The Single Host topology is recommended only for test environments, whereas the Enterprise topology, which is more complex, is suitable for staging, QA, and production deployments.
This section contains the following topics:
The Oracle Identity Management Provisioning Wizard and related tools were developed to automate Oracle Identity Management Provisioning and reduce the time required to configure Oracle Identity Management for Oracle Fusion Applications.
MANDATORY: All server machines in an Oracle Identity Management Provisioning environment must be running the same operating system major version and patch level. Heterogeneous operating system deployments are not supported.
Before provisioning Oracle Identity Management, ensure that the following tasks have been completed:
Follow the instructions in Install the Oracle Identity Management and Oracle Fusion Applications Provisioning Frameworks, and successfully install the Oracle Identity Management Provisioning framework.
Create an Oracle Identity Management provisioning profile as described in Create an Oracle Identity Management Provisioning Profile.
The Oracle Identity Management Provisioning process itself consists of two tasks:
Running the Oracle Identity Management Provisioning Wizard, a graphical user interface that uses an interview process to gather information about the environment and store it in a Provisioning Response file. This task is described in Monitor Provisioning Using the Oracle Identity Management Provisioning Wizard.
Executing command-line tools to set up the environment on the selected host machines. In many cases, the progress of the command-line tools can be monitored by using the wizard. This task is described in Perform Provisioning by Running the Provisioning Commands.
After provisioning, perform the tasks in Perform Mandatory Oracle Identity Management Post-Installation Tasks.
Before performing provisioning, provide information about the topology to the Oracle Identity Management Provisioning Wizard. Once all the necessary input has been provided, the wizard creates a provisioning file called provisioning.rsp that is used to perform the provisioning operation.
Even if a single node install is selected, the screens in the Oracle Identity Management Provisioning Wizard show multinode items such as Virtual Host Configuration and Load Balancer Configuration. Ignore the unused fields.
Before running the provisioning tool, set the following environment variables:
Set JAVA_HOME to: REPOSITORY_LOCATION/jdk
On UNIX systems, set the DISPLAY environment variable to an active and authorized display.
To start the Oracle Identity Management Provisioning Wizard, execute the following commands from: IDMLCM_HOME/provisioning/bin, where IDMLCM_HOME is the place where the Oracle Home Directory for Oracle Identity Management was installed, using the installation script for the Oracle Identity Management Provisioning Wizard and Oracle Identity Management Patching Tools, as described in Install the Oracle Identity Management Lifecycle Tools.
Linux or UNIX:
./idmProvisioningWizard.sh
idmProvisioningWizard.bat
When the wizard starts, proceed as described in the following sections:
Use the Welcome page to learn more about the wizard, including some prerequisites for using it.
The Welcome page provides a brief overview of the wizard and lists some requirements that must be met.
Click Next to continue.
If the Specify Inventory Directory page is presented, proceed as described in Step 2 in Install the Oracle Identity Management Lifecycle Tools.
Click OK to continue.
Select Create a New Identity Management Environment Provisioning Response File to create a response file for the first time.
Update an Existing Identity Management Environment Provisioning Response File is not supported.
Click Next to continue.
The checkbox should be unchecked, as this feature is not supported.
Click Next to continue.
The Product List page is purely informational. It displays the list of products that are installed and configured by the Oracle Identity Management Provisioning Wizard.
Click Next to continue.
Specify descriptive information to identify this response file. This description is not associated in any way with the executable plan file, or the summary file, saved at the end of the response file creation process.
Response File Name: The Oracle Identity Management Provisioning Wizard provides the default title Oracle Identity Management Provisioning Response File. This file can be changed.
Response File Version: The Oracle Identity Management Provisioning Wizard provides a default value, which can be change. Use this to keep track of different file versions.
Created By: Defaults to the operating system user who invoked the Provisioning Wizard. Set when the response file is initially created and cannot be modified for the current response file.
Created Date: Defaults to the date that the response file was initially created. Set when the response file was initially created and cannot be modified for the current response file.
Response File Description: Provide a description of this response file. This is an optional field.
Click Next to continue.
Use the Install Location Configuration page to supply the location of the various directories required for installation and configuration actions.
Installation and Configuration
Software Repository Location: Specify the location of the software repository, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it. This location must contain a folder named installers, which contains the software to install.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Storage tab, Temporary Shared Storage table, Provisioning Repository Location row.
Software Installation Location: Specify the location on shared storage for the Middleware Homes, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it. In a multinode scenario, this folder must be shared across all machines.
