F
Auxiliary Procedures for Changing Infrastructure Services

This appendix contains auxiliary procedures that are referred to in Chapter 8, "Changing Infrastructure Services".

It contains the following topics:

• About LDAP-based Replicas

• Installing and Setting Up an LDAP-based Replica

• Migrating SSO and DIP Data

• Migrating Oracle Internet Directory Data

F.1 About LDAP-based Replicas

This section describes how to install and configure an LDAP-based Replica, specifically for use by the following procedures:

• Section 8.4, "Moving Identity Management to a New Host"

• Section 8.5, "Changing from a Test to a Production Environment"

F.1.1 What is an LDAP-based Replica?

Oracle Internet Directory replication is the process of copying and maintaining the same data (or naming context) on multiple directory servers. Simply put, replication is a means of having two identical directories that contain the same information. One directory is called the master (or supplier). This directory contains the master copy of the naming context. The other directory is called the replica (or consumer). The master supplies replication updates to the replica, which keeps the master and replica in sync.

There are different types of replicas. This procedure uses an LDAP-based Replica, which means the protocol for transferring data between the master and the replica is LDAP.

See Also: Oracle Internet Directory Administrator's Guide for more information on directory replication and LDAP-based Replicas

For the purposes of this procedure, the master and replica directories are part of a larger environment that includes the Identity Management installations that contain the directories, and the Metadata Repositories that support them. This is called the LDAP-based Replica Environment, and it contains the following:

Master--The Identity Management installation containing the Oracle Internet Directory that holds the master copy of the naming context. It supplies replication updates to the Replica.

Master Repository--The Metadata Repository that the Master uses to store its Identity Management schemas.

Replica--The Identity Management installation containing the replicated Oracle Internet Directory.

Replica Repository--The Metadata Repository that the Replica uses to store its Identity Management schemas.

Figure F-1 illustrates the LDAP-based Replica environment.

Figure F-1 LDAP-based Replica Environment

Text description of the illustration asadm008.gif

F.1.2 How is the LDAP-based Replica Used for Changing Infrastructure Services?

Typically, an LDAP-based Replica is used to provide high availability and improved performance for directory users. For the purposes of changing Infrastructure services, the LDAP-based Replica is used as follows:

• For Section 8.4, "Moving Identity Management to a New Host", the LDAP-based Replica is created as a way of moving Identity Management from one host to another. The Master is the original Identity Management installation, and the Replica is the new Identity Management installation. In this case, replication is used to create an identical copy of the original Identity Management on a new host. You can then change your middle tiers from the old Identity Management (Master) to the new Identity Management (Replica) and discard the Master.

• For Section 8.5, "Changing from a Test to a Production Environment", the Replica is used to create a Test to Production environment. The Master is the Production Identity Management, and the Replica is the Test Identity Management. When you are ready to merge your Test Environment into your Production Environment, you can migrate data from your Test Identity Management (Replica) to your Production Identity Management (Master) and change your middle-tiers from the Test Identity Management to the Production Identity Management. You can then discard the Test Identity Management or continue to use it for testing.

F.2 Installing and Setting Up an LDAP-based Replica

This section describes how to install and set up an LDAP-based Replica environment.

F.2.1 Things to Know Before You Start

You should be aware of these important items before you start the procedure:

• This procedure uses a single Infrastructure Oracle home that contains Identity Management and the Metadata Repository. However, it is fine to split the Infrastructure installation so Identity Management is in one Oracle home and the Metadata Repository is in another Oracle home. You can also distribute the Identity Management components (SSO, OID, DAS, DIP) across different hosts. If you do this, perform the operations on each component in their respective Oracle homes.

• The Replica always uses port 389 for the non-SSL OID port, and 636 for the SSL OID port, regardless of what is reported by Oracle Universal Installer, or printed in ORACLE_HOME/install/portlist.ini. Make sure no other processes are using ports 389 and 636 on the Replica host before you start the procedure.

• Make sure you use the ldapsearch and ldapmodify commands that are in ORACLE_HOME/bin. (Some operating systems ship their own version of these commands--do not use those.)

• The procedure contains many Oracle Internet Directory operations and requires a familiarity with Oracle Internet Directory administration and replication.

• The procedure contains many steps. It is important to follow each step precisely and not skip any steps.

• The procedure includes Validation Steps. You should perform these checks to verify that you are proceeding successfully.

• The procedure requires you to provide many parameters. Rather than describe these parameters multiple times throughout the procedure, they are listed in Table F-1, in the order in which they are first used. As you work through the procedure, each time you encounter a new parameter, you can refer to the table to learn how to obtain its value. Make a note of each value as you obtain it, and refer back to your notes as you continue through the procedure.

