4 Plan the Configuration of the Components of the Installation

Both the Oracle Identity Management and the Oracle Fusion Applications install procedures use the concept of internal and external HTTP endpoints as part of their service-oriented architecture. External HTTP endpoints are used by end-users to access the system and are used for the login screen, welcome pages, transaction pages, online help, and so on. Internal HTTP endpoints are not meant to be seen by end-users and instead are used for inter-component communication.

This distinction exists for security as well as topology reasons, allowing for maximum flexibility when deploying Oracle Fusion Applications on an enterprise environment. Since internal endpoints are not exposed externally, this provides a layer of security, and since internal traffic can easily be restricted to specific network segments, there is no need for extra security measures such as encryption. External HTTP endpoints allow for maximum topology flexibility: since they are the only external entry points for all Oracle Fusion Applications traffic, they are the only points in the topology that must be directly accessible to the external world; all other components can be located inside a firewall while still providing 100% access to end-users and other applications that integrate with Oracle Fusion Applications.

Both external and internal endpoints can be configured directly at the HTTP Server (in which case internal and external URLs will point at the HTTP Server) or can be configured at a Load Balancer or Reverse Proxy (in which case internal and external URLs will point at the LBR/RP and it in turn must be configured to point at the HTTP Server).

These conventions are used when naming URLs/endpoints within Oracle Fusion Applications, Oracle Identity Management, and in any load balancer that may be used.

A Load Balancer (LBR) is required for scaled-out enterprise topologies. It is used to balance and route:

• External HTTP traffic from end-users to the Oracle Fusion Applications and Oracle Identity Management Web Tiers

• Internal HTTP traffic from the mid tiers to the Web Tiers (for both Oracle Fusion Applications and Oracle Identity Management)

• Internal LDAP (TCP) traffic from mid tiers to the Identity and Policy Stores (directory tier)

• Internal TCP traffic from the Oracle Fusion Applications mid tier to the Oracle WebCenter Content (UCM) socket listeners

If the topology is not scaled out, an LBR/Reverse proxy is not mandatory, but it is recommended for enterprise topologies with the following characteristics:

• External access requiring that traffic go through a DMZ with the Oracle Fusion Applications Web Tier located in the internal network

• The environment is not currently scaled out but may be in the future

For development environments, an LBR/RP is normally not required or used. In this case, the Provisioning framework can have the LBR option turned off which will set up the Web Tier (OHS) as the HTTP endpoint for Oracle Fusion Applications.

Both Oracle Identity Management and Oracle Fusion Applications Provisioning install their own Oracle HTTP Server, which is the primary endpoint for all HTTP traffic, both internal and external. While each provisioning tool may configure its HTTP Server slightly differently, it is important that the planning phase take both into consideration when deciding:

• Naming convention for virtual hosts

• DMZ placement

• Port usage

Note the following default setups:

• Oracle Identity Management Provisioning requires hostnames for only the LBR endpoint. The OHS listeners and name-based virtual hosts are set up with wildcards. Oracle Fusion Applications, however, always requires hostnames for the OHS endpoints even when using an LBR, and its virtual hosts are set up using those hostnames. This has implications when choosing name-based vs. IP or port-based virtual hosts for Oracle Fusion Applications.

• Both Oracle Identity Management and Oracle Fusion Applications Provisioning terminate SSL connections at the LBR (external HTTP endpoints only). This means that when the LBR option is selected during provisioning, the OHS virtual hosts are not configured with an SSL listener and therefore the connection between the LBR and OHS is always non-SSL and SSL certificates must be set up at the LBR. On the other hand, if the LBR option is NOT selected, the consequences differ.

  For Oracle Identity Management, only the "Basic" topology allows no LBR. In this case, OHS is configured with no SSL for all internal, external and admin virtual hosts.

  For Oracle Fusion Applications Provisioning, the OHS is set up with SSL on the external virtual hosts, which requires installing SSL certificates.

A virtual IP address is an unused IP Address which belongs to the same subnet as the host's primary IP address. It is assigned to a host manually and Oracle WebLogic Managed servers are configured to listen on this IP Address. In the event of the failure of the node where the IP address is assigned, the IP address is assigned to another node in the same subnet, so that the new node can take responsibility for running the managed servers assigned to it.