Ensure that this directory path is 45 characters or fewer in length. A longer path name can cause errors during Oracle Identity Management provisioning.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Storage tab, Install Directories table, IDM Software Installation Location row.
Shared Configuration Location: Specify the shared configuration location, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it.
In a single host environment, the shared configuration location is not actually shared.
For the Enterprise topology, this is where the artifacts to be shared across all hosts, such as keystores, scripts to start/stop services, and life cycle management information, are created. In a multi-node scenario, this folder must be shared across all machines.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Storage tab, Install Directories table, IDM Shared Configuration Location row.
Enable Local Configuration Location: Select this option only when provisioning the Enterprise topology.
Depending on the decision made during the planning phase this option is available in the Oracle Fusion Applications Installation Workbook, Storage tab, Install Directories table, IDM Local Configuration Location row. If the value is not specified in the Oracle Fusion Applications Installation Workbook, clear this checkbox.
Local Configuration Location: Specify the location for the local domain directory to be set up, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it. This field is required if the option Enable Local Applications Configuration is selected. The specified directory must initially be empty. This folder should not be shared across hosts.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Storage tab, Install Directories table, IDM Local Configuration Location row.
Click Next to continue.
Use the Node Topology Configuration page to select configuration options and provide information about hosts and products.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Environment tab, Environment Info table, IDM Topology Type row.
Single Host: Select to provision a simple, single host topology. This topology is recommended only for test and development environments.
Host Name: Specify the host where Oracle Identity Management is provisioned, as a fully-qualified host name.
EDG Topology: One Node: Select to install Oracle Identity Management on a single host.
Product(s): This field cannot be edited. It specifies the product that be installed and configured on the host.
Host Name: Specify each host where the corresponding product is provisioned, as a fully-qualified host name.
EDG Topology: Two Node: Select to provision a multiple host topology. This option configures two instances of the product. Selecting this option provisions a highly-available environment.
Product(s) - First and Second Instance: This field cannot be edited and specifies the instance of the product that is installed and configured on the host.
Host Name: Specify the host where the first and second instance of these applications are provisioned, as a fully-qualified host name. To install Oracle Identity Management on a single host, specify the same host name for all instances.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Topology tab:
Abstract Hostname (or real Hostname if no Abstract) from Topology table row that matches the following components:
IDM Directory
IDM Identity and Access
IDM WebTier
Click Next to continue.
Use the Virtual Hosts Configuration page to select virtual host configuration options. If Single Host is selected, the Virtual Hosts Configuration page cannot be edited.
Associate the Administration Server, Oracle Identity Manager and Oracle SOA Suite servers with virtual IP addresses. If Configure second application instances is selected on the Node Topology Configuration page, having a virtual IP address allows the Administration Server to be started on a different host if the primary host fails. Virtual IP addresses and virtual host names are required to enable server migration on Oracle Identity Manager andOracle SOA Suite servers. Server migration must be configured for the Oracle Identity Manager and Oracle SOA Suite managed servers for high availability.
Specify the configuration settings for the virtual hosts required by Oracle Fusion Applications.
Configure Virtual Hosts?: Select to configure virtual hosts.
Server: Identifies each server.
Virtual Host Name: Specify the virtual host name for the server.
Tip:
The value for the Admin Server is available in the Oracle Fusion Applications Installation Workbook, Network - Virtual Hosts tab, AdminServer Virtual Hosts/VIPs table, IDMDomain AdminServer row.
For the Enterprise topology, specify the virtual host name from the Oracle Fusion Applications Installation Workbook for each managed server in the topology. For example:
Admin Server: ADMINVHN.mycompany.com
Click Next to continue.
Use the Common Passwords page to select a common password.
Common Identity Management Password: Specify a password to be used for all administrative users in the Oracle Identity Management Suite and for keystores. The password must be at least eight characters long and must contain at least one uppercase letter and at least one number.
Confirm Common Identity Management Password: Reenter the password.
Click Next to continue.
Use the OID Configuration page to select configuration options for Oracle Internet Directory.
Oracle Internet Directory Configuration Parameters
Identity Store Realm DN: Specify the Distinguished Name of the Oracle Internet Directory realm, for example: dc=mycompany,dc=com.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Identity Management tab , LDAP table, Identity Store Realm DN row.
Authentication Directory Type
Select one of the following authentication directories:
Oracle Internet Directory
Oracle Virtual Directory
Click Next to continue.
