bundle.
Table 1-4 Contents of ODSEE_Identity_Synchronization_for_Windows Directory
Operating System | Identity Synchronization for Windows Files |
---|---|
Solaris 9, 10 SPARC (64-bit) | HotFix-6.0SP1_COMBO_5_20110722 HotFix-6.0SP1_COMBO_5_20110722/README HotFix-6.0SP1_COMBO_5_20110722/isw-generic.zip README.txt 144589-01/isw.6.0.sp1.solaris.sparc.zip 144589-01/README.144589-01 144589-01/patchinfo jdk/* mq4_3-installer/* packages/SunOS5.9/SUNWjss packages/SunOS5.9/SUNWpr packages/SunOS5.9/SUNWprd packages/SunOS5.9/SUNWtls packages/SunOS5.9/SUNWtlsu patches/125358-15 patches/SunOS5.10/119213-27 patches/SunOS5.9/119211-27 |
Solaris 9 x86 (32-bit) and Solaris 10 x86, AMD64, I64 (64-bit) | HotFix-6.0SP1_COMBO_5_20110722 HotFix-6.0SP1_COMBO_5_20110722/README HotFix-6.0SP1_COMBO_5_20110722/isw-generic.zip README.txt 144590-01/isw.6.0.sp1.solaris.x86.zip 144590-01/README.144590-01 144590-01/patchinfo jdk/* mq4_3-installer/* packages/SunOS5.9/SUNWjss packages/SunOS5.9/SUNWpr packages/SunOS5.9/SUNWprd packages/SunOS5.9/SUNWtls packages/SunOS5.9/SUNWtlsu patches/125359-15 patches/SunOS5.10/119214-27 patches/SunOS5.9/119212-27 |
Linux RH 4.0U2 (x86 & AMD64) (32-bit) | HotFix-6.0SP1_COMBO_5_20110722 HotFix-6.0SP1_COMBO_5_20110722/README HotFix-6.0SP1_COMBO_5_20110722/isw-generic.zip README.txt 144591-01/* jdk/* mq4_3-installer/* packages/* patches/RHEL4.0/121656-26 |
Windows (Server Enterprise & Standard Edition) | HotFix-6.0SP1_COMBO_5_20110722 HotFix-6.0SP1_COMBO_5_20110722\README HotFix-6.0SP1_COMBO_5_20110722\isw-generic.zip 144592-01\README.144592-01 144592-01\LEGAL_LICENSE.TXT 144592-01\isw.6.0.sp1.windows.zip jdk\jdkfb-1_5_0_29-windows-i586-p.exe mq4_3-installer\* README.txt |
The following is a checklist of issues you must resolve before you run the Identity Synchronization for Windows 6.0 Service Pack 1 installer. These tasks are not optional; they are required for a successful installation. Details for each task are included in sections immediately following the checklist.
When you install Identity Synchronization for Windows 6.0 Service Pack 1 on a Windows system, the core installation fails when installing the bundled Administration Server.
The Administration Server installation checks for the presence of a LICENSE.txt file in the same directory as the setup.exe file associated with the administration server in the admserv_package subtree. To work around this issue, create a file named LICENSE.txt in the same directory where the setup.exe file associated with the administration server in the admserv_package subtree is located.
Create a suffix such as ou=isw-config for storing Identity Synchronization for Windows configuration data. In production environments, create this suffix on a Directory Server other than the Directory Server that contains your user data. See the chapter that suits your need:
For Windows, see Chapter 5, "Creating Required Data Stores in Directory Server."
For Solaris, see Chapter 7, "Creating Required Data Stores in Directory Server."
For Linux, see Chapter 9, "Creating Required Data Stores in Directory Server."
The following is a list of properties for which you must enter values when running the Identity Synchronization for Windows 6.0 Service Pack 1 installer. In the following table, an asterisk (*) indicates that a default value is automatically provided.
Table 1-5 Property Values Required by Identity Synchronization for Windows Core Installation
Attribute | Description |
---|---|
Configuration Directory Host | Fully qualified domain name (FQDN) of a Directory Server instance (affiliated with the local Administration Server) where Identity Synchronization for Windows configuration information will be stored |
Configuration Directory Port* | Port where the Identity Synchronization for Windows configuration directory is installed. (Default port is 389) |
Configuration Root Suffix | Root suffix in which to store the Identity Synchronization for Windows configuration |
Administrator User ID* | Configuration directory Administrator's user ID |
Administrator Password | Configuration directory Administrator's password |
Configuration Password | Password that will be used to encrypt sensitive parts of the configuration. You must enter this password when you use the console, use command line utilities, or install other components. |
Java Home* | Location of the Java Virtual Machine to be used by installed components. Make sure this value matches the JAVA_HOME value. See Section 1.5.5, "Verify JDK Compatibility" for the required JDK release level included with Identity Synchronization for Windows. |
Server Root Directory* | Path and directory name of the Administration Server installation server root. The Console will be installed in this location. |
Installation Directory (on Solaris or Linux platforms) | Path and directory name of the Identity Synchronization for Windows installation directory. Core binaries, libraries, and executable will be installed in this directory. |
Instance Directory (on Solaris or Linux platforms) | Path and directory name of the Identity Synchronization for Windows instance directory. Configuration information that changes (such as log files) will be stored in this directory. |
Message Queue Installation Directory | Location of an existing Message Queue instance and fully qualified host name and port of the new Broker instance. |
Message Queue Configuration Directory | Path and directory name of the Message Queue instance directory |
Message Queue Local Host Name | Fully qualified domain name (FQDN) of the local host machine. |
Broker Port Number* | Unused port number for the Message Queue broker to use. (Default port is 7676) |
Active Directory Host* | Fully qualified domain name (FQDN) of the host that stores Active Directory configuration data. |
Active Directory Port | Port number of the host that stores Active Directory user data |
Active Directory User | User with permission to read and modify Active Directory entries. If object deletion is configured, then the user must be a domain administrator. |
Active Directory User password | Password of the user with permission to modify Active Directory configuration |
The JDK must be installed from RPM, and it must be first in the path. Insert the following before /usr/bin in your environment's PATH:
/usr/java/jdk<java_version>/bin
For example:
export PATH=/usr/java/jdk1.5.0_29/bin:$PATH
Before starting the Java console, or any installer or uninstaller, set the LD_LIBRARY_PATH in your environment. For example:
LD_LIBRARY_PATH=/opt/sun/private/lib:/opt/sun/isw/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
A compatible JDK version must be installed properly to ensure a successful Identity Synchronization for Windows installation. Follow these guidelines.
For Identity Synchronization for Windows 6.0 and 6.0 SP1 (including ODSEE 11.1.1.3.0), use JDK 1.5.0_9.
For Identity Synchronization for Windows bundled in ODSEE 11.1.1.5.x and 11.1.1.7.x, use JDK 1.5.0_29.
On Linux, install the JDK from the RPM.
Set JAVA_HOME to your installed JDK before starting installation or starting the Java console.
On Solaris, install all the included JDK packages, starting with SUNWj5rt and SUNWj5rtx. Install SUNWj5cfg last.
Identity Synchronization for Windows uses the first entry from the hosts file. In the hosts file, be sure to put the FQDN of the Identity Synchronization for Windows host server immediately following the IP address. This eliminates host-only references that come up during installation or configuration. For example:
192.168.0.10 host.example.com host host-alias
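A check for the hosts-file rule above, as an added example that is not part of the original release notes: it reports every entry whose first name after the IP address is not an FQDN. The second and third sample entries are constructed, and skipping loopback entries is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the release notes): audit hosts-file name ordering.

# Constructed sample input. The 192.168.0.10 line follows the rule from the
# text; the 192.168.0.11 line puts a short name first and should be reported.
SAMPLE_HOSTS='127.0.0.1      localhost
192.168.0.10   host.example.com host host-alias
192.168.0.11   isw2 isw2.example.com   # short name listed first'

# check_hosts_fqdn: read hosts-file text on stdin and print "<ip> <name>"
# for every entry whose first name after the address is not an FQDN.
# Returns 1 if any entry was reported, 0 otherwise.
# Assumption: loopback entries (127.x.x.x, ::1) are skipped.
check_hosts_fqdn() {
    awk '
        { sub(/#.*/, "") }                         # drop trailing comments
        NF < 2 { next }                            # blank or address-only line
        $1 ~ /^127\./ || $1 == "::1" { next }      # loopback entries
        $2 !~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\.?$/ {
            print $1, $2                           # first name has no domain part
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed sample. To audit a real system, run:
#   check_hosts_fqdn < /etc/hosts
printf '%s\n' "$SAMPLE_HOSTS" | check_hosts_fqdn ||
    echo "Move the FQDN to the first position on the entries listed above." >&2
```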
The system Identity Synchronization for Windows is being installed on must be able to resolve its domain and host fully-qualified domain name (FQDN).
Any Windows host that will have Identity Synchronization for Windows core installed on it must be a member of an Active Directory domain. Installation on a workgroup system is not supported.
The Linux system on which ISW is installed must have the rpm-build tools and compat-lib* libraries present as provided by the "developer" standard bundle and "legacy-developer" bundles from the RHEL/OEL software additions. These are available from the installation media. The compat-libstdc++296.i386 and libtermcap.i386 libraries must be installed.
JDK must be installed from the RPM. See the Linux section in Section 1.5.4, "(Linux Only) Verify Environment Settings."
Identity Synchronization for Windows must be installed as root. You can install Identity Synchronization for Windows as root and then reconfigure Identity Synchronization for Windows to run as a non-root user after initial installation and configuration are complete.
In the course of upgrading, migrating or installing Identity Synchronization for Windows, you will use the administration console to complete Identity Synchronization for Windows configuration. Before you use the Java console for the first time, install the included patch bundle described during the install process for each platform. See Section 2.1, "Installing the Critical ISW Patch Set."
This section provides the following instructions:
In the course of installing or migrating Identity Synchronization for Windows, you may want to use the administration console.
To open the administration console, run the following command:
On Solaris
/var/mps/serverroot/startconsole
On Linux
/var/Sun/mps/startconsole
On Windows
C:\Program Files\Sun\MPS\startconsole.exe
Starting and stopping synchronization does not start or stop individual Java processes, daemons, or services. Once you begin synchronization, stopping synchronization only pauses the operation. When you restart synchronization, the program resumes synchronization from where it stopped and no change will be lost.
In the Oracle Directory Server Enterprise Edition Server Console navigation pane, select the Identity Synchronization for Windows instance.
When the Identity Synchronization for Windows pane is displayed, click the Open button in the upper right corner.
When you are prompted, enter the configuration password.
Select the Tasks tab.
You can use the startsync or stopsync subcommands from the command line.
/opt/SUNWisw/bin/idsync
/opt/sun/isw/bin/idsync
C:\Program Files\Sun\MPS\isw instance-name\bin\idsync
To start synchronization, open a terminal window (or a Command Window) and type the idsync startsync command as follows:
idsync startsync [-D bind-DN] -w bind-password | - [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] [-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] [-m secmod-db-path]
idsync startsync -w admin_password -q configuration_password
The following table describes the arguments that are unique to startsync.
You can use the stopsync subcommand to stop synchronization from the command line.
To stop synchronization, open a terminal window (or a Command Window) and type the idsync stopsync command as follows:
idsync stopsync [-D bind-DN] -w bind-password | - [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] [-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] [-m secmod-db-path]
idsync stopsync -w admin_password -q configuration_password
Identity Synchronization for Windows and Message Queue are installed as daemons on Solaris and Linux, and as services on Windows. These processes start automatically when the system boots, but you can also start and stop them manually.
Note:
When starting or restarting services, be sure you start the services in this order: first start Message Queue, then start Identity Synchronization for Windows and Directory Server.
Start Message Queue.
From the command line, enter /etc/init.d/imq start.
From the command line, enter /etc/init.d/imq start.
Select Start > Settings > Control Panel > Administrative Services.
When the Administrative Services dialog box is displayed, double-click the Services icon to open the Services dialog box.
Select Message Queue Broker, and then select Action > Start from the menu bar.
From the command line, enter the net command to control the services.
To check the Message Queue status:
You can verify that Message Queue is stopped on Linux or Solaris.
# cd /usr/jdk/jdk1.5.0_29/bin
# jps -mlv | grep -i broker
A Java command line with broker in the name is returned if Message Queue is running.
The jps command is part of the JDK installation and is located in the bin directory of your JDK. For example: /usr/java/jdk1.5.0_29/bin/jps
Use the Windows services management console to monitor the status of the IMQ process. The services management console is under Administrative Tools in the Windows Start menu. You can also access it from Administrative Tools in the Control Panel.
Start Identity Synchronization for Windows.
From the command line, enter /etc/init.d/isw start.
From the command line, enter /etc/init.d/isw start.
Select Start > Settings > Control Panel > Administrative Services.
When the Administrative Services dialog box is displayed, double-click the Services icon to open the Services dialog box.
Select Identity Synchronization for Windows and then select Action > Start from the menu bar.
From the command line, enter the net command to control the services.
Start Directory Server Enterprise Edition.
# install-root/dsee7/bin/dsadm start instance-path
C:\ install-root\dsee7\bin\dsadm start instance-path
If any single service among Identity Synchronization for Windows, Message Queue, or Directory Server Enterprise Edition is down for longer than 15 minutes, then you must stop and then restart all three services.
Stop Directory Server Enterprise Edition.
# install-root/dsee7/bin/dsadm stop instance-path
C:\ install-root\dsee7\bin\dsadm stop instance-path
Stop Identity Synchronization for Windows.
Note:
Pause 30 seconds after stopping the service before starting it again. Connectors can take several seconds to cleanly shut themselves down. You can Telnet to the Identity Synchronization for Windows port to determine whether it stopped.
From the command line, enter /etc/init.d/isw stop.
From the command line, enter /etc/init.d/isw stop.
Select Start > Settings > Control Panel > Administrative Services.
When the Administrative Services dialog box is displayed, double-click the Services icon to open the Services dialog box.
Select Identity Synchronization for Windows and then select Action > Stop from the menu bar.
Stop Message Queue.
Note:
Pause 30 seconds after stopping the service before starting it again. Connectors can take several seconds to cleanly shut themselves down. You can Telnet to the Message Queue port to determine whether it stopped.
From the command line, enter /etc/init.d/imq stop.
From the command line, enter /etc/init.d/imq stop.
Select Start > Settings > Control Panel > Administrative Services.
When the Administrative Services dialog box is displayed, double-click the Services icon to open the Services dialog box.
Select Message Queue, and then select Action > Stop from the menu bar.
Verify that Message Queue is stopped by checking the output of the jps command.
# cd /usr/jdk/jdk1.5.0_29/bin
# jps -mlv | grep -i broker
Use the Windows services management console (MMC) to monitor the status of the IMQ process. To start the MMC, from the Start menu, go to Administrative Tools. As an alternative, you can go to Control Panel > Administrative Tools.