  Table F-1   Parameters for Setting Up an LDAP-based Replica

  Document Convention	Description
  REPLICA_HOME	Replica Oracle home
  replica_db_name	Name of the entry for the Replica Repository in REPLICA_HOME/network/admin/tnsnames.ora.For example, the replica_db_name is asdb.myco.com if the entry looks like this: ASDB.MYCO.COM = (DESCRIPTION = ....
  replica_ods_passwd	Password for the ODS schema in the Replica Repository. The default is "ods".
  replica_orcladmin_passwd	Replica orcladmin password. The default is "welcome".
  replica_oid_port	Replica non-SSL OID port number. This value is always 389.
  master_host	Master hostname (you can use the plain or fully-qualified hostname)
  master_oid_port	Master non-SSL OID port number This is listed as OIDport in MASTER_HOME/config/ias.properties
  master_ods_passwd	Password for the ODS schema in the Master Repository. The default value is the ias_admin password you supplied while installing the Master.
  replica_host	Replica hostname
  MASTER_HOME	Master Oracle home
  master_orcladmin_passwd	Replica orcladmin password. The default value is the ias_admin password you supplied while installing the Master.
  master_replicaid	Master replica ID. You obtain this value during the procedure.
  master_agreementid	Master agreement identifier. You obtain this value during the procedure.
  replica_replicaid	Replica replica ID. You obtain this value during the procedure.
  replica_repository_dn	Replica Repository dn. You obtain this value during the procedure.
  replica_ssl_oid_port	Replica SSL OID port number. This value is always 636.
  replica_http_port	Oracle HTTP Server Listen port on the Replica. This value is listed in REPLICA_HOME/install/portlist.ini. The default is 7777.
  replica_em_port	Application Server Control port on the Replica. This value is listed in REPLICA_HOME/install/portlist.ini. The default is 1810.

F.2.2 Procedure

This section contains the procedure for setting up an LDAP-based Replica. It contains the following tasks:

• Task 1: Obtain the Master and Master Repository

• Task 2: Install Middle-Tier Instances (Optional)

• Task 3: Install and Configure the Replica

• Task 4: Configure and Start Replication

• Task 5: Register the Replica OID with Application Server Control

• Task 6: Enable SSO, DAS, and DIP on the Replica

Task 1: Obtain the Master and Master Repository

Most likely, you already have your Master and Master Repository.

• If you are following the procedure in Section 8.4, "Moving Identity Management to a New Host", the Master and Master Repository are the installations you would like to move to a new host, and the LDAP-base Replica will be the relocated installations.

• If you are following the procedure in Section 8.5, "Changing from a Test to a Production Environment", the Master and Master Repository are your Production environment, and the Replica will be your Test environment.

If you are starting from scratch, you can install a Master and Master Repository as follows:

1. Install Oracle Application Server using Oracle Universal Installer.

2. Choose the Infrastructure Installation.

3. Choose to install Identity Management and OracleAS Metadata Repository.

4. Choose to configure the following components: Oracle Internet Directory, OracleAS Single Sign-On, Delegated Administration Services, and Directory Integration and Provisioning

Task 2: Install Middle-Tier Instances (Optional)

Most likely, you already have middle-tier instances using the Master for Identity Management services. This is fine, and, if desired, you can install and configure additional instances to use the Master now, or at the end of this procedure after you have configured the Replica, or both.

These middle-tier instances can use the Master Repository for their product metadata, or they can use a different repository.

Task 3: Install and Configure the Replica

In this task, you install and configure the Replica and Replica Repository. The general procedure is to install an Infrastructure and choose Identity Management and Metadata Repository. However, you deselect all Identity Management components (OID, SSO, DAS, and DIP). After installation, you perform manual steps to configure and start up OID, SSO, DAS, and DIP.

1. Install the Replica.

   Be sure to install the Replica on a different host than the Master.

   1. Install Oracle Application Server using Oracle Universal Installer.

   2. Choose the Infrastructure Installation.

   3. Choose to install Identity Management and OracleAS Metadata Repository.

   4. Deselect all of the components that you can, so only OracleAS Metadata Repository, Oracle HTTP Server, and OracleAS Containers for J2EE are selected.

   5. When asked if you would like to register the Metadata Repository with Oracle Internet Directory, check Yes and supply the connection information for the Master Oracle Internet Directory.

2. Start OID on the Replica.
   1. Create a wallet for the ODS password:

      REPLICA_HOME/bin/oidpasswd connect=replica_db_name create_wallet=TRUE 
      current_password=replica_ods_passwd
      
      

   2. Make sure OPMN is running:

      REPLICA_HOME/opmn/bin/opmnctl ping
      
      

      If OPMN is not running, start it:

      REPLICA_HOME/opmn/bin/opmnctl start
      
      

   3. Enable OID by editing the following file:

      REPLICA_HOME/opmn/conf/opmn.xml
      
      

      Modify the ias-component entry for OID so the status is enabled, as follows:

      <ias-component id="OID" status="enabled">
      
      

      Save and close the file.

   4. Run the following command:

      REPLICA_HOME/dcm/bin/dcmctl updateConfig
      
      

   5. Reload opmn.xml:

      REPLICA_HOME/opmn/bin/opmnctl reload
      
      

   6. Start OID:

      REPLICA_HOME/opmn/bin/opmnctl startproc ias-component=OID
      
      

3. Validation Step: Make sure the Replica OID is started:

   REPLICA_HOME/bin/ldapbind -D cn=orcladmin -w replica_orcladmin_passwd -p 
   replica_oid_port
   
   

   If the command fails, check the following files for information on why the server did not start:

   REPLICA_HOME/ldap/log/oidmon.log
   REPLICA_HOME/ldap/log/oidldap01*.log
   
   

   You can check the files manually, or use Log Viewer (refer to Section 4.2, "Listing and Viewing Log Files With Enterprise Manager")

   See Also: Oracle Internet Directory Administrator's Guide, appendix on Syntax for LDIF and Command Line Tools, for more information