Use the ODSM Configuration page to select configuration options for Oracle Directory Services Manager (ODSM). Information about the second host appears on the page for EDG topology or if Configure Second Instances Topology was selected in the Node Topology Configuration Page.
ODSM Host: This field is purely informational. The value is determined by the host entered in the Node Topology Configuration Page.
Port: Specify the port to be used by the first ODSM instance.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Ports tab, Identity Management Port Numbers table, IDMDomain ODSM row.
Second ODSM Host: This field is purely informational. The value is determined by the host entered in the Node Topology Configuration Page.
Second ODSM Port: Specify the port to be used by the second ODSM instance.
Click Next to continue.
Use the OHS Configuration page to change the installation ports used for Oracle HTTP Server (OHS). Information about the second host appears on the page only if Configure Second Instances Topology was selected in the Node Topology Configuration Page.
Oracle HTTP Server for Identity Management Configuration Parameters
Host: This field is purely informational. The value is determined by the host entered in the Node Topology Configuration Page.
Port: Specify the non-SSL port number to be used for the first instance of the Oracle HTTP Server.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Ports tab, Identity Management Port Numbers table, IDM Oracle HTTP Server row.
SSL Port: Specify the SSL port number to be used for the first instance of the Oracle HTTP Server.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Ports tab, Identity Management Port Numbers table, IDM Oracle HTTP Server SSL row.
Instance Name: This field is purely informational. It displays the instance name of the first Oracle HTTP Server.
Second OHS Host: This field is purely informational. The value is determined by the host entered in the Node Topology Configuration Page.
Second OHS Port: Specify the non-SSL port number to be used for the second instance of the Oracle HTTP Server.
Second OHS SSL Port: Specify the SSL port number to be used for the second instance of the Oracle HTTP Server.
Second Instance Name: This field is purely informational. It displays the instance name of the second Oracle HTTP Server.
Protocol: This field is purely informational.
Click Next to continue.
Use the OAM Configuration page to select installation options for Oracle Access Manager. Information about the second host appears on the page only if Configure Second Instances Topology was selected in the Node Topology Configuration Page.
Oracle Access Manager Configuration Parameters
OAM Host: This field is purely informational. The value is determined by the host entered in the Node Topology Configuration Page.
OAM Port: Specify the port number of the first instance.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Ports tab, Identity Management Port Numbers table, IDMDomain OAM row.
Second OAM Host: This field is purely informational. The value is determined by the host entered in the Node Topology Configuration Page.
Second OAM Port: Specify the port number of the second instance.
OAM Transfer Mode: Specify the transfer mode to be used by Oracle Access manager. This must be Simple on all platforms.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Identity Management tab, OAM table, OAM Transfer Mode row.
16708977
Cookie Domain: Specify the cookie domain. For example: .mycompany.com
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Environment tab, Environment Info table, Domain name row.
Click Next to continue.
The same database instance is used but pass the two distinct service names created: one service name for OID and another for OAM.
Use the IDM DB Configuration page to enter information about the database that contains the schemas for Oracle Internet Directory and Oracle Access Manager.
OID Schema Details
Service Name: Specify the service name of the database service, for example: oiddb.mycompany.com
Schema User Name: This field specifies the name of the schema user, ODS. This name cannot be changed.
Schema Password: For creating the ODS schema, specify the password used when creating the Oracle Internet Directory schema using the Oracle Fusion Middleware RCU.
OAM Schema Details
Service Name: Specify the service name of the database service, for example: oamdb.mycompany.com .
Schema User Name: This field specifies the name of the schema user, FA_OAM. This name cannot be changed.
Schema Password: For creating the FA_OAM schema, specify the password used when creating the Oracle Internet Directory schema using the Oracle Fusion Middleware RCU.
Single DB: Select if a single Oracle Database is used.
Host VIP Name: Specify the host name of the Oracle Database.
Listener Port: Specify the database listener port.
RAC DB: Select if an Oracle RAC Database is used.
Host VIP Name: Specify the host name of the RAC database instance.
Listener Port: Specify the database listener port.
Instance Name: Specify the database instance name, for example, idmdb1.
Click Next to continue.
The Load Balancer page is editable only if the EDG topology option has been selected.
The Load Balancer page is arranged in the following sections:
HTTP/HTTPS Load Balancer Details
LDAP Load Balancer Details
HTTP/HTTPS Load Balancer Details
The HTTP/HTTPS Load Balancer Details section of the Load Balancer Configuration page enables to enter configuration information about the HTTP/HTTPS Load Balancer.
