Oracle® Application Server High Availability Guide
10g (10.1.4.0.1)

Part Number B28186-01
10 Deploying Identity Management with Multimaster Replication

This chapter provides high-level instructions for installing Oracle Identity Management components with Oracle Internet Directory multimaster replication. This chapter assumes that you are familiar with Oracle Application Server components, including: Oracle Internet Directory, OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration Platform. You should also be familiar with Oracle Internet Directory replication concepts.

You might find the following documentation pointers useful:

  • Running a replicated Oracle Internet Directory
  • Deploying Oracle Identity Management with fan-out replication: see the Oracle Identity Management Infrastructure Administrator's Guide
  • Using Oracle Directory Integration Platform with Oracle Internet Directory: see the Oracle Identity Management Integration Guide
  • Using Oracle Delegated Administration Services with Oracle Internet Directory: see the Oracle Identity Management Guide to Delegated Administration

Keep the following points in mind when using the command-line tools mentioned in this chapter:

This chapter contains the following sections:

  • Section 10.1, "Multimaster Identity Management Replication Configuration"
  • Section 10.2, "Adding a Node to a Multimaster Replication Group"
  • Section 10.3, "Deleting a Node from a Multimaster Replication Group"

10.1 Multimaster Identity Management Replication Configuration

Figure 10-1 shows an Oracle Application Server topology with Oracle Internet Directory and OracleAS Single Sign-On running in multimaster replication mode. The master Oracle Internet Directory instance runs on Host 1, the replica on Host 3. Each Oracle Internet Directory instance has its own database. A load balancer directs LDAP requests to the Oracle Internet Directory instances.

Host 2 and Host 4 run OracleAS Single Sign-On and Oracle Delegated Administration Services. On Host 2, these components use the Oracle Internet Directory on Host 1. Similarly, on Host 4, these components use the Oracle Internet Directory on Host 3. Note that these components access Oracle Internet Directory directly, without going through the load balancer. This means that OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 2 always access the Oracle Internet Directory on Host 1, and the same components on Host 4 always access the Oracle Internet Directory on Host 3. You can think of Host 1 and Host 2 as one "stack", and Host 3 and Host 4 as another "stack".

Because OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 2 and Host 4 use different metadata repositories, you cannot place them in the same OracleAS Cluster. Figure 10-1 shows them in different clusters. On Host 2, OracleAS Single Sign-On and Oracle Delegated Administration Services are in a cluster called dcmCluster1, and on Host 4, they are in a different cluster called dcmCluster2. In Figure 10-1 each cluster contains only one Oracle Application Server instance. You can add more instances to each cluster, if you want. See Section 10.1.10, "Installing Additional OracleAS Single Sign-On / Oracle Delegated Administration Services Instances in Each Replication Stack" for details.

A load balancer directs requests to OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 2 and Host 4. The load balancer can direct requests to these components on either host (despite the fact that these components on each host use different Oracle Internet Directory instances and do not belong to the same cluster) because these components reference a replicated Oracle Internet Directory / OracleAS Single Sign-On environment, which keeps the Oracle Internet Directory-managed data in the two databases synchronized.

See Section 10.1.9, "Load Balancer Configuration in a Multimaster Replication Scenario" for details on configuring the load balancers in this topology.

Steps to Create this Topology

To create this topology, perform these steps:

Table 10-1 Steps for Creating Multimaster Topology

  1. Install Oracle Internet Directory and Oracle Directory Integration Platform on the master node (Host 1). See Section 10.1.1, "Installing on the Master Node".

  2. Install Oracle Internet Directory and Oracle Directory Integration Platform on the replica node (Host 3). See Section 10.1.2, "Installing on the Replica Node".

  3. Configure Oracle Internet Directory for replication. See Section 10.1.3, "Setting up Multimaster Replication".

  4. Install OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 2. See Section 10.1.4, "Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Master Node".

  5. Synchronize the OracleAS Single Sign-On password. See Section 10.1.5, "Synchronizing the OracleAS Single Sign-On Schema Password".

  6. Install OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 4. See Section 10.1.6, "Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Replica Node".


Figure 10-1 Multimaster Replication Topology

Figure described in text.

10.1.1 Installing on the Master Node

Install Oracle Internet Directory and Oracle Directory Integration Platform on the master node as follows:

  • In the Oracle Application Server installer on Host 1: select Identity Management and Metadata Repository in the Select Installation Type screen, and select Oracle Internet Directory and Oracle Directory Integration Platform in the Select Configuration Options screen. This chapter refers to this Oracle home on Host 1 as the MASTER_HOME.

  • Do not install any other Identity Management components such as OracleAS Single Sign-On or Oracle Delegated Administration Services on Host 1.

10.1.2 Installing on the Replica Node

Install Oracle Internet Directory with OracleAS Metadata Repository on the replica node as follows:

  • In the Oracle Application Server installer on Host 3:

    Select Identity Management and Metadata Repository in the Select Installation Type screen.

    Select Oracle Internet Directory, Oracle Directory Integration Platform, High Availability and Replication in the Select Configuration Options screen.

    This chapter refers to this Oracle home on Host 3 as the REPLICA_HOME. This Oracle home will have only Oracle Internet Directory with OracleAS Metadata Repository and Oracle Directory Integration Platform. The OracleAS Metadata Repository database should have a unique global database name.

  • Do not install any other Oracle Identity Management components, such as OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 3.


Note:

When installing the replica, be sure to select High Availability and Replication in the Select Configuration Options screen so that the installer will prompt you for the replication type. It will ask you to select ASR Replica or LDAP Replica. Select ASR Replica.

10.1.3 Setting up Multimaster Replication

To set up the master and the replica nodes for replication, perform the following tasks described in the Oracle Internet Directory Administrator's Guide:

Book: Oracle Internet Directory Administrator's Guide (available in the Oracle Application Server documentation set)
Chapter: Chapter 30, "Oracle Internet Directory Replication Installation and Configuration"
Section: Section 30.3.2, "Installing and Configuring a Multimaster Replication Group"
Tasks:

  • Task 3: Set Up Oracle Database Advanced Replication for a Directory Replication Group
  • Task 5: Ensure that Oracle Directory Server Instances Are Started on All the Nodes
  • Task 6: Start the Replication Servers on All Nodes in the DRG
  • Task 7: Test Directory Replication



10.1.4 Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Master Node

On the master node (Host 2 in Figure 10-1), install OracleAS Single Sign-On and Oracle Delegated Administration Services so that these components use the OracleAS Metadata Repository and Oracle Internet Directory on Host 1. To do this, make the following selections in the installation screens:

  1. Specify File Locations - enter the destination directory where you want to install OracleAS Single Sign-On and Oracle Delegated Administration Services.

  2. Select a Product to Install - select Oracle Application Server Infrastructure.

  3. Select Installation Type - select Identity Management.

  4. Confirm Pre-Installation Requirements - verify that you meet the requirements and select all the checkboxes.

  5. Select Configuration Options - select OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability and Replication.

  6. Specify Port Configuration Options - select Automatic.

  7. Select High Availability Option - select OracleAS Cluster (Identity Management).

  8. Create or Join an Oracle Application Server Cluster (Identity Management) - select Create a New Oracle Application Server Cluster.

  9. Specify New Oracle Application Server Cluster Name - enter a name for the new cluster (for example: dcmCluster1).

  10. Specify LDAP Virtual Host and Ports - enter the physical hostname of Host 1 (not the virtual name configured on the load balancer), and the necessary ports for Oracle Internet Directory.

  11. Specify Oracle Internet Directory Login - enter the login and password for Oracle Internet Directory.

  12. Specify HTTP Listen Port, Load Balancer Host and Port - enter the port number that you want to use for Oracle HTTP Server in HTTP Listener Port. In HTTP Load Balancer Hostname and Port, enter the HTTP virtual hostname configured on the load balancer and the port number configured for the virtual hostname.

  13. Specify Instance Name and ias_admin Password - enter a name for this Oracle Application Server instance, and the password for the ias_admin user.

10.1.5 Synchronizing the OracleAS Single Sign-On Schema Password

To synchronize the OracleAS Single Sign-On schema password between the master Metadata Repository database (MDS) and the replica Metadata Repository database (RMS), follow the steps in the following section:

Book: Oracle Application Server Single Sign-On Administrator's Guide (available in the Oracle Application Server documentation set)
Chapter: Chapter 9, "Advanced Deployment Options"
Section: Section 9.2.2, "Configuring the Identity Management Database for Replication"
Step: Perform step 2.

Whenever you add a new OracleAS Single Sign-On and Oracle Delegated Administration Services replica, you must first perform this step from the master Oracle home on the replica to synchronize the OracleAS Single Sign-On schema password with the OracleAS Metadata Repository.


Note:

If you encounter errors, the OracleAS Metadata Repository might be misconfigured. Either the MDS or RMS might not have the correct database information, as used by OracleAS Single Sign-On.

10.1.6 Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Replica Node

Install OracleAS Single Sign-On and Oracle Delegated Administration Services on the replica node as follows:

  1. On Host 4, install OracleAS Single Sign-On and Oracle Delegated Administration Services so that these components use the Metadata Repository and Oracle Internet Directory on the replica node (Host 3 in Figure 10-1). To do this, follow the screen sequence shown in Section 10.1.4, "Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Master Node", with the following differences:

    • In step 8, you also create a new cluster. You cannot join this instance (on Host 4) with the instance on Host 2 in the same cluster because the instances use different OracleAS Metadata Repositories.

    • In step 9, enter a different cluster name (for example: dcmCluster2).

    • In step 10, enter the physical hostname for Host 3 instead of Host 1, because you want OracleAS Single Sign-On and Oracle Delegated Administration Services to use the Oracle Internet Directory running on Host 3.

  2. Synchronize the mod_osso configuration from the master middle tier, as described in the following section:

    Book: Oracle Application Server Single Sign-On Administrator's Guide (available in the Oracle Application Server documentation set)
    Chapter: Chapter 9, "Advanced Deployment Options"
    Section: Section 9.1.2.3, "Configuration Steps"
    Step: Reregister mod_osso on the single sign-on middle tiers

  3. Repeat this procedure to install additional OracleAS Single Sign-On and Oracle Delegated Administration Services instances, as needed.

10.1.7 If You Are Running in SSL Mode

If you selected the SSL option when installing the OracleAS Single Sign-On and Oracle Delegated Administration Services components, be aware of the following situation that can cause an error when running in SSL mode.

When both nodes running OracleAS Single Sign-On and Oracle Delegated Administration Services (Host 2 and Host 4 in Figure 10-1) are active, you may see the following error in the browser when you try to access the OracleAS Single Sign-On Administrator page from the /pls/orasso URL:

Service Temporarily Unavailable
The server is temporarily unavailable to service your request due to
maintenance downtime or capacity problems. Please try again later.

In the error_log file, you may see the following error:

mod_plsql: /pls/orasso/ORASSO.home HTTP-503 ORA-20000   Call to WPG_SESSION
API Failed.

To fix this problem, check that your load balancer's persistence setting is configured correctly. If you are using OracleAS Web Cache as the load balancer, ensure that the session is set to "Any Set-Cookie", as shown in Figure 10-2.

If you are using a hardware load balancer, check the load balancer documentation and confirm that the load balancer's persistence setting is set to a value that supports SSL communication. If you are not sure which value to specify, contact the load balancer vendor directly.

For more information, see OracleMetaLink Note 372956.1. You can access OracleMetaLink at http://metalink.oracle.com.

Figure 10-2 In OracleAS Web Cache, Configure the Session to "Any Set-Cookie"


10.1.8 Oracle Directory Integration Platform Event Propagation in a Multimaster Scenario

Oracle Directory Integration Platform supports high availability in an Oracle Internet Directory multimaster replicated scenario, with certain drawbacks. In this high availability scenario, when changes are applied to Oracle Internet Directory on one node, the changes get propagated to the other consumer nodes. The Oracle Directory Integration Platform server running on each node is responsible for event propagation to the configured applications on that node. That is, the applications that have provisioning profiles on that Oracle Internet Directory node will be informed of the changes happening on that Oracle Internet Directory node.

10.1.9 Load Balancer Configuration in a Multimaster Replication Scenario

Figure 10-1 shows two load balancers: one for HTTP requests and one for LDAP requests. Note the following points when you configure these load balancers:

  • The LDAP load balancer does not accept requests from OracleAS Single Sign-On and Oracle Delegated Administration Services.

    OracleAS Single Sign-On and Oracle Delegated Administration Services should not use the LDAP load balancer because they need to send requests only to the Oracle Internet Directory in the same "stack", where a stack consists of OracleAS Single Sign-On and its corresponding Oracle Internet Directory. You associated this OracleAS Single Sign-On with its Oracle Internet Directory during installation (see step 10).

    For example, in Figure 10-1, OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 2 and the Oracle Internet Directory on Host 1 make up one stack, and OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 4 and the Oracle Internet Directory on Host 3 make up another stack.

  • All other LDAP requests (other than the ones from OracleAS Single Sign-On / Oracle Delegated Administration Services) should go through the LDAP load balancer. For example, requests from OracleAS Portal should go through the LDAP load balancer.

  • The HTTP load balancer should monitor both the OracleAS Single Sign-On servers and the Oracle Internet Directory servers on all nodes. It needs to do this so that it can ensure that the HTTP and LDAP requests are routed to the same "stack". For example, if the Oracle Internet Directory on Host 1 is down, then the HTTP load balancer should route HTTP requests only to the OracleAS Single Sign-On server on Host 4 because its Oracle Internet Directory server on Host 3 is up.

  • The HTTP load balancer should be configured for persistent routing of HTTP requests.
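The routing rule in the bullets above (a stack is usable only when both its OracleAS Single Sign-On server and the Oracle Internet Directory it was bound to in installation step 10 are up) can be expressed as a small health script that an HTTP load balancer's external health check could run. This is an added example, not code from the Oracle guide; the host names, ports and the use of the nc utility for the TCP probe are assumptions, and the status table fed to routable_stacks in demo() is constructed to reproduce the scenario in the text (Oracle Internet Directory on Host 1 down, everything else up).

```shell
#!/bin/sh
# Added example, not from the Oracle guide: stack-aware health logic for the
# HTTP load balancer in Section 10.1.9. A stack (OracleAS Single Sign-On plus
# the Oracle Internet Directory it was bound to in installation step 10) is
# routable only when BOTH members answer. Host names and ports are placeholders.

# probe_tcp HOST PORT -> exit 0 if the TCP port accepts a connection.
# Assumes the nc (netcat) utility is installed on the probing host.
probe_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# stack_state SSO_STATE OID_STATE -> prints "up" only when both words are "up".
stack_state() {
    if [ "$1" = "up" ] && [ "$2" = "up" ]; then
        echo up
    else
        echo down
    fi
}

# probe_stack NAME SSO_HOST SSO_PORT OID_HOST OID_PORT -> prints one status
# line "NAME SSO_STATE OID_STATE" built from live probes.
probe_stack() {
    sso=down
    oid=down
    probe_tcp "$2" "$3" && sso=up
    probe_tcp "$4" "$5" && oid=up
    echo "$1 $sso $oid"
}

# routable_stacks reads status lines "NAME SSO_STATE OID_STATE" on stdin
# (lines starting with # are comments) and prints the names of the stacks
# the HTTP load balancer may send requests to.
routable_stacks() {
    while read -r name sso oid; do
        case "$name" in ""|"#"*) continue ;; esac
        if [ "$(stack_state "$sso" "$oid")" = "up" ]; then
            echo "$name"
        fi
    done
}

# demo feeds a CONSTRUCTED status table reproducing the scenario in the text:
# Oracle Internet Directory on Host 1 is down, so only the Host 3/Host 4 stack
# is routable even though OracleAS Single Sign-On on Host 2 still answers.
demo() {
    printf '%s\n' \
        '# stack            sso  oid' \
        'host1-host2-stack  up   down' \
        'host3-host4-stack  up   up' | routable_stacks
}

# Live use with placeholder hosts and ports (assumption):
#   { probe_stack host1-host2-stack host2.example.com 7777 host1.example.com 389
#     probe_stack host3-host4-stack host4.example.com 7777 host3.example.com 389
#   } | routable_stacks
```

The point of keeping the probes per stack rather than per server is the one the text makes: a healthy OracleAS Single Sign-On server whose own Oracle Internet Directory is down must not receive requests, because it never falls back to the other directory instance.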

For details on deploying applications in a replicated environment, see section 3.3.2.7, "Application Deployments in Replicated Directory Environments", in the Oracle Identity Management Infrastructure Administrator's Guide.

10.1.10 Installing Additional OracleAS Single Sign-On / Oracle Delegated Administration Services Instances in Each Replication Stack

You can add OracleAS Single Sign-On and Oracle Delegated Administration Services instances to each of the OracleAS Clusters that you created previously in Section 10.1.4 and Section 10.1.6. Each cluster will provide redundancy for OracleAS Single Sign-On and Oracle Delegated Administration Services in each replica's stack.

To do this, follow the generic indications and recommendations for Distributed OracleAS Cluster (Identity Management) installations as described in the Oracle Application Server Installation Guide, and make the following selections in the installation screens:

  1. Specify File Locations - enter the destination directory where you want to install OracleAS Single Sign-On and Oracle Delegated Administration Services.

  2. Select a Product to Install - select Oracle Application Server Infrastructure.

  3. Select Installation Type - select Identity Management.

  4. Confirm Pre-Installation Requirements - verify that you meet the requirements and select all the checkboxes.

  5. Select Configuration Options - select OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability and Replication.

  6. Specify Port Configuration Options - select Automatic.

  7. Select High Availability Option - select OracleAS Cluster (Identity Management).

  8. Create or Join an Oracle Application Server Cluster (Identity Management) - select Join an Oracle Application Server Cluster.

  9. Specify Existing OracleAS Cluster Name - enter the name of the cluster (for example: dcmCluster1 for the master (Host 1/Host 2) stack, or dcmCluster2 for the replica (Host 3/Host 4) stack).

  10. Specify LDAP Virtual Host and Ports - enter the physical hostname of Host 1 (not the virtual name configured on the load balancer), and the necessary ports for Oracle Internet Directory. If you are installing on the replica stack, enter the physical hostname of Host 3.

  11. Specify Oracle Internet Directory Login - enter the login and password for Oracle Internet Directory.

  12. Specify HTTP Listen Port, Load Balancer Host and Port - enter the port number that you want to use for Oracle HTTP Server in HTTP Listener Port. In HTTP Load Balancer Hostname and Port, enter the HTTP virtual hostname configured on the load balancer and the port number configured for the virtual hostname.

  13. Specify Instance Name and ias_admin Password - enter a name for this Oracle Application Server instance, and the password for the ias_admin user.

10.2 Adding a Node to a Multimaster Replication Group

To add a replication node to a functioning directory replication group (DRG), follow these steps.

  1. First, install the new node.

    Install Identity Management and Metadata Repository. This installation will have only the Metadata Repository, Oracle Internet Directory and Oracle Directory Integration Platform. The replica node Metadata Repository should have a unique global database name.

    Do not install other Identity Management components such as OracleAS Single Sign-On or Oracle Delegated Administration Services.

  2. Prepare the environment for adding a node.

    1. Configure the Oracle Net Services environment as described in Task 3, Installing and Configuring a Multimaster Replication Group, in the "Oracle Internet Directory Replication Administration" chapter of Oracle Internet Directory Administrator's Guide.

    2. Stop the directory replication server on all nodes.

    3. Identify a sponsor node and switch the sponsor node to read-only mode.

      Note: While the sponsor node is in read-only mode, do not make any updates to it. You may, however, update any of the other nodes, but those updates are not replicated immediately. Also, the sponsor node and the MDS can be the same node.

    4. Back up the sponsor node by using ldifwrite. Enter the following command:

      ORACLE_HOME/bin/ldifwrite -c connect_string  \
               -b "orclagreementid=000001,cn=replication configuration" \
               -f output_ldif_file
      
      
  3. Add the node into the replication group.

    1. Perform the Advanced Replication add node setup on the sponsor node by typing:

      ORACLE_HOME/bin/remtool -addnode
      
      

      The Replication Environment Management Tool adds the node to the DRG.


      Note:

      If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all the nodes in the DRG. If the node to be deleted is in the list, then delete it by running remtool -delnode again.

    2. Switch the sponsor node to updatable mode.

    3. Start the directory replication server on all nodes except the new node.

    4. Stop oidmon.

    5. Load data into the new node, as follows:

      First do a check and generate by typing:

      ORACLE_HOME/ldap/bin/bulkload.sh \
        -connect db_connect_string_of_new_node \
        -check -generate -restore  \
        absolute_path_to_the_ldif_file_generated_by_ldifwrite


      Note:

      Verify that the ORACLE_HOME/ldap/log/bulkload.log does not report any errors. It is possible that you might see Duplicate entry errors in the log for some of the entries. You can safely ignore this error and proceed with the load.

      Now load the data on the target node by typing:

      ORACLE_HOME/ldap/bin/bulkload.sh \
        -connect db_connect_string_of_new_node \
        -load -restore  \
        absolute_path_to_the_ldif_file_generated_by_ldifwrite
      
      
  4. Start the directory server on the new node by typing the following command:

    ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=OID
    
    
  5. Start the directory replication server on the new node by typing:

    ORACLE_HOME/bin/oidctl connect=db_connect_string_of_new_node \
       server=oidrepld instance=1 \
       flags='-h host_name_of_new_node -p port'  start
    
    
  6. Install a new middle tier, based on the new replica node.

    1. Synchronize the OracleAS Single Sign-On schema passwords from MDS to the new node as described in Section 10.1.5, "Synchronizing the OracleAS Single Sign-On Schema Password".

    2. Install OracleAS Single Sign-On and Oracle Delegated Administration Services as described in Section 10.1.6, "Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Replica Node".

    3. Configure the HTTP load balancer to distribute incoming traffic to this newly installed node.
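The bulkload step above (step 5) is the one place in this procedure where the operator has to read a log and decide whether to continue: the note says duplicate-entry errors in ORACLE_HOME/ldap/log/bulkload.log are expected, while any other error should stop the load. The following script, added here as an example and not part of the Oracle guide, wraps the check-and-generate and load passes with exactly that decision. The log line wording in write_sample_log is a constructed assumption, so adapt the grep patterns to the text your own bulkload.log produces; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: wrapper for the bulkload steps of
# Section 10.2 (step 5) that inspects ORACLE_HOME/ldap/log/bulkload.log the
# way the note describes: "Duplicate entry" errors are expected and ignored,
# any other error stops the procedure before the -load pass. The log line
# format in write_sample_log is an assumption (constructed sample).

# blocking_errors LOGFILE -> prints error lines that are not duplicate-entry
# errors; returns 0 if there are none, 1 if the load must not proceed.
blocking_errors() {
    if grep -i 'error' "$1" 2>/dev/null | grep -iv 'duplicate entry'; then
        return 1
    fi
    return 0
}

# count_duplicates LOGFILE -> prints the number of ignorable duplicate-entry
# errors so the operator can reconcile them against the LDIF afterwards.
count_duplicates() {
    n=$(grep -ic 'duplicate entry' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# bulkload_check ORACLE_HOME DB_CONNECT_STRING LDIF -> runs the check and
# generate pass from the guide, then vets the log. Non-zero exit means stop.
bulkload_check() {
    oh=$1 connect=$2 ldif=$3
    "$oh/ldap/bin/bulkload.sh" -connect "$connect" -check -generate -restore "$ldif"
    echo "ignorable duplicate-entry errors: $(count_duplicates "$oh/ldap/log/bulkload.log")"
    blocking_errors "$oh/ldap/log/bulkload.log"
}

# bulkload_load ORACLE_HOME DB_CONNECT_STRING LDIF -> the load pass; run it
# only after bulkload_check succeeded.
bulkload_load() {
    oh=$1 connect=$2 ldif=$3
    "$oh/ldap/bin/bulkload.sh" -connect "$connect" -load -restore "$ldif"
    blocking_errors "$oh/ldap/log/bulkload.log"
}

# write_sample_log FILE writes a CONSTRUCTED log imitating the situation the
# note describes: two duplicate-entry errors and nothing else wrong.
write_sample_log() {
    cat > "$1" <<'EOF'
Checking entry cn=user1,cn=users,dc=example,dc=com
Error: duplicate entry cn=user1,cn=users,dc=example,dc=com
Checking entry cn=user2,cn=users,dc=example,dc=com
Error: duplicate entry cn=user2,cn=users,dc=example,dc=com
Generate phase completed
EOF
}

# Usage on the new node (paths and connect string are placeholders):
#   bulkload_check "$ORACLE_HOME" db_connect_string_of_new_node /path/to/backup.ldif \
#       && bulkload_load "$ORACLE_HOME" db_connect_string_of_new_node /path/to/backup.ldif
```

Chaining the two passes with && means a real error in the check pass (anything blocking_errors prints) prevents the load pass from ever running, which is the manual decision the note asks the operator to make.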

10.3 Deleting a Node from a Multimaster Replication Group

You can delete a node from a DRG, provided the DRG contains more than two nodes. You might need to do so if the addition of a new node did not fully succeed as a result of system errors. To delete a replication node, perform these steps:

  1. Stop the directory replication server on all nodes. To do that, run the following command on each node in the DRG:

    ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld instance=1 stop
    
    

    Note:

    The instance number may vary.

  2. Stop all processes on the node to be deleted.

    1. Stop all processes in the associated middle tier Oracle homes.

      ORACLE_HOME/opmn/bin/opmnctl stopall
      
      
    2. On the node to be deleted, stop all Oracle Application Server processes including Oracle Internet Directory Monitor and all directory server instances.

      ORACLE_HOME/opmn/bin/opmnctl stopall
      
      
  3. Delete the node from the master definition site. From the MDS, run the following command:

    ORACLE_HOME/bin/remtool -delnode
    
    

    Note:

    If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all nodes in the DRG. If the new node is not in the list, then add it by running remtool -addnode again.

  4. Start the directory replication server on all nodes by typing the following command:

    ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld \
      instance=1 flags='-h host -p port' start
    
    
  5. Optionally, decommission the removed replica node and its associated middle tier by deinstalling the corresponding Oracle homes.