4. Enable SSL for OID.
   1. On the Replica host, create a file named mod.ldif that contains the following lines:

      dn:cn=configset0,cn=osdldapd,cn=subconfigsubentry
      changetype:modify
      replace:orclsslenable
      orclsslenable:2
      
      

   2. Run the following command:

      REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd 
      -p replica_oid_port -v -f mod.ldif
      
      

   3. Restart OID:

      REPLICA_HOME/opmn/bin/opmnctl restartproc ias-component=OID
      
      

5. Validation Step: Make sure the SSL port is enabled on the Replica OID:

   REPLICA_HOME/bin/ldapbind -D cn=orcladmin -w replica_orcladmin_passwd -U 1 
   -p replica_ssl_oid_port
   
   

   If the command fails, perform Step 4, "Enable SSL for OID" again.

Task 4: Configure and Start Replication

In this task, you register the Replica with the Master.

1. Set environment variables.
   1. Make sure the ORACLE_HOME environment variable is set.

   2. Set the library path.
      • On HPUX systems, make sure the SHLIB_PATH environment variable includes $ORACLE_HOME/lib32

      • On all other UNIX systems, make sure the LD_LIBRARY_PATH environment variable includes $ORACLE_HOME/lib

2. Run the following command to configure replication:

   REPLICA_HOME/ldap/bin/remtool -paddnode
   
   

   The tool prompts for information, as shown Table F-2.

   Table F-2   Prompts for the remtool Command

   At this prompt...	Enter...
   Enter supplier directory details: Enter hostname of host running OID server	Master hostname (master_host)
   Enter port on which OID server is listening	Master non-SSL OID port number (master_oid_port)
   Enter replication dn password	Master Repository ODS schema password (master_ods_passwd)
   Enter consumer directory details: Enter hostname of host running OID server	Replica hostname (replica_host)
   Enter port on which OID server is listening	Replica non-SSL OID port number (replica_oid_port)
   Enter replication dn password	Replica Repository ODS schema password (replica_ods_passwd)
   Enter naming context (e-end, q-quit)	* (Enter the asterisk character.)
   Enter naming context (e-end, q-quit)	e
   Following naming contexts will be included for replication: 1. * Do you want to continue? [y/n]	y

3. Validation Step: Check if replication is configured:

   REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h 
   replica_host -p replica_oid_port -b "cn=replication configuration" -s sub 
   "objectclass=orclreplnamectxconfig" dn orclincludednamingcontexts
   
   

   This command should return two entries of the following types:

   orclincludednamingcontexts=cn=oraclecontext
   orclincludednamingcontexts=*
   
   

   If it only returns one entry, and it is of the first listed type, there was a problem configuring replication. To recover, delete the Replica and repeat step 2, "Run the following command to configure replication".

   To delete the Replica:

   REPLICA_HOME/ldap/bin/remtool -pdelnode
   

   See Also: Oracle Internet Directory Administrator's Guide, appendix on Syntax for LDIF and Command Line Tools, for more information on remtool

4. Change the server on the Replica to read-write mode.
   1. On the Replica host, create a file named mod.ldif that contains the following lines:

      dn:
      changetype:modify
      replace:orclservermode
      orclservermode:rw
      
      

   2. Run the following command:

      REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd 
      -p replica_oid_port -v -f mod.ldif
      
      

5. Obtain the Master replica ID by running the following command:

   MASTER_HOME/bin/ldapsearch -h master_host -p master_oid_port -D cn=orcladmin 
   -w master_orcladmin_passwd -b "" -s base "objectclass=*" orclreplicaid
   
   

   The replica ID will look something like "myhost_asdb".

6. Obtain the Master agreement identifier by running the following command:

   MASTER_HOME/bin/ldapsearch -h master_host -p master_oid_port -D cn=orcladmin 
   -w master_orcladmin_passwd -b "orclreplicaid=master_replicaid,cn=replication 
   configuration" -s sub "objectclass=orclreplagreemententry" dn
   
   

   Where master_replicaid is the Master replica ID you obtained in the previous step.

   The agreement identifier will look something like "000002".

7. Perform this step on the Master.
   1. Create a file named mod.ldif that contains the following lines:

      dn:cn=includednamingcontext000001,cn=replication namecontext,
      orclagreementid=master_agreementid,orclreplicaid=master_replicaid,cn=rep
      lication configuration
      changetype:modify
      replace:orclexcludednamingcontexts
      orclexcludednamingcontexts:orclapplicationcommonname=orasso_ssoserver,cn
      =sso,cn=products,cn=oraclecontext
      
      

      Where master_agreementid is the Master agreement identifier and master_replicaid is the Master replica ID you obtained in the previous steps.

      Note that in the above code example, the first 3 lines should be a single line in your file; the next line is a single line; the next line is a single line; and the final two lines should be a single line in your file.

   2. Run the following command:

      MASTER_HOME/bin/ldapmodify -D cn=orcladmin -w master_orcladmin_passwd -p 
      master_oid_port -v -f mod.ldif
      
      

8. Obtain the Replica replica ID by running the following command:

   REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D 
   cn=orcladmin -w replica_orcladmin_passwd -b "" -s base "objectclass=*" 
   orclreplicaid
   
   

   The replica ID will look something like "myhost_asdb".