Configure LBR Endpoints: Select this option to configure the Admin, Internal Callbacks, and SSO LBR endpoints for a single-node topology.
In a three-node topology, the Configure LBR Endpoints option is selected by default. In a six-node enterprise deployment topology, the option is selected by default and cannot be deselected.
Endpoint: This column lists the HTTP/HTTPS Load Balancer endpoints. These are:
Admin: Admin Virtual Host, for example: admin.mycompany.com
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Virtual Hosts tab, HTTP LBR Endpoints table, IDM Admin row, Internal Name and Internal Port columns.
Internal Callbacks: Internal call back virtual host, for example: Identity Managementinternal.mycompany.com
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Virtual Hosts tab, HTTP LBR Endpoints table, IDM row, Internal Name and Internal Port columns.
SSO: Main application entry point, for example: sso.mycompany.com.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Virtual Hosts tab, HTTP LBR Endpoints table, IDM row, External Name and External Port columns.
Virtual Host Name: Specify the virtual host name that corresponds with this endpoint. Examples are shown in the Endpoint descriptions.
Port: Specify the port used by the endpoint. This port is either HTTP or HTTPS, depending on whether the SSL box is checked or not.
If the Configure LBR Endpoints option has not been selected, the virtual host name and port for the three endpoints are automatically populated with the Oracle HTTP Server host name and port 7777.
SSL: Select this box if this endpoint uses SSL. This box is editable only for Admin endpoint.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, SSL and Certificates tab, SSL Communication table, End User - -> IDM Admin HTTP Endpoint row.
LDAP Load Balancer Details
The LDAP Load Balancer Details section of the Load Balancer Configuration page enables to enter configuration information about the LDAP Load Balancer.
The OID Endpoint for Identity Store field is not editable because the Identity Store and Policy Store is the same Oracle Internet Directory. See Identity Store Planning.
Tip:
This value is available in the Oracle Fusion Applications Installation Workbook, Network - Virtual Hosts tab, LDAP Endpoints table.
Endpoint: This column lists the LDAP Load Balancer endpoints.
Virtual Host Name: Specify the virtual host name that corresponds with this endpoint.
Port: Specify the port used by the endpoint.
SSL Port: Specify the SSL port used by the endpoint.
Click Next to continue.
Use the Summary page to view a summary of the selections and enter additional information.
Response File Name: Provide the name of the response file to be created.
Provisioning Summary: Provide the name of the provisioning summary file to be created.
Directory: Specify the directory to save the Provisioning Response File in.
The process described in this section creates a provisioning file in the directory specified on the Summary screen in the Summary Page. This process also creates a folder named responsefilename_data, for example: provisioning_data. This folder contains cwallet.sso, which has encryption and decryption information.
The provisioning response file and the folder containing cwallet.sso must be available to each host in the topology. If a shared provisioning directory exists, then these files are automatically available. If, however, the deployment directory has not been shared, perform a manual copy of the deployment response file (provisioning.rsp) and the folder containing cwallet.sso (provisioning_data) to the same location on the DMZ hosts, WEBHOST1 and WEBHOST2.
WARNING: If the deployment response file and the folder containing cwallet.sso are not copied to the DMZ hosts, the deployment process might fail in the preverify phase.
After creating the provisioning response file, use it to provision an Oracle Identity Management environment.
There are eight stages to provisioning. These stages must be run in the following order:
Preverify - This checks that each of the servers being used in the topology satisfies the minimum requirements of the software being installed and configured.
Install - This installs all of the software and related patches present in Provisioning Repository.
Preconfigure - This does the following:
Creates OID and seeds it with Users/Groups.
Configures ODSM
Creates the WebLogic Domain
Creates OHS instance
Configure - This does the following:
Starts managed servers as necessary
Associates OAM with OID
Configure-Secondary - This does the following:
Integrates Weblogic Domain with Web Tier
Register Web Tier with domain
Postconfigure - This does the following:
Register OID with Weblogic Domain
SSL Enable OID
Tune OID
Generate OAM Keystore
Configure OIF
Configure WebGate
Startup - This starts up all components in the topology
Validate - This performs a number of checks on the built topology to ensure that everything is working as it should be.
Specify the stage using the -target option to the runIDMProvisioning.sh or runIDMProvisioning.bat command. Each stage must be completed before the next stage can begin. Failure of a stage necessitates a cleanup and restart.
It is important to take a backup of the filesystems and databases at the following points:
Prior to starting provisioning.
