Oracle® Application Server Enterprise Deployment Guide
10g (10.1.4.0.1)

Part Number B28184-02

4 Installing and Configuring JAZN-SSO/DAS

Setting up the Load Balancing Router

Installing and Configuring Oracle Application Server Single Sign-On

Reconfiguring Oracle Application Server Single Sign-On and Oracle Delegated Administration Services with the Oracle HTTP Servers

Configuring Session State Replication for the OC4J_SECURITY Instance

Disabling the Oracle HTTP Server on the Identity Management Tier

4.1 Setting up the Load Balancing Router

Before installing the Identity Management components, you must set up the Load Balancing Router to listen for requests to login.mycompany.com on port 443 (https), and balance the requests to the Oracle HTTP Servers' listening port 7777 (http). The Load Balancing Router should perform the protocol conversion, and must be configured for persistent HTTP sessions.

4.2 Installing and Configuring Oracle Application Server Single Sign-On

After the Data Tier is complete, follow these steps to install the Identity Management components and configure OracleAS Single Sign-On on IDMHOST1 and IDMHOST2.

4.2.1 Installing the First Identity Management Configuration

Follow these steps to install Identity Management on IDMHOST1:

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Application Server Quick Installation Guide in the Oracle Application Server platform documentation library for the platform and version you are using.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to the Oracle home directory.

  3. Edit the staticports.ini file and uncomment these entries:

    Oracle HTTP Server port = 7777
    Oracle HTTP Server Listen port = 7777
    Application Server Control port = 1810

    Note:

    See Section A.3, "Using the Static Ports Feature with Oracle Universal Installer" on page A-2 for more information.

  4. Start the Oracle Universal Installer as follows:

    On UNIX, issue this command: runInstaller

    On Windows, double-click setup.exe

    The Welcome screen appears.

  5. Click Next.

    On UNIX systems, the Specify Inventory Directory and Credentials screen appears.

  6. Specify the directory you want to be the oraInventory directory and the operating system group that has permission to write to it.

  7. Click Next.

    On UNIX systems, a dialog appears, prompting you to run the oraInstRoot.sh script.

  8. Open a window and run the script, following the prompts in the window.

  9. Return to the Oracle Universal Installer screen and click Next.

    The Specify File Locations screen appears with default locations for:

    • The product files for the installation (Source)

    • The name and path to an Oracle home (Destination)

      Note:

      Ensure that the Oracle home directory path for IDMHOST1 is the same as the path to the Oracle home location of IDMHOST2. For example, if the path to the Oracle home on IDMHOST1 is:

      /u01/app/oracle/product/AS10gSSO

      then the path to the Oracle home on IDMHOST2 must be:

      /u01/app/oracle/product/AS10gSSO

  10. Specify the Destination Name and Path, if different from the default, and click Next.

    The Select a Product to Install screen appears.

    Figure 4-1 Oracle Universal Installer Select a Product to Install Screen

  11. Select OracleAS Infrastructure 10g, as shown in Figure 4-1, and click Next.

    The Select Installation Type screen appears.

    Figure 4-2 Oracle Universal Installer Select Installation Type Screen

  12. Select Identity Management, as shown in Figure 4-2, and click Next.

    The Confirm Pre-Installation Requirements screen appears.

  13. Ensure that the requirements are met and click Next.

    The Select Configuration Options screen appears.

    Figure 4-3 Oracle Universal Installer Select Configuration Options Screen

  14. Select OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability and Replication, as shown in Figure 4-3.

    The Specify Port Configuration Options screen appears.

  15. Select Manual, specify the location of the staticports.ini file, and click Next.

    The Select High Availability Option screen appears.

    Figure 4-4 Oracle Universal Installer Select High Availability Option Screen

  16. Select OracleAS Cluster (Identity Management), as shown in Figure 4-4, and click Next.

    The Create or Join an OracleAS Cluster (Identity Management) screen appears.

    Figure 4-5 Oracle Universal Installer Create or Join an OracleAS Cluster (Identity Management) Screen

  17. Select Create a New OracleAS Cluster, as shown in Figure 4-5, and click Next.

    The Specify New OracleAS Cluster Name screen appears.

    Figure 4-6 Oracle Universal Installer Specify New OracleAS Cluster Name Screen

  18. Complete the New OracleAS Cluster Name field with a name for the cluster, as shown in Figure 4-6, and click Next.

    Note:

    Write down the cluster name. You will need to provide it in subsequent installations of instances that will join the cluster.

    The Specify LDAP Virtual Host and Ports screen appears.

    Figure 4-7 Oracle Universal Installer Specify LDAP Virtual Host and Ports Screen

  19. Enter the name of the Load Balancing Router, the SSL port, and the non-SSL port, as shown in Figure 4-7.

  20. Click Next.

    The Specify OID Login screen appears.

  21. Complete the fields and click Next.

    The Specify HTTP Load Balancer and Listen Ports screen appears.

    Figure 4-8 Oracle Universal Installer Specify HTTP Load Balancer Host and Listen Ports Screen

  22. Enter the listen port of the HTTP Server and the host name and port of the HTTP Load Balancer, enabling the SSL option for the load balancer, as shown in Figure 4-8.

  23. Click Next.

    The Specify Instance Name and ias_admin Password screen appears.

  24. Specify the instance name and password and click Next.

    The Summary screen appears.

  25. Review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

    The Install screen appears with a progress bar. On UNIX systems, a dialog opens prompting you to run the root.sh script.

  26. Open a window and run the script.

    The Configuration Assistants screen appears. Multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the End of Installation screen appears.

  27. Click Exit, and then confirm your choice to exit.

4.2.2 Testing the Identity Management Components With Oracle Internet Directory

Follow these steps to test the first Identity Management installation with the Oracle Internet Directory:

  1. Stop all components on OIDHOST1, using this command:

    ORACLE_HOME/opmn/bin/opmnctl stopall

  2. Ensure that all components on OIDHOST2 are running:

    ORACLE_HOME/opmn/bin/opmnctl status

  3. Access the following URL:

    https://IDMHOST1.mycompany.com/pls/orasso

4.2.3 Installing the Second Identity Management Configuration

Follow these steps to install Identity Management on IDMHOST2:

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Application Server Quick Installation Guide in the Oracle Application Server platform documentation library for the platform and version you are using.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to the Oracle home directory.

  3. Edit the staticports.ini file and uncomment these entries:

    Oracle HTTP Server port = 7777
    Oracle HTTP Server Listen port = 7777
    Application Server Control port = 1810

    Note:

    See Section A.3, "Using the Static Ports Feature with Oracle Universal Installer" on page A-2 for more information.

  4. Start the Oracle Universal Installer as follows:

    On UNIX, issue this command: runInstaller

    On Windows, double-click setup.exe

    The Welcome screen appears.

  5. Click Next.

    On UNIX systems, the Specify Inventory Directory and Credentials screen appears.

  6. Specify the directory you want to be the oraInventory directory and the operating system group that has permission to write to it.

  7. Click Next.

    On UNIX systems, a dialog appears, prompting you to run the oraInstRoot.sh script.

  8. Open a window and run the script, following the prompts in the window.

  9. Return to the Oracle Universal Installer screen and click Next.

    The Specify File Locations screen appears with default locations for:

    • The product files for the installation (Source)

    • The name and path to an Oracle home (Destination)

      Note:

      Ensure that the Oracle home directory path for IDMHOST1 is the same as the path to the Oracle home location of IDMHOST2. For example, if the path to the Oracle home on IDMHOST1 is:

      /u01/app/oracle/product/AS10gSSO

      then the path to the Oracle home on IDMHOST2 must be:

      /u01/app/oracle/product/AS10gSSO

  10. Specify the Destination Name and Path, if different from the default, and click Next.

    The Select a Product to Install screen appears.

    Figure 4-9 Oracle Universal Installer Select a Product to Install Screen

  11. Select OracleAS Infrastructure 10g, as shown in Figure 4-9, and click Next.

    The Select Installation Type screen appears.

    Figure 4-10 Oracle Universal Installer Select Installation Type Screen

  12. Select Identity Management, as shown in Figure 4-10, and click Next.

    The Confirm Pre-Installation Requirements screen appears.

  13. Ensure that the requirements are met and click Next.

    The Select Configuration Options screen appears.

    Figure 4-11 Oracle Universal Installer Select Configuration Options Screen

  14. Select OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability and Replication, as shown in Figure 4-11.

  15. Click Next.

    The Select High Availability Option screen appears.

    Figure 4-12 Oracle Universal Installer Select High Availability Option Screen

  16. Select OracleAS Cluster (Identity Management), as shown in Figure 4-12, and click Next.

    The Create or Join an OracleAS Cluster (Identity Management) screen appears.

    Figure 4-13 Oracle Universal Installer Create or Join an OracleAS Cluster (Identity Management) Screen

  17. Select Join an Existing OracleAS Cluster, as shown in Figure 4-13, and click Next.

    The Specify Existing OracleAS Cluster Name screen appears.

    Figure 4-14 Oracle Universal Installer Specify Existing OracleAS Cluster Name Screen

  18. Complete the Existing OracleAS Cluster Name field with the name you provided for the cluster when installing the first instance, as shown in Figure 4-14, and click Next.

    The Specify LDAP Virtual Host and Ports screen appears.

    Figure 4-15 Oracle Universal Installer Specify LDAP Virtual Host and Ports Screen

  19. Enter the name of the Load Balancing Router, the SSL port, and the non-SSL port, as shown in Figure 4-15.

  20. Click Next.

    The Specify OID Login screen appears.

  21. Complete the fields and click Next.

    The Specify HTTP Load Balancer and Listen Ports screen appears.

    Figure 4-16 Oracle Universal Installer Specify HTTP Load Balancer Host and Listen Ports Screen

  22. Enter the listen port of the HTTP Server and the host name and port of the HTTP Load Balancer, enabling the SSL option for the load balancer, as shown in Figure 4-16.

  23. Click Next.

    The Specify Instance Name and ias_admin Password screen appears.

  24. Specify the instance name and password and click Next.

    The Summary screen appears.

  25. Review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

    The Install screen appears with a progress bar. On UNIX systems, a dialog opens prompting you to run the root.sh script.

  26. Open a window and run the script.

    The Configuration Assistants screen appears. Multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the End of Installation screen appears.

  27. Click Exit, and then confirm your choice to exit.

4.3 Reconfiguring Oracle Application Server Single Sign-On and Oracle Delegated Administration Services with the Oracle HTTP Servers

Follow the steps in this section to reconfigure OracleAS Single Sign-On and Oracle Delegated Administration Services.

  1. Ensure that:

    • The Oracle Identity Management instance is started (status is Up).

    • You have the Oracle Internet Directory host and port numbers.

    • You have the password for cn=orcladmin, or another user who is a member of the iASAdmins group

  2. Issue the command ssocfg.sh (UNIX) or (Windows) in IDMHOST1_ORACLE_HOME/sso/bin and IDMHOST2_ORACLE_HOME/sso/bin:

    ssocfg.sh https login.mycompany.com 443

    In the preceding command, login.mycompany.com is the VIP hostname for the Load Balancing Router.

  3. On IDMHOST1 and IDMHOST2, set the environment variables ORACLE_HOME and ORACLE_SID.

  4. Issue the command ssoreg.sh (UNIX), or ssoreg.bat (Windows) in IDMHOST1_ORACLE_HOME/sso/bin:

    ssoreg.sh -oracle_home_path $ORACLE_HOME \
      -config_mod_osso TRUE \
      -site_name login.mycompany.com:443 \
      -remote_midtier \
      -config_file $ORACLE_HOME/Apache/Apache/conf/osso/myosso.conf \
      -mod_osso_url https://myapp.mycompany.com:443

    In the example, myosso.conf is the name of the resulting obfuscated osso configuration file.

  5. Copy the myosso.conf file to WEBHOST1_ORACLE_HOME/Apache/Apache/conf/osso and WEBHOST2_ORACLE_HOME/Apache/Apache/conf/osso.

  6. Configure mod_osso by following the instructions for the Oracle HTTP Server version in use:

    Release 3 (10.1.3):

    1. Issue this command on WEBHOST1 and WEBHOST2:

      (UNIX) ORACLE_HOME/Apache/Apache/bin/osso1013 config_file

      (Windows) perl ORACLE_HOME/Apache/Apache/bin/osso1013 config_file

    Release 2 (10.1.2):

    1. Copy the obfuscated osso configuration file created in Step 4 to the ORACLE_HOME/Apache/Apache/conf/osso directory on WEBHOST1 and WEBHOST2.

    2. Modify the ORACLE_HOME/Apache/Apache/conf/httpd.conf file by uncommenting the Include mod_osso.conf directive.

    3. Modify the ORACLE_HOME/Apache/Apache/conf/mod_osso.conf file to add this directive:

      OssoConfigFile $ORACLE_HOME/Apache/Apache/conf/osso/osso.conf

  7. Copy the IDMHOST1_ORACLE_HOME/sso/conf/sso_apache.conf file to WEBHOST1.

  8. Modify the WEBHOST1_ORACLE_HOME/Apache/Apache/conf/httpd.conf file to add this directive:

    Include sso_apache.conf
    
    
  9. Modify the sso_apache.conf file on WEBHOST1 to enable the SSL section and comment out the rewrite section (only the section shown in the example is enabled).

    <IfDefine SSL>
       Oc4jExtractSSL on
       <Location /sso>
           SSLOptions +ExportCertData +StdEnvVars
       </Location>
    </IfDefine>
    
    
  10. Copy the sso_apache.conf file from WEBHOST1 to WEBHOST2.

  11. Modify the WEBHOST2_ORACLE_HOME/Apache/Apache/conf/httpd.conf file to add this directive:

    Include sso_apache.conf
    
    
  12. Use these commands to identify the AJP port on IDMHOST1 and IDMHOST2:

    IDMHOST1_ORACLE_HOME/opmn/bin/opmnctl status -l

    IDMHOST2_ORACLE_HOME/opmn/bin/opmnctl status -l

  13. Modify the WEBHOST1_ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf and WEBHOST2_ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf files by substituting the port values obtained in Step 12 for AJP port1 and AJP port2 in the Oc4jMount directives. This configuration directs OracleAS Single Sign-On and Oracle Delegated Administration Services requests to the Identity Management servers using the AJP protocol.

    <IfModule mod_oc4j.c>
    ...
    Oc4jMount /oiddas ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    Oc4jMount /oiddas/* ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    Oc4jMount /sso ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    Oc4jMount /sso/* ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    Oc4jMount /ssohelp ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    Oc4jMount /ssohelp/* ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    Oc4jMount /pls ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    Oc4jMount /pls/* ajp13://IDMHOST1:AJP port1,IDMHOST2:AJP port2
    ...
    </IfModule>
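    Step 12 reads the AJP ports from opmnctl status -l and step 13 copies them into the Oc4jMount lines by hand. The following added example (not from the guide) automates both from constructed opmnctl output and reports any mount lines still missing from an existing mod_oc4j.conf; the pipe-separated table layout of the sample output is an assumption.

```python
"""Generate and check the Oc4jMount directives from Section 4.3, steps 12-13.

Added example, not part of the Enterprise Deployment Guide. The opmnctl
output below is constructed; the column layout is assumed to match the
pipe-separated table printed by `opmnctl status -l`.
"""
import re

# Constructed sample of `opmnctl status -l` on each Identity Management host.
OPMN_STATUS = {
    "IDMHOST1": """\
Processes in Instance: idm1.idmhost1.mycompany.com
------------------+--------------------+-------+--------+-------------------------------
ias-component     | process-type       |   pid | status | ports
------------------+--------------------+-------+--------+-------------------------------
HTTP_Server       | HTTP_Server        | 12340 | Alive  | http1:7777,http2:7200
OC4J              | OC4J_SECURITY      | 12345 | Alive  | ajp:12501,rmi:12401,jms:12601
""",
    "IDMHOST2": """\
Processes in Instance: idm2.idmhost2.mycompany.com
------------------+--------------------+-------+--------+-------------------------------
ias-component     | process-type       |   pid | status | ports
------------------+--------------------+-------+--------+-------------------------------
HTTP_Server       | HTTP_Server        | 22340 | Alive  | http1:7777,http2:7200
OC4J              | OC4J_SECURITY      | 22345 | Alive  | ajp:12502,rmi:12402,jms:12602
""",
}

# The URI prefixes the guide mounts for SSO and DAS (step 13).
MOUNT_PATHS = ("/oiddas", "/sso", "/ssohelp", "/pls")
AJP_RE = re.compile(r"\bajp:(\d+)")


def ajp_port(status_text, process_type="OC4J_SECURITY"):
    """Return the AJP port of a running process-type from opmnctl status -l text."""
    for line in status_text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 5 or cells[1] != process_type:
            continue
        if cells[3] != "Alive":  # a Down/Init instance has no usable AJP listener
            raise RuntimeError(f"{process_type} is {cells[3]}, not Alive")
        match = AJP_RE.search(cells[4])
        if not match:
            raise RuntimeError(f"no ajp port listed for {process_type}: {cells[4]}")
        return int(match.group(1))
    raise RuntimeError(f"{process_type} not found in opmnctl output")


def render_oc4j_mounts(ports):
    """Render the Oc4jMount lines for {host: ajp_port}, hosts in dict order."""
    targets = ",".join(f"{host}:{port}" for host, port in ports.items())
    lines = []
    for path in MOUNT_PATHS:
        lines.append(f"Oc4jMount {path} ajp13://{targets}")
        lines.append(f"Oc4jMount {path}/* ajp13://{targets}")
    return "\n".join(lines)


def build_mounts(status_by_host):
    """Parse each host's opmnctl output and render the complete mount block."""
    return render_oc4j_mounts({h: ajp_port(t) for h, t in status_by_host.items()})


def missing_mounts(mod_oc4j_conf, expected):
    """Return expected Oc4jMount lines that an existing mod_oc4j.conf lacks."""
    present = {" ".join(l.split()) for l in mod_oc4j_conf.splitlines()}
    return [l for l in expected.splitlines() if " ".join(l.split()) not in present]


if __name__ == "__main__":
    print(build_mounts(OPMN_STATUS))
```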
    
    
  14. Configure Oracle Delegated Administration Services by adding the following to WEBHOST1_ORACLE_HOME/Apache/Apache/conf/mod_osso.conf:

    <IfModule mod_osso.c>
    # for oiddas protected region
      <Location /oiddas/ui/oracle/ldap/das>
       require valid-user
       AuthType Basic
      </Location>
    </IfModule>
    <IfModule mod_alias.c>
    # Define the alias which maps the "/uixi/" URI to
    # the current version of the UIX installables
      Alias /uixi/ "ORACLE_HOME/uix/cabo/"
    # Turn on browser caching for the UIX installables
      <Location /uixi>
    # Use mod_headers to set the cache-control header
       Header set cache-control "Public"
    # Use mod_expires to set the expires header to some
    # date in the distant future
        ExpiresActive on
        ExpiresDefault "access plus 364 days"
      </Location>
    </IfModule>
    
    
  15. Copy WEBHOST1_ORACLE_HOME/Apache/Apache/conf/mod_osso.conf to WEBHOST2_ORACLE_HOME/Apache/Apache/conf/, changing the ORACLE_HOME value in Alias /uixi/ "ORACLE_HOME/uix/cabo/" to specify WEBHOST2_ORACLE_HOME.

  16. Configure the Oracle HTTP Server with the Load Balancing Router by adding the following to WEBHOST1_ORACLE_HOME/Apache/Apache/conf/httpd.conf:

    1. Add the LoadModule certheaders_module directive for the appropriate platform.

      UNIX, Apache 1.3:

      LoadModule certheaders_module libexec/mod_certheaders.so

      UNIX, Apache 2.0 (use this directive if you plan to use Apache 2.0 on UNIX):

      LoadModule certheaders_module modules/mod_certheaders.so

      Windows:

      LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll

    2. Add the following lines to create a NameVirtualHost directive and a VirtualHost container for myapp.mycompany.com and port 443.

      Apache 1.3:

      NameVirtualHost *:7777
      <VirtualHost *:7777>
        ServerName myapp.mycompany.com
        Port 443
        ServerAdmin you@your.address
        RewriteEngine On
        RewriteOptions inherit
        SimulateHttps On
      </VirtualHost>

      Apache 2.0:

      NameVirtualHost *:7777
      <VirtualHost *:7777>
        ServerName myapp.mycompany.com:443
        ServerAdmin you@your.address
        RewriteEngine On
        RewriteOptions inherit
        SimulateHttps On
      </VirtualHost>

      Notes:

      The LoadModule directives (in particular, the LoadModule rewrite_module directive) must appear in the httpd.conf file at a location preceding the VirtualHost directives. The server must load all modules before it can execute the directives in the VirtualHost container.

      It is a good idea to create the VirtualHost directives at the end of the httpd.conf file.
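    The Notes above state the ordering rule (every LoadModule before the VirtualHost container). As an added example that is not part of the guide, the check below reads a constructed httpd.conf excerpt and reports whether the step 16 edits are present and correctly ordered; the excerpt and the list of required directives are assumptions drawn only from this step.

```python
"""Check the httpd.conf edits from Section 4.3, step 16.

Added example, not part of the Enterprise Deployment Guide. HTTPD_CONF
is a constructed excerpt; the checks encode only what the step and its
Notes require (module load order, the sso_apache.conf include, and the
SimulateHttps VirtualHost for the load balancer).
"""

HTTPD_CONF = """\
# constructed excerpt of WEBHOST1_ORACLE_HOME/Apache/Apache/conf/httpd.conf
LoadModule rewrite_module     libexec/mod_rewrite.so
LoadModule certheaders_module libexec/mod_certheaders.so
Include sso_apache.conf
NameVirtualHost *:7777
<VirtualHost *:7777>
  ServerName myapp.mycompany.com
  Port 443
  ServerAdmin you@your.address
  RewriteEngine On
  RewriteOptions inherit
  SimulateHttps On
</VirtualHost>
"""

REQUIRED_MODULES = ("rewrite_module", "certheaders_module")
REQUIRED_IN_VHOST = {"RewriteEngine": "On", "SimulateHttps": "On"}


def check_httpd_conf(text):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    loaded, includes = set(), set()
    vhost_line, in_vhost, vhost = None, False, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, args = line.partition(" ")
        args = args.strip()
        if name == "LoadModule":
            module = args.split()[0]
            loaded.add(module)
            if vhost_line is not None:  # the Notes forbid this ordering
                problems.append(f"line {n}: LoadModule {module} appears after the "
                                f"VirtualHost container opened on line {vhost_line}")
        elif name == "Include":
            includes.add(args)
        elif name.lower() == "<virtualhost":
            vhost_line, in_vhost = n, True
        elif name.lower() == "</virtualhost>":
            in_vhost = False
        elif in_vhost:
            vhost[name] = args
    for module in REQUIRED_MODULES:
        if module not in loaded:
            problems.append(f"missing LoadModule {module}")
    if "sso_apache.conf" not in includes:
        problems.append("missing Include sso_apache.conf")
    if vhost_line is None:
        problems.append("no VirtualHost container for myapp.mycompany.com")
    else:
        if not vhost.get("ServerName", "").startswith("myapp.mycompany.com"):
            problems.append("VirtualHost ServerName is not myapp.mycompany.com")
        for key, want in REQUIRED_IN_VHOST.items():
            if vhost.get(key) != want:
                problems.append(f"VirtualHost lacks '{key} {want}'")
    return problems


if __name__ == "__main__":
    for problem in check_httpd_conf(HTTPD_CONF) or ["httpd.conf passes"]:
        print(problem)
```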

  17. Copy WEBHOST1_ORACLE_HOME/Apache/Apache/conf/httpd.conf to WEBHOST2_ORACLE_HOME/Apache/Apache/conf/.

  18. Restart the Oracle HTTP Server.

4.4 Testing the Identity Management Tier Components

After both Identity Management configurations are complete, test the configurations as follows:

  1. Stop all components on APPHOST1, using this command:

    ORACLE_HOME/opmn/bin/opmnctl stopall

  2. Ensure that all components on APPHOST2 are running, using this command:

    ORACLE_HOME/opmn/bin/opmnctl status

  3. Access the following URLs from two browsers:

    https://login.mycompany.com/pls/orasso

    https://login.mycompany.com/oiddas

  4. Start all components from APPHOST1, using this command:

    ORACLE_HOME/opmn/bin/opmnctl startall

  5. Stop all components on APPHOST2, using this command:

    ORACLE_HOME/opmn/bin/opmnctl stopall

  6. Ensure that the login session is still valid for the orasso and oiddas logins.

4.5 Configuring Session State Replication for the OC4J_SECURITY Instance

  1. Access the Application Server Control Console at:

    http://s.us.oracle.com:8888/em

    A login dialog opens.

  2. Provide the user name and password that was set during installation and click Login.

    The Farm page appears.

  3. Select the application server instance.

    A login dialog opens.

  4. Provide the user name and password that was set during installation and click OK.

  5. Select the OC4J_SECURITY OC4J instance.

    The OC4J_SECURITY page appears.

  6. Click Administration.

  7. Click Replication Properties.

  8. Check the Replicate session state box and enter values for Multicast Host and Multicast Port.

  9. Click Apply.

  10. Restart the OC4J_SECURITY instance.

4.6 Disabling the Oracle HTTP Server on the Identity Management Tier

Follow these instructions on IDMHOST1 and IDMHOST2 to disable the Oracle HTTP Server on the Identity Management tier.

  1. Edit the ORACLE_HOME/opmn/bin/opmn.xml file to change the Oracle HTTP Server status to disabled (status="disabled" in the ias-component element), as shown here:

    <ias-component id="HTTP_Server" status="disabled">
      <process-type id="HTTP_Server" module-id="OHS">
        <module-data>
        ...
    </ias-component>

  2. Issue this command in ORACLE_HOME/opmn/bin:

    opmnctl stopall

  3. Issue this command in ORACLE_HOME/opmn/bin:

    opmnctl startall