9. On the Replica host, modify the replica subentry to configure bootstrap.
   1. Create a file named mod.ldif that contains the following lines:

      dn:orclreplicaid=replica_replicaid,cn=replication configuration
      changetype:modify
      replace:orclreplicastate
      orclreplicastate:0
      
      

      replica_replicaid is the Replica replica ID you obtained in the previous step.

   2. Run the following command:

      REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd 
      -p replica_port -v -f mod.ldif
      
      

10. Start the Replica:

    REPLICA_HOME/bin/oidctl connect=replica_db_name server=oidrepld instance=1 
    flags='-p replica_oid_port' start
    
    

    Wait for the Replica to bootstrap before proceeding to the next step. You can monitor the progress of the bootstrap by watching the messages appended to the oidrepld log file with the following command:

    tail -f REPLICA_HOME/ldap/log/oidrepld00.log
    
    

    For example:

    Starting scheduler...
    Start to BootStrap from supplier=pdsun-qa5_orcl to consumer=pdsun-qa8_repsid
    gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext......
    gslrbssSyncDIT:Sync done successfully for cn=oraclecontext, 266 entries 
    matched
    gslrbssSyncDIT:Replicating namingcontext=dc=com ......
    gslrbssSyncDIT:Sync done successfully for dc=com, 197 entries matched
    gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ......
    gslrbssSyncDIT:Sync done successfully for cn=oracleschemaversion, 10 entries 
    matched
    
    

    Note that if you cannot locate the above log file, the Replica may have failed to start. Check the command you used at the beginning of this step to start the Replica and retry if you find any problems.

11. Validation Step: Verify the Replica has bootstrapped successfully.

    The following commands should each return entries:

    REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h 
    replica_host -p replica_oid_port -b "dc=com" -s sub "objectclass=*" dn
    
    REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h 
    replica_host -p replica_oid_port -b "cn=oraclecontext" -s sub 
    "objectclass=*" dn
    
    

    If either of the above commands does not return entries then there was a problem with the bootstrap.

12. Validation Step: Verify the SSO server entry is excluded from replication.

    The following search against the Replica should not return an entry. It should return two entries: "No such object" and a matched entry.

    REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h 
    replica_host -p replica_oid_port -b 
    "orclapplicationcommonname=orasso_ssoserver, cn=sso, cn=products, 
    cn=oraclecontext" -s base "objectclass=*" dn
    
    

    The same search, when performed against the Master, should return an entry.

    MASTER_HOME/bin/ldapsearch -D cn=orcladmin -w master_orcladmin_passwd -h 
    master_host -p master_oid_port -b 
    "orclapplicationcommonname=orasso_ssoserver, cn=sso, cn=products, 
    cn=oraclecontext" -s base "objectclass=*" dn
    
    

    If there are any problems, repeat steps 7, 8, and 9 in Task 4, then restart the Replica as follows:

    REPLICA_HOME/bin/oidctl connect=replica_db_name server=oidrepld instance=1 
    flags='-p replica_oid_port' restart
    

Task 5: Register the Replica OID with Application Server Control

In this task, you enable the Replica OID to show up in Application Server Control.

1. Create the ldaptarget.xml file by making a copy of the template:

   cd REPLICA_HOME/ldap/templates
   cp ldaptarget.xml.template ldaptarget.xml
   
   

2. Edit the ldaptarget.xml file and replace the following variables with values for your installation:

   s_instanceName is the instance name of the Replica. You can obtain this name with the following command:

   REPLICA_HOME/dcm/bin/dcmctl whichInstance
   
   

   s_hostName is the fully qualified Replica host name--the same value as replica_host.

   ORACLE_HOME is the Replica Oracle home--the same value as REPLICA_HOME.

   s_odsPwd is the password for the Replica ODS schema--the same value as replica_ods_passwd.

   s_tnsAddress is the Net Description string for the Replica repository. You can obtain this from REPLICA_HOME/network/admin/tnsnames.ora. For example:

   (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.myco.com) 
   (PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=infra.myco.com)))
   
   

   Note you should enter the entire string with no new-line characters and no white-space characters.

   For example:

   <Target TYPE="oracle_ldap" NAME="infra.myhost.myco.com_LDAP" 
   DISPLAY_NAME="OID" VERSION="2.5" ON_HOST="myhost.myco.com">
     <Property NAME="OracleHome" VALUE="/home/infra"/>
     <Property NAME="password" VALUE="ods" ENCRYPTED="FALSE"/>
     <Property NAME="LDAPScriptsPath" VALUE="/sysman/admin/scripts"/>
     <Property NAME="host" VALUE="myhost.myco.com"/>
     <Property NAME="UserName" VALUE="ods" ENCRYPTED="FALSE"/>
     <Property NAME="LDAPBindDN" VALUE="cn=emd admin,cn=oracle internet 
   directory" ENCRYPTED="FALSE"/>
     <Property NAME="LDAPBindPwd" VALUE=""/>
     <Property NAME="version" VALUE="9.0.4"/>
     <Property NAME="ConnectDescriptor" 
   VALUE="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.myco.c
   om)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=asdb.myco.com)))"/>
     <CompositeMembership>
        <MemberOf TYPE="oracle_ias" NAME="infra.myhost.myco.com" ASSOCIATION=" 
   "/>
     </CompositeMembership>
   </Target>
   
   

3. Upload the OID target using the following command (note that the following is a single command; type it all on one line):

   REPLICA_HOME/bin/emctl config addtarget 
   REPLICA_HOME/ldap/templates/ldaptarget.xml REPLICA_HOME
   
   

4. Verify that OID shows up in Application Server Control:
   1. Make sure Oracle Enterprise Manager Application Server Control is started:

      REPLICA_HOME/bin/emctl startifdown iasconsole
      
      

   2. Navigate to Application Server Control:

      http://replica_host:replica_em_port
      
      

      The ias_admin password on the Replica is set to the same value as the ias_admin password on the Master.