At the end of the installation phase.
Upon completion of provisioning
It is not possible to restore a backup at any phase other than those three.
Provisioning is accomplished by using either the command line or the Oracle Identity Management Provisioning Wizard.
Process hosts in the following order. Each provisioning phase needs to be run only once on each host, even if multiple products are configured on a single host.
LDAP Host 1
LDAP Host 2 (if using the EDG topology with the Configure second application instances option)
Identity and Access Management Host 1
Identity and Access Management Host 2 (if using the EDG topology with the Configure second application instances option)
Web Host 1
Web Host 2 (if using the EDG topology with the Configure second application instances option)
During installation, the Provisioning Wizard performs actions that are associated with the Oracle Identity Management components previously installed. This section contains a summary of those actions, arranged by the installation phase where the action is performed.
Provisioning phases
The wizard performs the following actions:
Preverify phase
Verifies the existence of the system administrators group (if it was declared as existing during the wizard interview) and the existence of the designated super user in the identity store.
Preconfigure phase
Prepares the Oracle Identity Management components for configuring as follows:
Uploads the LDIF files to the identity store. These files contain entries that represent the application administrator groups used to update the identity store.
Creates the system administrator group (according to what is indicated in the interview).
Makes the super user a member of the administrators group and all the application family directory groups.
Seeds the bootstrap of AppID and gives it membership in the system administrator group.
Configure phase
Configures the Oracle Identity Management components as follows:
Creates the Oracle Fusion Applications domains using the default Oracle WebLogic Server template, with the bootstrap AppID as an administrator.
Disables the default authenticator and enables the LDAP authenticator.
Starts the Oracle WebLogic Server domain using the bootstrap AppID.
Postconfigure phase
Following configuration, the system administrator groups are assigned the appropriate enterprise roles at the product family level. Therefore, the super user has:
Administrator privileges for all Oracle WebLogic Server domains and all middleware
Functional setup privileges for all Oracle Fusion Applications offerings
Administration privileges to Oracle Fusion Applications offerings, excluding transactional privileges
Provisioning is accomplished by using either the command line or the Oracle Identity Management Provisioning Wizard.
This section contains the following topics:
To use the command line, run the command runIDMProvisioning.sh or runIDMProvisioning.bat a number of times, specifying the provisioning stage with the -target option.
MANDATORY: complete each command, in order, before running the next command.
Before running the provisioning tool, set the following environment variables:
Set JAVA_HOME to: REPOSITORY_LOCATION/jdk
Check whether the TNS_ADMIN environment variable is set on the Oracle Internet Directory hosts.
env | grep TNS_ADMIN
If it is set, unset it.
Bash
unset TNS_ADMIN
Csh
unsetenv TNS_ADMIN
On Linux systems, set the DISPLAY environment variable to an active and authorized display.
On Solaris platforms, unset the DISPLAY environment variable on the system. This is required for all targets of the Oracle Identity Management provisioning.
The command syntax for the provisioning tool on UNIX is:
runIDMProvisioning.sh -responseFile RESPONSE_FILE -target STAGE
Where:
RESPONSE_FILE is the provisioning response file. The file name and directory are specified on the Summary page when the wizard is run to create the file. See Summary Page. The default value is IDMLCM_HOME/provisioning/bin/provisioning.rsp on UNIX.
STAGE is one of the stages listed in Provision an Oracle Identity Management Environment.
To use the Oracle Identity Management Provisioning Wizard to monitor the progress of provisioning, follow these steps:
Set JAVA_HOME to: REPOSITORY_LOCATION/jdk
Invoke idmProvisioningWizard.sh on Linux or UNIX.
Select Provision an Identity Management Environment in the Oracle Identity Management Installation Options page and specify the provisioning.rsp file created in Create an Oracle Identity Management Provisioning Profile.
MANDATORY:
Use the Oracle Identity Management Provisioning Wizard for provisioning for a single node topology.
Use the command line (runIDMProvisioning) for provisioning for a multiple node topology.
Use the Oracle Identity Management Provisioning Wizard to monitor the provisioning for a multiple node install. Run the Oracle Identity Management Provisioning Wizard only on the primordial host, IDMHOST1.
Then proceed as described in the following sections.
In the Prerequisite Checks, Installation, Preconfigure, Configure, Configure Secondary, Postconfigure, and Startup pages, the Status of each build is indicated by one of these icons:
Block: Processing has not yet started for the named phase.
Clock: Performing the build for a phase.