The Network-Virtual Hosts tab includes the following tables:

• Complete the Web Tier Virtual Host Mode Table

• Complete the FA Web Tier Virtual Hosts Table

• Complete the IDM Web Tier Virtual Hosts Table

• Complete the HTTP LBR Endpoints Table

• Complete the LDAP Endpoints Table

• Complete the UCM LBR Endpoint Table

• Complete the AdminServer Virtual Hosts/VIPs Table

• Complete the Managed Server Virtual Hosts/VIPs Table

The Provisioning tools include default port numbers for all components in their Wizards. While it is possible to change these ports to any other value, keeping the defaults guarantees consistency across different installations or environments and may be helpful when following product documentation, since it uses these default ports in its reference architectures and configuration examples.

When changing port numbers from their defaults, pay special attention to potential conflicts for components running on the same server with the same port. While the installers verify and warn about any potential port conflicts, ensuring there are no conflicts before installation helps providing a more predictable and smoother installation experience.

It is recommended to maintain the minimum amount of free disk space specified in Table 4-3 to accommodate the initial installation, and a reasonable number of incremental backups, daily or weekly thereafter, and subsequent upgrade activities for future releases. If the environment does not meet the minimum requirements, a warning message is recorded in the provisioning log. Continue with the installation but may encounter insufficient disk space issues.

In Table 4-3, the Installation/Upgrade Storage column represents the free disk space required for completing installation and upgrade. The Base Storage column is free disk space required to maintain a working application environment which takes into account of storage growth due to transition data, and retention of diagnostic logs for administration and troubleshooting.

Table 4-4 outlines space recommendations for various components and directories, several of which are detailed below. It does not include the storage required for storing the Oracle Fusion Applications media packs and the provisioning repository.

• Shared Storage

• Local Storage (if used)

• DMZ Local Storage (if used)

• Database Storage

• Temporary Files Created During Installation (temp directory)

The oraInventory is the location where the Oracle Universal Installer stores information about all the Oracle software products installed on all ORACLE_HOMES and it is essential for lifecycle events such as applying patches, upgrades, and de-installing components. The following components require an oraInventory:

• Oracle Database

• Oracle Identity Management Provisioning tool

• Oracle Identity Management components

• Oracle Fusion Applications Provisioning tool

• Oracle Fusion Applications components

• Oracle HTTP Server (separate oraInventory when installed on a DMZ)

For more information about oraInventory (also called OUI Inventory in some references), see Oracle Universal Installer (OUI) Inventory in the Oracle Fusion Applications Patching Guide.

When planning the location of the oraInventory directories, consider the following:

• The oraInventory must be accessible from all the nodes that run software installed against it. Therefore, when Oracle Fusion Applications is installed on multiple nodes, the oraInventory for Oracle Fusion Applications must be located on shared storage. The same applies to the oraInventory for Oracle Identity Management. The database oraInventory locations are usually maintained separately from Oracle Fusion Applications and Oracle Identity Management oraInventory; shared storage is not applicable.

• Having a single oraInventory across all Oracle Fusion Applications components brings the advantage of centralized management and eliminates guesswork when applying patches. By default, the central oraInventory includes a known file (oraInst.loc) that provides the location of the central oraInventory to Oracle Fusion Applications lifecycle management utilities such as patching, upgrading, or cloning tools.

For oraInventory planning, please define the inventory location for each of the components below:

• Oracle Identity Management Provisioning Framework

• Oracle Fusion Applications Provisioning Framework

• Oracle Fusion Applications

• Oracle Identity Management

• Oracle Fusion Applications database

• Oracle Identity Management database

• OID database

• Oracle Fusion Applications Data Warehouse database

Define also whether each inventory is central or local:

• Central: The /etc/oraInst.loc file defines a server-wide location for a single inventory. When this file is present, Oracle installers/provisioning tools do not prompt for an inventory location and use the one defined in this file instead. This works well if the same Inventory path is used for all components. If the /etc/oraInst.loc file is not present, the first time an installer is run a central inventory location and group owner are requested. The installer creates the file automatically in the /etc directory, which requires root access. Copy manually that file to all servers using that software.