   3. Use Application Server Control to navigate to the Instance Home Page for the Replica instance.

   4. Verify that Oracle Internet Directory is listed in the System Components section.

5. Remove the ldaptarget.xml file; it contains secure information such as the ODS schema password:

   rm REPLICA_HOME/ldap/templates/ldaptarget.xml
   

Task 6: Enable SSO, DAS, and DIP on the Replica

In this task, you enable SSO, DAS, and DIP on the Replica.

1. Modify the replication configuration for SSO.
   1. Obtain the Replica Repository dn:

      REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D 
      cn=orcladmin -w replica_orcladmin_passwd -b "cn=oraclecontext" -s one 
      "objectclass=orcldbserver" dn
      
      

      This command will return two DNs in the form of:

      cn=short_gdbname,cn=oraclecontext
      
      

      Find the one that corresponds to the Replica Repository.

      Note that if this command returns the error "ldap_search: No such object" you should go back to the previous step and make sure the Replica was started properly.

   2. On the Replica host, create a file named mod.ldif that contains the following lines:

      dn:orclreplicaid=replica_replicaid,cn=replication configuration
      changetype:modify
      replace:seeAlso
      seeAlso:replica_repository_dn
      
      

      Where replica_repository_dn is the Replica Repository dn you obtained in the previous step.

   3. Run the following command:

      REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd 
      -p replica_oid_port -v -f mod.ldif
      
      

2. Edit REPLICA_HOME/config/ias.properties to reflect the Replica OID server host and port. Change the following lines:

   OIDhost=replica_host
   OIDport=replica_oid_port
   OIDsslport=replica_ssl_oid_port
   VirtualHostName=replica_host
   
   

3. Edit REPLICA_HOME/network/admin/ldap.ora to reflect the Replica OID server host and port. Change the following line:

   DIRECTORY_SERVERS = (replica_host:replica_oid_port:replica_ssl_oid_port)
   
   

4. Configure SSO in Oracle Enterprise Manager Application Server Control.
   1. Make sure Oracle Enterprise Manager Application Server Control is started:

      REPLICA_HOME/bin/emctl startifdown iasconsole
      
      

   2. Navagate to Application Server Control:

      http://replica_host:replica_em_port
      
      

   3. Use Application Server Control to navigate to the Instance Home Page for the Replica instance.

   4. On the Instance Home Page, in the System Components section, click Configure Component.

   5. On the Select Component screen, select Single Sign-On Server in the dropdown menu. Click Continue.

   6. On the Login screen:
      • In the User Name field, enter cn=orcladmin.

      • In the Password field, enter the Replica cn=orcladmin password ("welcome").

   7. Click Finish.

   8. When the confirmation message appears, click OK.

5. Validation Step: If the confirmation message does not appear, or there is an error displayed, there are a few possible reasons. Check the following log files for errors:

   REPLICA_HOME/sysman/log/emias.log
   REPLICA_HOME/sso/log/ssoem.log
   REPLICA_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
   
   

   • If the error messages on the screen or in the log files indicate an LDAP or OID error, check that the Replica OID server is running and that you supplied a valid password for cn=orcladmin. Also check that you updated ias.properties correctly in step 2 and that you configured the OID replica correctly. Then repeat step 4.

   • If the error messages in the log files indicate a database error, check that the Replica Repository is running and that you updated the ldap.ora file correctly in step 3. Then repeat step 4.

6. Perform this step only if your Replica is on an HPUX system.
   1. Edit the following file:

      REPLICA_HOME/opmn/conf/opmn.xml
      
      

   2. Locate the entry for OC4J_SECURITY.

   3. In the environment element, replace LD_LIBRARY_PATH with SHLIB_PATH. For example, change:

      <process-type id="OC4J_SECURITY" module-id="OC4J">
        <environment>
          <variable id="LD_LIBRARY_PATH" value="/private/oracleas/lib"/>
      
      

      To:

      <process-type id="OC4J_SECURITY" module-id="OC4J">
        <environment>
          <variable id="SHLIB_PATH" value="/private/oracleas/lib32"/>
      
      

   4. Save and close the file.

   5. Run the following command:

      REPLICA_HOME/dcm/bin/dcmctl updateConfig
      
      

   6. Reload OPMN:

      REPLICA_HOME/opmn/bin/opmnctl reload
      
      

7. Register mod_osso.
   1. Set environment variables.
      • On HPUX systems, make sure the SHLIB_PATH environment variable includes $ORACLE_HOME/lib32

      • On all other UNIX systems, make sure the LD_LIBRARY_PATH environment variable includes $ORACLE_HOME/lib

   2. Run the following command:

      REPLICA_HOME/jdk/bin/java -jar REPLICA_HOME/sso/lib/ossoreg.jar
      -oracle_home_path REPLICA_HOME
      -site_name replica_host
      -config_mod_osso TRUE
      -mod_osso_url http://replica_host:replica_http_port
      -u user
      
      

      Note that user is the user that starts Oracle HTTP Server. By default, this is the user that installed Oracle Application Server. If you have changed the Oracle HTTP Server listen port number to a value < 1024, then this user is root.