Check mark: The build was completed successfully.
x mark: The build has failed for this phase. Correct the errors beforecontinuing.
Click an x to display information about failures. Click the host-level Log file for details about this phase. Click a build Log file to see details specific to that build.
In case of errors, manually clean up everything. Kill all running processes, delete the directories, rerun RCU, and start over from the beginning.
Select Provision an Identity Management Environment to use an existing provisioning response file to provision the environment.
If the Oracle Identity Management topology spans multiple hosts, make the provisioning response file accessible to all hosts (preferrably by including it on shared storage) and run the provisioning tool on each host other than the primordial host, where the Oracle Identity Management Provisioning Wizard is running. This is explained in more detail on the Installation page.
In the Response File field, specify the path name of the file to be used, either by typing it in the field or by clicking the Browse button, navigating to the desired file, and selecting it.
Click Next to continue.
The Install Location Configuration page allows to modify the details entered previously when the response file was created. For details about the settings on this page, see Install Location Configuration Page.
Installation and Configuration.
Software Repository Location: Specify the location of the software repository, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it.
Software Installation Location: Specify the location on shared storage where the Middleware Home is placed, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it.
Shared Configuration Location: Specify the shared configuration location, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it.
Enable Local Configuration Location: Do not select this checkbox if a single host environment is being provisioned.
Select this checkbox to run Managed Servers from a local disk on the host, visible only to the processes running on that host. If this option is enabled, the Oracle Identity Management Provisioning Wizard copies the domain configuration from the shared location and places it on the local disk specified. This configures all Managed Servers to run from the non-networked location.
Local Configuration Location: Specify the location for the local domain directory to be set up, either by typing it in the field or by clicking the Browse button, navigating to the desired location, and selecting it. This field is required if the option Enable Local Applications Configuration is selected. The specified directory must initially be empty.
The Review Provisioning Configuration page enables to select configurations you want to review. Select a configuration and click Next to view the corresponding configuration page.
Node Topology Configuration
Virtual Hosts Configuration
Common Passwords
OID: Oracle Internet Directory Configuration
ODSM: Oracle Directory Services Manager Configuration
OHS: Oracle HTTP Server Configuration
OAM: Oracle Access Manager Configuration
OIM: Oracle Identity Manager Configuration
Load Balancer Configuration
Click Next to continue.
Use the Summary page to view a summary of the selections and enter additional information.
Review the information displayed to ensure that the installation details are correct. To make changes, click Back to return to previous screens in the interview.
Click Next to continue.
Use the Prerequisite Checks page to observe the progress of the preverification steps. During this stage, the Oracle Identity Management Provisioning Wizard checks for the basic prerequisites, such as free disk space, port availability, and Database connections.
See the note at the beginning of Monitor Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
Click Next to continue.
Use the Installation page to install the Oracle Fusion Middleware products. The host is marked with a Home symbol in the Host column. The Domains column lists the domains deployed in the new environment.
For the EDG topology, if the provisioning directory is not shared onto the WEBHOSTs, manually copy the following directories from IDMHOST1 to the local provisioning directories on those hosts. Do this BEFORE running the install on those hosts and AFTER completing the install phase on IDMHOST2.
Please note EDG Topology is only supported on Linux or UNIX platforms.
IDM_CONFIG/lcmconfig/topology
IDM_CONFIG/lcmconfig/credconfig
For example:
scp -r IDM_CONFIG/lcmconfig/topology WEBHOST1:IDM_CONFIG/lcmconfig/
scp -r IDM_CONFIG/lcmconfig/credconfig WEBHOST1:IDM_CONFIG/lcmconfig/
During this stage, the Oracle Identity Management Provisioning Wizard installs the software bits and applies the patches present in the repository.
In a terminal session on the hostprimary, secondary, and DMZ host (if present), run the install phase with the command:
Linux or UNIX:
runIDMProvisioning.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target install
See the note at the beginning of Monitoring Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
For Solaris only, after the IDM provisioning installation target completes, perform the following steps to manually replace the OPatch under IDM oracle homes:
Download the latest OPatch from My Oracle Support (patch number 25816288) to any local storage on the provisioning host.
Manually replace the OPatch directory in all IDM oracle homes as shown below:
cd <ORACLE_HOME> mv -f OPatch OPatch_orig unzip <Patch_location>/p25816288_122001_Generic.zip
Below is the list of oracle homes to be updated:
/u01/products/dir/oid /u01/products/dir/oracle_common /u01/products/app/idm /u01/products/app/iam /u01/products/app/oracle_common /u01/products/ohs/ohs /u01/products/ohs/webgate /u01/products/ohs/oracle_common
Click Next to proceed.