• Local: No /etc/oraInst.loc file should be present. In this case, during install it might necessary to:

  1. Specify an inventory location and group owner when prompted by an installer, and check the option to make it a local inventory. Be sure to use a path in shared storage so it is visible to all servers running that software. No root access is required in this case. The installer creates the local inventory automatically in the specified location and adds an oraInst.loc file pointing to that inventory in the ORACLE_HOME of the product.

  2. When the local inventory and oraInst.loc file have been created by the installer, use the option –invPrtLoc to specify the oraInst.loc file location when invoking the installers/provisioning tools.

Ensure enough shared storage available and is accessible, and enough local storage is available if using that option. When running the Provisioning Wizard, in addition to oraInventory, it is necessary to plan for the locations listed in the table below:

Directory Conventions:

• Directory names should not contain spaces.

• Directory structure is maintained across sources and targets, so use environment-neutral directory names and make them unique enough to guarantee this naming is available on a potential subsequent clone target.

• All the directories must be owned by the installing (operating system) user. By convention, most Oracle software installation are done with the operating system user called "oracle".

Oracle Fusion Applications and Oracle Identity Management use shared storage to make the binary files, configuration files, and other files available to all its Mid Tier nodes (and Web Tier nodes, if not using the DMZ option). The shared storage should be mounted at the exact same location for each Mid Tier node (and Web Tier nodes, if not using the DMZ option).

Shared storage must also be used for the:

• Provisioning repository

• Oracle Identity Management provisioning framework

• Oracle Fusion Applications provisioning framework

• hwrepo directory

• Database when using RAC

Shared storage may also be used temporarily during the installation process to hold temporary backup files or other files used during the installation process.

Additional consideration for the shared storage:

• Shared storage can be a Network Attached Storage (NAS) or Storage Area Network (SAN) device.

• NAS storage is only supported on NetApp and zFS.

• It is possible to set up separate volumes of shared storage, one for Oracle Fusion Applications and another for Oracle Identity Management. The Oracle Fusion Applications shared storage does not have to be mounted or visible to the Oracle Identity Management nodes, and vice-versa.

• If provisioning Oracle Identity Management and Oracle Fusion Applications on a single node, it is possible to use a local disk for shared storage, since it must only be visible to one node.

• The shared drive such as, Network File System (NFS) or Common Internet File System (CIFS) must support file locking. For NFS Version 3 and NFS Version 4, the advisory locking must be configured for the NFS mount. This applies to all UNIX platforms.

Both Oracle Identity Management and Oracle Fusion Applications Provisioning offer the option of using local storage to run Managed Servers and local instances. This storage location is a networked (local) disk on the host, visible only to the processes running on that host, which may offer better performance than shared storage.

When deciding whether or not to use local configuration take the following into account:

• Speed of local storage vs. shared storage

• Disk space available on the local storage

• IT processes (e.g. backup, storage mirroring) that require additional maintenance due to the added drive location and its accessibility from the local server only.

If the Local Config Storage option is used, the following directories are created:

For environments using the Basic or Enterprise (non-HA) topologies, a single-instance database is used.

For environments with High Availability requirements, Oracle Fusion Applications supports the use of Oracle Real Application Clusters (RAC).

MANDATORY: Use at least two nodes. RAC single-node functionality is not currently supported.

When a provisioning response file is created using the Oracle Fusion Applications Provisioning Wizard, if only one RAC node information is provided for the Oracle Fusion Applications database, then an error is displayed during the install phase. The error is generated due to a limitation in the Oracle Data Integrator (ODI) installer and at least two RAC nodes must be provided. See Install Phase Failed with INST-07221: Specified connect string is not in a valid format Error.

For more information on Oracle RAC, see the Oracle database library.

Figure 4-6 RAC or Single-instance Database Decision Tree

Description of "Figure 4-6 RAC or Single-instance Database Decision Tree"

When determining the database configuration, consider the required instances, the required patching, listener configurations, schema and password requirements, and RCU directories.

Two databases are recommended for Oracle Internet Directory and Oracle Access Manager/Oracle Identity Manager because they are likely to have different configuration requirements. If desired, they can be combined into a single database.