8. Configure DAS in Oracle Enterprise Manager Application Server Control.
   1. Navagate to Application Server Control:

      http://replica_host:replica_em_port
      
      

   2. Use Application Server Control to navigate to the Instance Home Page for the Replica instance.

   3. On the Instance Home Page, in the System Components section, click Configure Component.

   4. On the Select Component screen, select Delegated Administration Service in the dropdown menu. Click Continue.

   5. On the Login screen:
      • In the User Name field, enter cn=orcladmin.

      • In the Password field, enter the Replica cn=orcladmin password ("welcome").

   6. Click Finish.

   7. When the confirmation message appears, click OK.

9. Update the DAS URL entry.
   1. On the Replica host, create a file named mod.ldif with the following lines:

      dn:cn=OperationURLs,cn=DAS,cn=Products,cn=OracleContext
      changetype:modify
      replace:orcldasurlbase
      orcldasurlbase:http://replica_host:replica_http_port/
      
      

      Note the slash at the end of the URL.

   2. Run the following command:

      REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd 
      -p replica_oid_port -v -f mod.ldif
      
      

10. Restart the Replica instance:

    REPLICA_HOME/opmn/bin/opmnctl stopall
    REPLICA_HOME/opmn/bin/opmnctl startall
    
    

11. Validation Step: Verify that SSO was configured successfully.

    Navigate to the following URL and click Login:

    http://replica_host:replica_http_port/pls/orasso
    
    

    Log in as orcladmin and use the password you specified during the installation of the Master. If the page does not appear or the login fails, check the following log files:

    REPLICA_HOME/Apache/Apache/logs/error_log.most_recent_timestamp
    REPLICA_HOME/sso/log/ssoServer.log
    

    See Also: Oracle Application Server Single Sign-On Administrator's Guide

12. Validation Step: Verify that DAS was configured successfully.

    Using Application Server Control, navigate to the Instance Home Page where DAS is running. Verify that OC4J_SECURITY is listed in the System Components section. Verify that the Farm value displayed on the page is the Replica Repository.

    Verify DAS is running properly:

    1. Log in to DAS using the following URL:

       http://replica_host:replica_http_port/oiddas
       
       

    2. Click the My Profile tab

    3. Make sure the correct login user information is shown on this page

    4. Click on the Directory tab

    5. Type in a keyword in the "Search for user" field and click the Go button

    6. Make sure the correct list of users is shown on the search result table

    If these steps fail, turn on DAS debugging mode by setting the DEBUG flag to true in the following file:

    REPLICA_HOME/ldap/das/das.properties
    
    

    and restart DAS as follows:

    REPLICA_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY
    REPLICA_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
    
    

    Repeat the steps for verifying DAS is running properly to reproduce the problem. Examine the errors in the DAS log file:

    REPLICA_HOME/ldap/log/das.log
    
    

13. Migrate the DIP data:

    MASTER_HOME/bin/dipassistant reassociate -src_ldap_host master_host 
    -src_ldap_port master_oid_port -dst_ldap_host replica_host -dst_ldap_port 
    replica_oid_port -src_ldap_passwd master_orcladmin_passwd -dst_ldap_passwd 
    replica_orcladmin_passwd
    
    

    This command prints log messages to:

    MASTER_HOME/ldap/odi/log/reassociate.log
    
    

14. Configure DIP in Oracle Enterprise Manager Application Server Control.
    1. Navagate to Application Server Control:

       http://replica_host:replica_em_port
       
       

    2. Use Application Server Control to navigate to the Instance Home Page for the Replica instance.

    3. On the Instance Home Page, in the System Components section, click Configure Component.

    4. On the Select Component screen, select Directory Integration and Provisioning in the dropdown menu. Click Continue.

    5. On the Login screen:
       • In the User Name field, enter cn=orcladmin.

       • In the Password field, enter the Replica cn=orcladmin password ("welcome").

    6. Click Finish.

    7. When the confirmation message appears, click OK.

15. Start the DIP server on the Replica:

    REPLICA_HOME/bin/oidctl server=odisrv instance=1 
    flags='port=replica_oid_port' start
    
    

16. Validation Step: Verify that DIP was configured successfully.

    Navigate to the Directory Integration Page on Application Server Control. The DIP server instance "1" should have a status of "UP", the DIP host should be the Replica host, and the OID node should be the Replica host. If this is not the case, the DIP server was not registered and brought up on the Replica host successfully. To debug this problem, check the DIP server log file:

    REPLICA_HOME/ldap/log/odisrv01.log
    
    

    All provisioning profiles should be getting executed successfully. If any of the profiles show a "Database connection error" in the errors field, then the reassociation of the profiles was not successful. To debug this problem, check the application-specific trace file in this directory:

    REPLICA_HOME/ldap/odi/log
    
    

    The trace file names are of the form application_name_realm_name_E.trc or application_name_realm_name_E.aud.

You have finished setting up an LDAP-based Replica. You can return the main procedure you are following in either Section 8.4, "Moving Identity Management to a New Host" or Section 8.5, "Changing from a Test to a Production Environment".