During this stage, the Oracle Identity Management Provisioning Wizard configures Oracle Internet Directory, Oracle Virtual Directory, and Oracle Directory Services Manager. It also creates the domain and extends it for all the necessary components.
In a terminal session on the hostprimary, secondary, and DMZ host (if present), run the preconfigure phase with the command:
runIDMProvisioning.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preconfigure
Linux or UNIX:
runIDMProvisioning.bat -responseFile IDMLCM_HOME\provisioning/bin/provisioning.rsp -target preconfigure
Note: Each new phase must run sequentially; that is, a new phase cannot be started until the previous phase has been completed successfully on all the hosts.
See the note at the beginning of Monitoring Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
Note: If a DMZ host is present, recopy the response file to the DMZ host.
Click Next. The Oracle Identity Management Provisioning Wizard starts the configure phase on the primordial host and displays the Configure screen.
During this stage, the Oracle Identity Management Provisioning Wizard performs OIM configuration.
See the note at the beginning of Monitor Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
Click Next. The Oracle Identity Management Provisioning Wizard starts the Configure-secondary phase on the primordial host and displays the Configure Secondary screen.
During this stage, the Oracle Identity Management Provisioning Wizard performs Oracle Identity Manager-Oracle Access Manager integration.
See the note at the beginning of Monitor Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
Click Next. The Oracle Identity Management Provisioning Wizard starts the Postconfigure phase on the primordial host and displays the Postconfigure screen.
During this stage, the Oracle Identity Management Provisioning Wizard performs tuning and enables the environment for SSL communication. Oracle Identity Federation is configured in this stage.
Copying WebGate Configuration Files to WEBHOST1 and WEBHOST2
This is applicable only for EDG topology when the OHS is on a DMZ host. EDG Topology is only supported on Linux or UNIX platforms.
When configuring WebGate during the postconfigure stage, the provisioning tool requires access to files created on the primordial host. So BEFORE postconfigure is run on WEBHOST1 and WEBHOST2, copy the entire directory IDM_CONFIG/domains/IDMDomain/output to the same location on WEBHOST1 and WEBHOST2.
For example:
scp -r IDMHOST1:$IDM_CONFIG/domains/IDMDomain/output WEBHOST1:$IDM_CONFIG/domains/IDMDomain
Before making the copy, it might be necessary to manually create the directory IDM_CONFIG/domains/IDMDomain on WEBHOST1 and WEBHOST2. After provisioning is complete, remove this directory from WEBHOST1 and WEBHOST2.
See the note at the beginning of Monitor Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
Click Next. The Oracle Identity Management Provisioning Wizard starts the Startup phase on the primordial host and displays the Startup screen.
During this stage, the Oracle Identity Management Provisioning Wizard starts or restarts all the services except for Oracle Identity Federation. To use Oracle Identity Federation, run it manually as a post-installation task described in Configure Oracle Identity Federation.
The Domains column lists the domains deployed in the new environment.
See the note at the beginning of Monitor Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
Click Next. The Oracle Identity Management Provisioning Wizard starts the Validate phase on the primordial host and displays the Validation screen.
During this stage, the Oracle Identity Management Provisioning Wizard performs the basic validations, such as server status and Oracle Internet Directory connectivity.
The host is marked with a Home symbol in the Host column. The Domains column lists the domains deployed in the new environment.
See the note at the beginning of Monitor Provisioning Using the Oracle Identity Management Provisioning Wizard for information about viewing build status on this page.
Click Next. The Oracle Identity Management Provisioning Wizard starts the Validate phase on the host and displays the Validation screen.
This section describes tasks that must be performed after Oracle Identity Management is provisioned.
Before managing Oracle Virtual Directory, create connections from ODSM to each of the Oracle Virtual Directory instances. To do this, proceed as follows:
Access ODSM through the load balancer at: http://ADMIN.mycompany.com/odsm
To create connections to Oracle Virtual Directory, follow these steps. Create connections to each Oracle Virtual Directory node separately. Using the Oracle Virtual Directory load balancer virtual host from ODSM is not supported:
Create a direct connection to Oracle Virtual Directory on LDAPHOST1 providing the following information in ODSM:
Host: LDAPHOST1.mycompany.com
Port: 8899 (The Oracle Virtual Directory proxy port, OVD_ADMIN_PORT)
Enable the SSL option.