LDAP directories are used by Oracle Fusion Applications for storing identities - users and groups (acting as the Identity Store), as well as authorization policies and credentials (acting as the Policy Store/Credential Store).

Oracle Identity Management Provisioning provides the option to choose the context root for the Identity Store, i.e. the starting point in the directory tree for storing user and group information. Normally, the ID Store context root is based on the domain name, e.g. for a company with domain name "mycompany.com", the ID Store context root chosen is normally "dc=mycompany,dc=com". Provisioning then creates sub-contexts for Users (cn=Users), groups (cn=Groups) among others.

For the Policy Store, Oracle Identity Management Provisioning automatically creates contexts for the two policy stores (IDM and FA), under cn=jpsroot and cn=FAPolicies, respectively. Oracle Identity Management Provisioning does not allow to change them. During Oracle Fusion Applications Provisioning, context root for the FA Policy Store is requested, and although it is possible to choose a different one (Oracle Fusion Applications Provisioning can create it if necessary), it is recommended to use the one previously created by Oracle Identity Management Provisioning.

The table below provides a summary of the LDAP context roots used by Oracle Fusion Applications:

Oracle Access Manager (OAM) Transfer Mode refers to the transport security modes for communication between the Oracle Access Manager Server (OAM Server) and the Web gates. While OAM in general supports three different mode options (Open, Simple and Cert), the only available mode for Oracle Fusion Applications Provisioning is "Simple" for all platforms.

The table below provides a summary of OAM Transfer Modes and availability in Oracle Fusion Applications Provisioning. A single mode must be selected for the entire installation (including Oracle Identity Management) in accordance to the table. In simpler terms: all platforms require Simple mode.

By default, Oracle Internet Directory passwords expire in 120 days. Users who do not reset their passwords before expiration can no longer authenticate to Oracle Internet Directory. Note that this includes administrative users, such as oamadmin, and the Oracle Identity Management environment cannot work properly unless these users can authenticate. For information about changing Oracle Internet Directory password policies, see Managing Password Policies in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory .

The Oracle Fusion Applications Installation Workbook provides sample values to make many of these entries self-explanatory.

Out of the box, the Oracle Identity Management and Oracle Fusion Applications Provisioning frameworks configure their respective components to use SSL connections between the end users and the load balancer or reverse proxy (or Web Tier if an load balancer or reverse proxy is not used). This is mandatory and cannot be changed.

Oracle Identity Management Provisioning provides the option to select SSL or non-SSL for the IDM Admin HTTP endpoint, as noted in the Oracle Fusion Applications Installation Workbook. Select yes to have the endpoint configured for SSL automatically during Oracle Identity Management Provisioning.

If a load balancer is used, the connection between the LBR and the Web Tier is configured as non-SSL, out of the box. Therefore, the HTTP listener on the Oracle HTTP Server is non-SSL.

If a load balancer is not used, Oracle Identity Management behaves differently from Oracle Fusion Applications:

• Oracle Fusion Applications: The end-user (external) connections are still SSL, but they terminate at the Web Tier instead. (FA OHS is configured to listen to SSL traffic.)

• Oracle Identity Management: All external endpoints are non-SSL. (IDM OHS is configured to listen to regular HTTP traffic.)

SSL Certificate requirements depend on whether the topology uses a load balancer/reverse proxy or not.

If using an LBR/RP: Because both Oracle Identity Management and Oracle Fusion Applications terminate SSL connections at the load balancer, it is necessary to set up the appropriate SSL certificates on the load balancer BEFORE starting the provisioning process. The certificates should be created and provisioned to the LBR/RP according to the policies and procedures, along with the instructions provided by the load balancer or reverse proxy manufacturer.

If not using an load balancer or reverse proxy: SSL terminates at OHS, which is configured with a default dummy certificate. As the dummy certificate is not trusted by browsers, end users get certificate warning messages when they access any external URL. To avoid this, configure OHS to use certificate(s) signed by a trusted certificate authority (CA). This can be an external certificate authority such as Verisign, or an internal certificate authority whose root certificate is trusted by the browser. See Configure Oracle HTTP Server with Custom Certificates.