F.3 Migrating SSO and DIP Data

This procedure describes how to migrate SSO and DIP data from a source Infrastructure to a target Infrastructure.

• If you are using this procedure in conjunction with Section 8.4, "Moving Identity Management to a New Host", you should migrate the SSO and DIP data from the Master (old host) to the Replica (new host).

  In this case, the Master is the source and the Replica is the target. You can convert the parameters in the procedure as follows:

  • Convert SOURCE_param to MASTER_param

  • Convert TARGET_param to REPLICA_param

• If you are using this procedure in conjunction with Section 8.5, "Changing from a Test to a Production Environment", you should migrate the SSO and DIP data from the Replica (Test) to the Master (Production).

  In this case, the Replica is the source and the Master is the target. You can convert the parameters in the procedure as follows:

  • Convert SOURCE_param to REPLICA_param

  • Convert TARGET_param to MASTER_param

Refer to Table F-1 to obtain the values for the various parameters used in this procedure.

This procedure contains the following tasks:

• Task 1: Migrate the SSO Data

• Task 2: Migrate the DIP Data

Task 1: Migrate the SSO Data

1. Obtain the ORASSO schema password on the source:

   SOURCE_HOME/bin/ldapsearch -p source_oid_port -h source_host -D 
   "cn=orcladmin" -w source_orcladmin_password -b "orclresourcename=orasso, 
   orclreferencename=source_db_name, cn=ias infrastructure databases, cn=ias, 
   cn=products, cn=oraclecontext" -s base "objectclass=*" orclpasswordattribute
   
   

   This command prints the ORASSO password in a line like the following:

   orclpasswordattribute=LAetjdQ5
   
   

2. Export the SSO data from the source:

   SOURCE_HOME/sso/bin/ssomig -export -s orasso -p source_orasso_passwd -c 
   source_db_name -log_d $SOURCE_HOME/sso/log
   
   

   source_orasso_passwd is the ORASSO password obtained in the previous step.

3. Copy the ssomig.dmp and ssoconf.log files from the source to the target, preserving the exact full path for each file:

   cp SOURCE_HOME/sso/log/ssomig.dmp TARGET_HOME/sso/log/ssomig.dmp
   cp SOURCE_HOME/sso/log/ssoconf.log TARGET_HOME/sso/log/ssoconf.log
   
   

4. Obtain the ORASSO schema password on the target:

   TARGET_HOME/bin/ldapsearch -p target_oid_port -h target_host -D 
   "cn=orcladmin" -w target_orcladmin_password -b "orclresourcename=orasso, 
   orclreferencename=target_db_name, cn=ias infrastructure databases, cn=ias, 
   cn=products, cn=oraclecontext" -s base "objectclass=*" orclpasswordattribute
   
   

5. Import the SSO data to the target:

   TARGET_HOME/sso/bin/ssomig -import -overwrite -s orasso -p 
   target_orasso_password -c target_db_name -log_d $TARGET_HOME/sso/log 
   -discoforce
   
   

   target_orasso_passwd is the ORASSO password obtained in the previous step.

6. Validation Step: Verify that the export and import of SSO succeeded.

   Verify that the SSO migration tool reported success. You can also check the following log files for errors:

   SOURCE_HOME/sso/log/ssomig.log
   TARGET_HOME/sso/log/ssomig.log
   

   See Also: Oracle Application Server Single Sign-On Administrator's Guide for information on interpreting messages in the log files

Task 2: Migrate the DIP Data

1. Stop the DIP server on the source:

   SOURCE_HOME/bin/oidctl server=odisrv instance=1 stop
   
   

2. Migrate the DIP data:

   SOURCE_HOME/bin/dipassistant reassociate -src_ldap_host source_host 
   -src_ldap_port source_oid_port -dst_ldap_host target_host -dst_ldap_port 
   target_oid_port -src_ldap_passwd source_orcladmin_passwd -dst_ldap_passwd 
   target_orcladmin_passwd
   
   

   This command prints log messages to:

   SOURCE_HOME/ldap/odi/log/reassociate.log
   
   

3. Register the DIP server on the target:

   TARGET_HOME/bin/odisrvreg -D "cn=orcladmin" -w target_orcladmin_password -h 
   target_host -p target_oid_port
   
   

4. Start the DIP server on the target:

   TARGET_HOME/bin/oidctl server=odisrv instance=1 flags='port=target_oid_port' 
   start
   

F.4 Migrating Oracle Internet Directory Data

This section describes how to migrate Oracle Internet Directory data from an Replica (Test) to the Master (Production). This procedure is used in conjunction with the procedure in Section 8.5, "Changing from a Test to a Production Environment".

Refer to Table F-1 to obtain the values for the various parameters used in this procedure.

1. End the Pilot Mode on the Replica.
   1. Obtain the Replica replica ID by running the following command:

      REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D 
      cn=orcladmin -w replica_orcladmin_passwd -b "" -s base "objectclass=*" 
      orclreplicaid
      
      

      The replica ID will look something like "myhost_asdb".

   2. On the Replica host, create a file named mod.ldif that contains the following lines:

      dn:orclreplicaid=replica_replicaid,cn=replication configuration
      changetype:modify
      replace:orclpilotmode
      orclpilotmode:0
      
      

      Where replica_replicaid is the Replica replica ID obtained in the previous step.