User: cn=orcladmin
Password: password_to_connect_to_OVD
Create a direct connection to Oracle Virtual Directory on LDAPHOST2 providing the following information in ODSM:
Host: LDAPHOST2.mycompany.com
Port: 8899 (The Oracle Virtual Directory proxy port)
Enable the SSL option.
User: cn=orcladmin
Password: password_to_connect_to_OVD
The provisioning process includes several validation checks to ensure that everything is working correctly. This section describes additional checks that can be performed for additional sanity checking
Validate the WebLogic Administration Server as follows by verifying connectivity
Verify that the administration console can be accessed from the following URL:
http://admin.mycompany.com/console and logging in as the user weblogic_idm.
Verify that all managed servers are showing a status of Running.
Verify that Oracle Enterprise Manager Fusion Middleware Control can be accessed from the URL:
http://admin.mycompany.com/em and logging in as the user weblogic_idm.
To validate that this has completed correctly.
http://ADMIN.mycompany.com/oamconsoleWebgate_IDM, Webgate_IDM_11g and IAMSuiteAgent.This section describes how to validate the connection to the ODSM site in a browser and also ODSM connections to Oracle Internet Directory.
Follow these steps to validate that the Oracle Directory Services Manager (ODSM) site can be accessed:
Validate that Oracle Directory Services Manager can create connections to Oracle Internet Directory.
Create a connection to the Oracle Internet Directory on each ODSM instance separately. Even though ODSM is clustered, the connection details are local to each node. Proceed as follows:
Accept the certificate when prompted.
To validate that WebGate is functioning correctly, open a web browser and go the OAM console at: http://ADMIN.mycompany.com/oamconsole
The Oracle Access Manager Login page is displayed. Enter the OAM administrator user name (for example, oamadmin) and password and click Login. Then, see the Oracle Access Manager console displayed.
To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console at http://ADMIN.mycompany.com/console and to Oracle Enterprise Manager Fusion Middleware Control at: http://ADMIN.mycompany.com/em
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.
This section describes the operations to perform after setting up the Oracle Identity Management topology.
This section describes how to start, stop and restart the various components of the Oracle Enterprise Deployment for Oracle Identity Management.
This section contains the following topics:
When starting up the entire infrastructure, start the components in the following order, ignoring those not in the topology:
During provisioning, scripts are created in the SHARED_ROOT/config/scripts directory to start and stop all the servers in the environment. Two of the scripts are available to use from the command line to start and stop all Oracle Identity Management servers. The remaining scripts are used internally and must not be invoked from the command line.
These scripts do NOT stop or start the database.
Provisioning created a file called startall.sh for Linux. To start everything in the correct order run the command on hosts in the following order:
LDAPHOST1
LDAPHOST2
IDMHOST1
IDMHOST2
WEBHOST1
WEBHOST2
To start the services on a single host, execute the command on that host.
Before invoking this script, set JAVA_HOME to JAVA_HOME.
During execution the Weblogic and Node Manager administrator passwords are requested.
The script starts the servers in the following order:
Table 10-1 lists the administration consoles used in this guide and their URLs.
Table 10-1 Console URLs
| Domain | Console | URL |
|---|---|---|
|
IDMDomain |
WebLogic Administration Console |
|
|
IDMDomain |
Enterprise Manager FMW Control |
|
|
IDMDomain |
OAM Console |
|
|
IDMDomain |
ODSM |
|
It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. Discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, initiate the regular deployment-specific Backup and Recovery process.
See Introducing Backup and Recovery in the Oracle Fusion Middleware Administering Oracle Fusion Middleware.
For information on database backups, see Introduction to Backup and Recovery in the Oracle Database Backup and Recovery User's Guide.
This section contains the following topics:
Back up the Middleware homes whenever a new one is created or a components is added to it. The Middleware homes used in this guide are Oracle Identity Management and Oracle Identity and Access Management.
Whenever an action, which updates the data in LDAP, is performed, back up the directory contents.
This section contains the following topics:
Whenever you create add a component to the configuration, back up the IDMDB database. Perform this backup after creating domains or adding components such as Access Manager or Oracle Identity Manager.
To back up the WebLogic domain, perform these steps:
ASERVER_HOME directory from shared storage.MSERVER_HOME directory from each host.To back up the Web Tier, perform these steps:
Go to Troubleshoot Oracle Identity Management Provisioning which describes common problems that might be encountered when using Oracle Identity Management Provisioning and explains how to solve them.