Oracle® Application Server High Availability Guide
10g (10.1.4.0.1)

Part Number B28186-01

6 High Availability for Oracle Identity Federation

This chapter describes how to run Oracle Identity Federation in an OracleAS Cold Failover Cluster (or active-passive) topology. Running Oracle Identity Federation in an active-active configuration is not supported.

This chapter contains the following sections:

6.1 OracleAS Cold Failover Cluster Topology for Oracle Identity Federation

Figure 6-1 shows a diagram of Oracle Identity Federation in an OracleAS Cold Failover Cluster topology. Oracle Identity Federation runs within the OC4J_FED instance.

The OracleAS Cold Failover Cluster topology for Oracle Identity Federation is similar to other OracleAS Cold Failover Cluster topologies for Oracle Application Server:

Figure 6-1 Oracle Identity Federation in OracleAS Cold Failover Cluster Topology


6.1.1 Installing Oracle Identity Federation in an OracleAS Cold Failover Cluster Topology on Linux

To install and configure Oracle Identity Federation in an OracleAS Cold Failover Cluster topology on Linux, perform the following steps:


Note:

These steps are similar to those for installing an OracleAS Cold Failover Cluster (Identity Management) topology. The only difference is that you install Oracle Identity Federation in step 2 below instead of Oracle Identity Management.

The procedure below provides only high-level steps. For detailed steps, see the referenced section in the Oracle Application Server Installation Guide for Linux.


  1. Perform pre-installation tasks:

    • Map the virtual hostname and IP address. [See Oracle Application Server Installation Guide for Linux, section 9.2.1, "Map the Virtual Hostname and Virtual IP Address".]

    • Set up a file system on the shared storage that can be mounted from either node. [See Oracle Application Server Installation Guide for Linux, section 9.2.2, "Set Up a File System That Can Be Mounted from Both Nodes".]

    • If you are planning to use the Automatic Storage Management feature in the Oracle database, see Oracle Application Server Installation Guide for Linux, section 9.2.3, "Review recommendations for Automatic Storage Management".

    • Check that the clusterware is running. [See Oracle Application Server Installation Guide for Linux, section 9.2.4, "Check That Clusterware Is Running".]

  2. Install Oracle Identity Federation on the shared storage. See the "Installing Oracle Identity Federation" chapter in the Oracle Identity Federation Administrator's Guide.


    Installation Notes:

    To run Oracle Identity Federation in an OracleAS Cold Failover Cluster topology, you need to select the Advanced option in the installer. This enables you to:

 

6.1.2 Installing Oracle Identity Federation in an OracleAS Cold Failover Cluster Topology on Windows

On Windows, the installation procedure involves more steps because you have to install Oracle Fail Safe on both nodes in the hardware cluster, and you also have to make sure that the Windows registry on both nodes is set up correctly for Oracle Fail Safe and Oracle Application Server.

On Windows, you need to install and run Oracle Fail Safe on the nodes in the hardware cluster. These nodes must already be running Microsoft Cluster Server. Oracle Fail Safe and Microsoft Cluster Server act as the clusterware for the hardware cluster. They monitor the hardware as well as the software running on the nodes.

To install and configure Oracle Identity Federation in an OracleAS Cold Failover Cluster topology on Windows, perform the following steps:


Note:

These steps are similar to those for installing an OracleAS Cold Failover Cluster (Identity Management) topology. The only difference is that you install Oracle Identity Federation in step 5 below instead of Oracle Identity Management.

The procedure below provides only high-level steps. For detailed steps, see the referenced section in the Oracle Application Server Installation Guide for Windows.


  1. Perform pre-installation tasks:

    • Ensure that the Event Log Service is running. [See Oracle Application Server Installation Guide for Windows, section 9.2.1, "Ensure that the Event Log Service Is Running".]

    • Determine the virtual address for the hardware cluster. [See Oracle Application Server Installation Guide for Windows, section 9.2.2, "Get a Virtual Address for the Cluster".]

    • Verify that Microsoft Cluster Server (MSCS) is installed on both nodes in the hardware cluster. [See Oracle Application Server Installation Guide for Windows, section 9.2.3, "Verify that Microsoft Cluster Server (MSCS) Is Installed on Both Nodes".]

    • Determine the name of the cluster. [See Oracle Application Server Installation Guide for Windows, section 9.2.4, "Determine the Name of the Cluster".]

    • Determine the domain user to administer Oracle Fail Safe. [See Oracle Application Server Installation Guide for Windows, section 9.2.5, "Determine a Domain User to Administer Oracle Fail Safe".]

  2. Install Oracle Fail Safe on the local storage of each node in the hardware cluster. [See Oracle Application Server Installation Guide for Windows, section 9.2.6, "Install Oracle Fail Safe on the Local Storage of Each Node".]

  3. Create a group in Oracle Fail Safe, and add these resources to the group: [See Oracle Application Server Installation Guide for Windows, section 9.2.7, "Create a Group in Oracle Fail Safe".]

    • Virtual IP address

    • Virtual hostname

    • Shared disk. You will add this using the Cluster Administrator tool in the next step.

  4. Use the Cluster Administrator tool to add the shared disk to the group you created in Oracle Fail Safe. [See Oracle Application Server Installation Guide for Windows, section 9.2.7, "Create a Group in Oracle Fail Safe".]

  5. From node 1, install Oracle Identity Federation on the shared disk in the hardware cluster. See the "Installing Oracle Identity Federation" chapter in the Oracle Identity Federation Administrator's Guide.


    Installation Notes:

    To run Oracle Identity Federation in an OracleAS Cold Failover Cluster topology, you need to select the Advanced option in the installer. This enables you to:

  6. On node 1, stop all processes and services running out of the Oracle Identity Federation Oracle home. Also, configure the services' startup type to Manual. [See Oracle Application Server Installation Guide for Windows, step 4, "Stop the Oracle Application Server Services on Node 1, and Set Their Startup Type to Manual", in section 9.5.2, "OracleAS Cold Failover Cluster (Identity Management): Details of Installation Steps".]

  7. Configure node 2 in the hardware cluster. This is to ensure that it is configured similarly for Oracle Identity Federation. [See Oracle Application Server Installation Guide for Windows, step 5, "Configure Node 2", in section 9.5.2, "OracleAS Cold Failover Cluster (Identity Management): Details of Installation Steps".]

    If the nodes in the hardware cluster are symmetrical, you can run some scripts to configure node 2 so that the registry settings, service settings, and Oracle inventory settings are identical on both nodes.

    If the nodes in the hardware cluster are asymmetrical, you need to install Oracle Identity Federation again, but this time from node 2. The installer then configures the registry on node 2. Before you perform the installation from node 2, you need to delete the first installation from the shared disk because you will be installing it again from the other node.

  8. Restart node 2. [See Oracle Application Server Installation Guide for Windows, step 6, "Restart Node 2", in section 9.5.2, "OracleAS Cold Failover Cluster (Identity Management): Details of Installation Steps".]

  9. Move the group that you created in Oracle Fail Safe to node 2. [See Oracle Application Server Installation Guide for Windows, step 7, "Move the Group to Node 2", in section 9.5.2, "OracleAS Cold Failover Cluster (Identity Management): Details of Installation Steps".]

  10. Start up the Oracle Identity Federation processes and services on node 2.

    You can run opmnctl to do this:

    > opmnctl startall
    
    

    This step is equivalent to Oracle Application Server Installation Guide for Windows: step 8, "Start up OracleAS Infrastructure Services on Node 2", in section 9.5.2, "OracleAS Cold Failover Cluster (Identity Management): Details of Installation Steps".

  11. Verify the installation by accessing the Application Server Control Console and the Oracle Identity Federation Administration Control pages in a browser. In the URL for these pages, you use the virtual hostname, not the physical hostname. For example:

    • The URL for Application Server Control Console might look like http://fed.mydomain.com:18103, assuming "fed.mydomain.com" is the virtual hostname, and 18103 is the port for Application Server Control Console.

    • The URL for Oracle Identity Federation Administration Console might look like http://fed.mydomain.com:7779/fedadmin, assuming "fed.mydomain.com" is the virtual hostname, and 7779 is the port for Oracle HTTP Server.

    This step is equivalent to Oracle Application Server Installation Guide for Windows, step 9, "Verify Installation", in section 9.5.2, "OracleAS Cold Failover Cluster (Identity Management): Details of Installation Steps".

  12. Add OPMN and Application Server Control Console to the list of processes that are to be monitored by Oracle Fail Safe, and also make the shared disk a dependency for OPMN. See the following sections in the Oracle Application Server Installation Guide for Windows for step details.

    Section 9.10.4, "Make OPMN Highly Available"

    Section 9.10.5, "Add the Shared Disk as a Dependency for OPMN"

    Section 9.10.6, "Make Application Server Control Console Highly Available"

 

6.1.3 Configuring Data Store for Oracle Identity Federation

To run Oracle Identity Federation in an OracleAS Cold Failover Cluster topology:

  • You need to configure Oracle Identity Federation to store federation data in an LDAP server (such as Oracle Internet Directory) or in a database (such as Oracle Database), instead of storing the data in memory.

  • You also need to configure Oracle Identity Federation to store transient data in a database, instead of storing the data in memory.

If you choose to store the federation and transient data in memory, the data is lost if a node in the OracleAS Cold Failover Cluster topology goes down.

To configure Oracle Identity Federation to store the data in an LDAP server and Oracle database, select the Advanced option during installation, and then select the "Federation Data in LDAP Server" and "Federation Transient Data in Database" options. The installer displays screens in which you enter connect information for an LDAP server and Oracle database.

To ensure that the entire system is highly available, you should ensure that the backend servers (that is, the LDAP server and the database) used by Oracle Identity Federation are also highly available. For example, the database can be an Oracle Real Application Clusters (Oracle RAC) database.

6.1.4 Configuring Virtual Addressing

To run Oracle Identity Federation in an OracleAS Cold Failover Cluster topology, you need to configure Oracle Identity Federation with a virtual hostname. The virtual hostname (as opposed to a physical hostname) enables Oracle Identity Federation to run on either node in the hardware cluster.

You can configure the virtual hostname during installation by selecting the Advanced option, and selecting the Virtual Addressing Option. You then enter the virtual hostname in the Specify Virtual Hostname screen.

6.1.5 Monitoring Processes and Failing Over

Clusterware is needed on the nodes to monitor the health of the nodes. Clusterware is usually provided by the hardware vendor. If the active node fails, clusterware helps in failing over resources (such as the shared storage and the virtual hostname and IP address) to the passive node.

On Windows, you need Oracle Fail Safe and Microsoft Cluster Server as the clusterware.

Process Monitoring in Oracle Application Server

In Oracle Application Server, Oracle Process Manager and Notification Server (OPMN) monitors the OC4J_FED instance and Oracle HTTP Server. The OC4J_FED instance is the OC4J instance that runs Oracle Identity Federation.

If the OC4J_FED instance or Oracle HTTP Server fails, OPMN tries to restart it. If the restart fails, then the clusterware (Oracle Fail Safe, if on Windows) fails over all the processes to the passive node in the hardware cluster. Clients may experience a brief disruption of service, but after the failover is complete, clients should be able to access Oracle Identity Federation as usual.

6.2 Fast Connection Failover for Oracle Identity Federation

If your Oracle Identity Federation installation uses an Oracle 10g Oracle RAC database, you can configure Oracle Identity Federation to use the fast connection failover feature. Fast connection failover provides rapid detection and cleanup of invalid cached connections, and load balancing of available connections. For more information about fast connection failover, see the "Fast Connection Failover" chapter in the Oracle Database JDBC Developer's Guide and Reference.

To use fast connection failover, you also need to enable the implicit connection cache. Implicit connection caching is described in the "Implicit Connection Caching" chapter in the Oracle Database JDBC Developer's Guide and Reference.

To enable fast connection failover in Oracle Identity Federation:

  1. Insert the following line in the <data-source> element of the ORACLE_HOME/j2ee/OC4J_FED/config/data-sources.xml file for the OC4J_FED instance (which is the OC4J instance that runs Oracle Identity Federation):

    <property name='fastConnectionFailoverEnabled' value='true'/>
    
    
  2. Update the ORACLE_HOME/opmn/conf/ons.conf file in the Oracle Identity Federation Oracle home as follows:

    1. On the localport line, set the local port for the ONS daemon. The local port is used by local clients to communicate with the ONS daemon:

      localport=ONS_LOCAL_PORT
      
      

      You can determine the port number from the ORACLE_HOME/opmn/conf/opmn.xml file.

    2. On the remoteport line, set the remote port, which is the port used by other ONS daemons to communicate with this ONS daemon:

      remoteport=ONS_REMOTE_PORT
      
      

      You can determine the port number from the ORACLE_HOME/opmn/conf/opmn.xml file.

    3. On the nodes line, set the list of nodes that are running the other ONS daemons with which this ONS daemon needs to communicate.

      The format is a comma-delimited list of RAC_NODE:ONS_REMOTE_PORT. For example:

      nodes=RAC_NODE1:RAC_NODE1_ONS_REMOTE_PORT,RAC_NODE2:RAC_NODE2_ONS_REMOTE_PORT
      
      

      You can determine the remote port used by an ONS daemon by looking in the RAC_ORACLE_HOME/opmn/conf/ons.config file.

  3. Restart Oracle Identity Federation.

    ORACLE_HOME/opmn/bin/opmnctl stopall
    ORACLE_HOME/opmn/bin/opmnctl startall
    
    
  4. Update Oracle Identity Federation ONS details in the Oracle Cluster Registry (OCR) using the racgons command.

    1. In the Oracle home for the Oracle RAC database, navigate to the bin directory.

      cd RAC_ORACLE_HOME/bin
      
      
    2. Run the following command:

      racgons add_config FedServer_Node:FedServer_Node_ONS_Remote_Port
      
      

      You can determine the ONS remote port on the Oracle Identity Federation node by looking in the ORACLE_HOME/opmn/conf/opmn.xml file, where Oracle home is the installation directory for Oracle Identity Federation.

  5. Test ONS by running the following command in the Oracle Identity Federation Oracle Home:

    ORACLE_HOME/opmn/bin/opmnctl debug
    
    

    In the output, you should see the IP addresses of the Oracle RAC database nodes under "ONS Server Connections".
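A pre-restart check for steps 1 and 2 of this procedure, as an added example that is not part of the Oracle guide: it parses ons.conf and data-sources.xml text and reports a missing or invalid port, a malformed nodes entry, or a data source where fastConnectionFailoverEnabled is not 'true'. The sample file contents, host names, port numbers and the data source name FedDS are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: host names, ports and the data source name are placeholders.
SAMPLE_ONS_CONF = """\
localport=6100
remoteport=6200
nodes=racnode1.example.com:6251,racnode2.example.com
"""
SAMPLE_DATA_SOURCES = """\
<data-sources>
  <data-source name="FedDS"><property name='fastConnectionFailoverEnabled' value='false'/></data-source>
</data-sources>
"""

def valid_port(value):
    # True only for a decimal TCP port in 1..65535.
    return bool(re.fullmatch(r"[0-9]{1,5}", value)) and 1 <= int(value) <= 65535

def check_ons_conf(text):
    """Return a list of problems found in ons.conf text (empty list means it passed)."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:  # lines without key=value are ignored
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    problems = []
    for key in ("localport", "remoteport"):
        if not valid_port(conf.get(key, "")):
            problems.append(f"{key} is missing or not a valid port")
    nodes = [n.strip() for n in conf.get("nodes", "").split(",") if n.strip()]
    if not nodes:
        problems.append("nodes line is missing or empty")
    for node in nodes:
        host, sep, port = node.rpartition(":")
        if not (sep and host and valid_port(port)):
            problems.append(f"nodes entry {node!r} is not RAC_NODE:ONS_REMOTE_PORT")
    return problems

def check_fcf(xml_text):
    """Return one problem per <data-source> that lacks the property set to 'true'."""
    problems = []
    for ds in ET.fromstring(xml_text).iter("data-source"):
        props = {p.get("name"): p.get("value") for p in ds.findall("property")}
        if (props.get("fastConnectionFailoverEnabled") or "").lower() != "true":
            problems.append(f"data-source {ds.get('name')!r}: fastConnectionFailoverEnabled is not 'true'")
    return problems

if __name__ == "__main__":
    for problem in check_ons_conf(SAMPLE_ONS_CONF) + check_fcf(SAMPLE_DATA_SOURCES):
        print("FAIL:", problem)
```

To check a real installation, read the two files from the Oracle Identity Federation Oracle home and pass their contents to the two functions before restarting with opmnctl.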