   3. Run the following command:

      REPLICA_HOME/bin/ldapmodify -p replica_oid_port -D cn=orcladmin -w 
      replica_orcladmin_passwd -v -f mod.ldif
      
      

   4. Restart OID:

      REPLICA_HOME/opmn/bin/opmnctl stopproc ias-component=OID
      REPLICA_HOME/opmn/bin/opmnctl startproc ias-component=OID
      
      

2. (Optional) Clean up entries in the Replica OID.

   You can clean up (delete) the data that is modified or added on the Test (Replica) OID so that it is not migrated to the Production (Master) OID. This might be a requirement of a middle-tier component or might be desired by the administrator who maintains OID consistency in the Production OID.

   To clean up the data, use the ldapdelete command-line utility and delete entries that should not be migrated.

   See Also: Oracle Internet Directory Administrator's Guide for more information on the ldapdelete command

3. Quiesce the Distributed Directory Environment.

   It is very important to quiesce the Distributed Directory environment while the data migration from the Replica (Test) to the Master (Production) takes place. This ensures that there are no conflicting updates, and therefore no data loss or corruption.

   However, if you feel the data operated on by middle-tier components is isolated and cannot be modified by any processes in the Master (Production) environment, then it is safe to skip this step and proceed to the next step.

   To quiesce the Distributed Directory Environment:

   1. Make sure all the Replica and Master are up and running.

   2. Change the ldapserver on the Replica (Test) to read-only mode.

      On the Replica host, create a file named mod.ldif that contains the following lines:

      dn:
      changetype:modify
      replace:orclservermode
      orclservermode:r
      
      

      Run the following command:

      REPLICA_HOME/bin/ldapmodify -p replica_oid_port -D cn=orcladmin -w 
      replica_orcladmin_passwd -v -f mod.ldif
      
      

   3. Wait until all the pending changes are applied to both nodes and the nodes are completely in sync. There is no tool to automatically detect this, but you can monitor the replication log files and make sure there are no new changes being processed by any node in the Directory Replication Group (DRG), which ensures that the DRG is in a quiesced state.

4. Make a Backup of the Middle-Tier Data in the Replica (Test)

   Once middle-tier component testing is complete, you must identify the Database Access Descriptor (DAD) that has been modified or added locally at the Replica (Test) directory and move this data to the Master (Production) directory. This step describes how to back up the data from the Replica into a flat file.

   1. Catalog the modifytimestamp and modifiersname attributes:

      REPLICA_HOME/ldap/bin/catalog.sh -connect replica_db_name -add -attr 
      modifytimestamp
      
      REPLICA_HOME/ldap/bin/catalog.sh -connect replica_db_name -add -attr 
      modifiersname
      
      

      Enter "ODS" when the script requests the OID Database user name.

   2. Restart OID:

      REPLICA_HOME/opmn/bin/opmnctl stopproc ias-component=OID
      REPLICA_HOME/opmn/bin/opmnctl startproc ias-component=OID
      
      

   3. Retrieve the Pilot Start Time:

      REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D 
      cn=orcladmin -w replica_orcladmin_passwd -b 
      "orclreplicaid=replica_replicaid,cn=replication configuration" -s base 
      "objectclass=*" pilotstarttime
      
      

      Where replica_replicaid is the Replica replica ID you obtained earlier in the procedure.

      This command returns something like:

      orclreplicaid=myhost_asdb,cn=replication configuration
      pilotstarttime=20031119120647z
      
      

   4. Perform the following search against the Replica to back up the data (this step creates a file called migrate.ldif). Note that the following command should be typed all on one line.

      REPLICA_HOME/bin/ldapsearch -L -h replica_host -p replica_oid_port
      -D cn=orcladmin -w replica_orcladmin_passwd -b ""
      -s sub "(&(modifytimestamp >= pilot_start_time) 
      (!(modifiersname=cn=replicationdn, orclreplicaid=replica_replicaid, 
      cn=replication configuration)))" \* orclguid > migrate.ldif
      
      

      pilot_start_time is the Pilot Start Time obtained in a previous step.

      replica_replicaid is the Replica replica ID obtained at the beginning of this procedure.

5. Migrate OID Data to the Master (Production)

   Run the following command to migrate data to the Master. Make sure you use the -r flag. Specify the migrate.ldif file created in the previous step.

   MASTER_HOME/bin/ldapaddmt -h master_host -p master_oid_port -D 
   "cn=orcladmin" -w master_orcladmin_passwd -r -f migrate.ldif
   
   

6. Validation Step: Verify that the migration of OID data succeeded.

   Verify that ldapaddmt reported success. You can check the add.log file for errors, which is created in the directory from which you ran the ldapaddmt command.

   If the command succeeded, add.log will be empty. If add.log contains errors, preserve it by renaming it.

   See Also: Oracle Internet Directory Administrator's Guide for information on interpreting messages in log files

   If necessary, repeat steps 4, 5, and 6.

7. Migrate SSO and DIP data from the Replica (Test) to the Master (Production).

   See Also: Section F.3, "Migrating SSO and DIP Data"

8. (Optional) Post-Migration Cleanup Tasks

   Some middle-tier components might have special cleanup requirements after you have changed to the Master (Production). You can perform these cleanup tasks on the Replica (Test) after the middle-tier instances have been changed to the Production Node.