Oracle® Application Server Installation Guide
10g (10.1.4.0.1) for Microsoft Windows

Part Number B28192-01

9 Installing in High Availability Environments: OracleAS Cluster (Identity Management)

This chapter describes how to install Oracle Application Server in OracleAS Cluster (Identity Management) configurations.

9.1 OracleAS Cluster (Identity Management): Introduction

In OracleAS Cluster (Identity Management) configurations, the Oracle Identity Management components and the OracleAS Metadata Repository run on separate nodes. All the nodes in an OracleAS Cluster (Identity Management) configuration are active. Requests from clients, such as middle tiers, are directed to a load balancer, which then directs the requests to one of the active nodes. See Figure 9-1.

These nodes can belong to a hardware cluster, but this is not required.

These configurations are called "OracleAS Cluster (Identity Management)" because the OracleAS Single Sign-On and Oracle Delegated Administration Services components are clustered. This means that these components are configured identically across nodes.

Database (OracleAS Metadata Repository) Requirement

You need an existing OracleAS Metadata Repository before installing an OracleAS Cluster (Identity Management) configuration. You can install OracleAS Metadata Repository in one of the following methods:

For OracleAS Cluster (Identity Management) configurations, Oracle recommends using a high availability database configuration such as Real Application Clusters or cold failover cluster.

You can only install one OracleAS Cluster (Identity Management) on an OracleAS Metadata Repository.


Note:

For OracleAS Cluster (Identity Management) configurations, you never select the "Oracle Identity Management and OracleAS Metadata Repository" option in the installer. You always select the Oracle Identity Management option. This is why you need an existing OracleAS Metadata Repository.

Always Select the Same Components

Because the installer clusters the components in an OracleAS Cluster (Identity Management) configuration, you need to select the same components in the Select Configuration Options screen for all the nodes in the cluster.

For example, if you select Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services for the installation on node 1, then you have to select the same set of components in subsequent installations.

Clustering will fail if you select different components in each installation.

Configurations

You can install OracleAS Cluster (Identity Management) in these configurations:

9.2 Pre-Installation Steps for OracleAS Cluster (Identity Management)

Before installing an OracleAS Cluster (Identity Management) configuration, you need to set up the following items:

9.2.1 Use the Same Path for the Oracle Home Directory (recommended)

For all the nodes that will be running Oracle Identity Management components, use the same full path for the Oracle home. This practice is recommended, but not required.

9.2.2 Synchronize Clocks on All Nodes

Synchronize the system clocks on all nodes so they are running within 250 seconds of each other. When synchronizing the system clocks, make sure the clocks are set to the same time zone.

Note: If you do not synchronize the clocks, then there will be inconsistent operation attributes in the directory entries and inconsistent behavior of the password state policies. As a result, you will see unwanted instance failovers.

9.2.3 Configure Virtual Server Names and Ports for the Load Balancer

Configure your load balancer with two virtual server names and associated ports:

  • Configure a virtual server name for LDAP connections. For this virtual server, you need to configure a port for SSL connections.


    Note:

    It is recommended that the port you configured for SSL connections on the LDAP virtual server also be configured as the SSL port for Oracle Internet Directory on the nodes on which you will install Oracle Internet Directory.

  • Configure a virtual server name for HTTP connections. For this virtual server, you also need to configure a port for either SSL or non-SSL connections. If you want the client to connect to the load balancer using HTTPS, configure a port for SSL connections. If you want the client to connect to the load balancer using HTTP, configure a port for non-SSL connections.


    Note:

    The ports for the HTTP virtual server can be different from the Oracle HTTP Server Listen ports.

The installer will prompt you for the virtual server names and port numbers. Enter the same virtual server names in the installer that you used to configure the LDAP and HTTP virtual servers. The virtual server name need not be fully qualified, but it must match what you configured on the load balancer exactly. For example, if you used a fully-qualified host name when you configured the LDAP virtual server, then you must enter the same fully-qualified host name in the installer.


Note:

The installer does not check the load balancer. Make sure the load balancer is properly configured and enabled before running the installer.

In addition, check the following:

  • Check that the virtual server names are associated with IP addresses and are part of your DNS. The nodes that will be running Oracle Application Server must be able to resolve these virtual server names.
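The pre-installation items above (clocks within 250 seconds and in the same time zone, the same Oracle home path on every node, and virtual server names that resolve in DNS) can be checked before the installer is run. The following script is an added example, not part of the Oracle guide or the installer; the node names, clock readings, paths and the offline DNS table are constructed sample data, and the `NodeReport` structure is an assumption about how you collect the readings from each node.

```python
"""Pre-installation checks for an OracleAS Cluster (Identity Management).

Added example (not Oracle's code). It verifies, from readings you collect
on each node, the items in Section 9.2: clock skew within 250 seconds and a
common time zone (9.2.2), an identical Oracle home path on all nodes (9.2.1,
recommended) and DNS resolution of the load balancer virtual server names
(9.2.3). All sample data below is constructed.
"""
from dataclasses import dataclass
import socket

MAX_CLOCK_SKEW_SECONDS = 250  # limit stated in Section 9.2.2


@dataclass
class NodeReport:
    """Readings collected from one node (assumed collection format)."""
    name: str
    epoch_seconds: float   # node clock, as seconds since the epoch
    time_zone: str         # time zone name reported by the node
    oracle_home: str       # full path of the Oracle home on that node


def check_clocks(nodes, max_skew=MAX_CLOCK_SKEW_SECONDS):
    """Return a list of clock/time-zone problems (empty list means OK)."""
    problems = []
    zones = {n.time_zone for n in nodes}
    if len(zones) > 1:
        problems.append(f"time zones differ across nodes: {sorted(zones)}")
    times = [n.epoch_seconds for n in nodes]
    skew = max(times) - min(times)
    if skew > max_skew:
        problems.append(f"clock skew {skew:.0f}s exceeds {max_skew}s")
    return problems


def check_oracle_home(nodes):
    """Warn when the Oracle home path is not the same on every node.
    Windows paths are compared case-insensitively."""
    homes = {n.oracle_home.rstrip("\\/").lower() for n in nodes}
    if len(homes) > 1:
        return [f"Oracle home differs across nodes: {sorted(homes)}"]
    return []


def check_virtual_servers(names, resolver=socket.gethostbyname):
    """Return the virtual server names that do not resolve to an IP address.
    socket.gaierror is a subclass of OSError, so a real resolver is caught too."""
    unresolved = []
    for name in names:
        try:
            resolver(name)
        except OSError:
            unresolved.append(name)
    return unresolved


def run_checks(nodes, virtual_servers, resolver=socket.gethostbyname):
    """Run all checks and return the combined list of problems."""
    problems = check_clocks(nodes) + check_oracle_home(nodes)
    problems += [f"virtual server does not resolve: {n}"
                 for n in check_virtual_servers(virtual_servers, resolver)]
    return problems


# Constructed sample data: three nodes, the third one 400 seconds ahead.
SAMPLE_NODES = [
    NodeReport("idm1", 1_700_000_000.0, "UTC", r"C:\OraHome_1"),
    NodeReport("idm2", 1_700_000_100.0, "UTC", r"C:\OraHome_1"),
    NodeReport("idm3", 1_700_000_400.0, "UTC", r"C:\orahome_1"),
]

# Constructed offline DNS table so the example runs without a network.
SAMPLE_DNS = {"ldap.example.com": "192.0.2.10", "sso.example.com": "192.0.2.11"}


def sample_resolver(name):
    """Stand-in for socket.gethostbyname backed by SAMPLE_DNS."""
    try:
        return SAMPLE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"name not known: {name}")


if __name__ == "__main__":
    for p in run_checks(SAMPLE_NODES, ["ldap.example.com", "sso.example.com",
                                       "bogus.example.com"], sample_resolver):
        print("PROBLEM:", p)
```

With the sample data the script reports the 400-second skew and the unresolvable name; the differing case of the third Oracle home path is accepted because Windows paths are case-insensitive. Replace `sample_resolver` with the default `socket.gethostbyname` to query the real DNS from a node.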

9.2.4 Configure Your LDAP Virtual Server

Configure the LDAP virtual server on your load balancer to direct requests to node 1 initially. The procedure to add additional nodes differs depending upon whether or not your load balancer supports LDAP service monitoring.

Note that these procedures apply only to the LDAP virtual server configured on your load balancer. They do not apply to the HTTP virtual server configured on your load balancer.

9.2.4.1 Load Balancer Supports LDAP Service Monitoring

If your load balancer supports LDAP service monitoring, then you can add all the nodes to the LDAP virtual server before starting the installation.

For example, if you have three nodes:

  1. Configure the LDAP virtual server to direct requests to node 1 only.

  2. Add node 2 to the LDAP virtual server.

  3. Add node 3 to the LDAP virtual server.

  4. Install Oracle Identity Management components on node 1.

  5. Install Oracle Identity Management components on node 2.

  6. Install Oracle Identity Management components on node 3.

9.2.4.2 Load Balancer Does Not Support LDAP Service Monitoring

If your load balancer does not support LDAP service monitoring, then configure your LDAP virtual server to direct requests to node 1 only before starting the installation. After you complete the installation on a node, add that node to the virtual server.

For example, if you have three nodes:

  1. Configure the LDAP virtual server to direct requests to node 1 only.

  2. Install Oracle Identity Management components on node 1.

  3. Install Oracle Identity Management components on node 2.

  4. Add node 2 to the LDAP virtual server.

  5. Install Oracle Identity Management components on node 3.

  6. Add node 3 to the LDAP virtual server.

9.3 About Oracle Internet Directory Passwords

In OracleAS Cluster (Identity Management) configurations, you install Oracle Internet Directory on multiple nodes, and in each installation, you enter the instance password in the "Specify Instance Name and ias_admin Password" screen.

The password specified in the first installation is used as the password for the cn=orcladmin and orcladmin users not just in the first Oracle Internet Directory, but in all Oracle Internet Directory installations in the cluster.

This means that to access the Oracle Internet Directory on any node, you have to use the password that you entered in the first installation. You cannot use the passwords that you entered in subsequent installations.

Accessing the Oracle Internet Directory includes:

You still need the passwords that you entered in subsequent installations for logging into Application Server Control.

9.4 About Configuring SSL and Non-SSL Ports for Oracle HTTP Server

When you are installing OracleAS Cluster (Identity Management) configurations, the installer displays the "Specify HTTP Load Balancer Host and Listen Ports" screen.

This screen has two sections:

You use this screen to set up the type of communication (SSL or non-SSL) between client, load balancer, and Oracle HTTP Server. Three cases are possible:


Note:

Because the values you specify in this dialog override the values specified in the staticports.ini file, you should not specify port numbers for the Oracle HTTP Server Listen port in the staticports.ini file.

9.4.1 Case 1: Client ---[HTTP]---> Load Balancer ---[HTTP]---> Oracle HTTP Server

HTTP Listener: Port: Enter the port number that you want to use as the Oracle HTTP Server Listen port. This will be the value of the Listen directive in the httpd.conf file. Enable SSL: Do not select this option. The installer tries the default port number for the SSL port.

HTTP Load Balancer: Hostname: Enter the name of the virtual server on the load balancer configured to handle HTTP requests.

HTTP Load Balancer: Port: Enter the port number that the HTTP virtual server listens on. This will be the value of the Port directive in the httpd.conf file. Enable SSL: Do not select this option.

Example

Table 9-1 Example for Case 1

Values in Screen:

HTTP Listener: Port: 8000
Enable SSL: Unchecked
HTTP Load Balancer: Port: 80
Enable SSL: Unchecked

Resulting Values in Configuration Files:

In httpd.conf:

Port 80
Listen 8000

In ssl.conf:

Port <default port number assigned by installer>
Listen <default port number assigned by installer>

9.4.2 Case 2: Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server

HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. This will be the value of the Listen directive in the ssl.conf file. Enable SSL: Select this option.

HTTP Load Balancer: Hostname: Enter the name of the virtual server on the load balancer configured to handle HTTPS requests.

HTTP Load Balancer: Port: Enter the port number that the HTTP virtual server listens on. This will be the value of the Port directive in the ssl.conf file. Enable SSL: This option has been automatically selected and cannot be deselected. This is because you selected Enable SSL for the HTTP Listener.

In opmn.xml, the installer sets the ssl-enabled line in the Oracle HTTP Server section to true.

Example

Table 9-2 Example for Case 2

Values in Screen:

HTTP Listener: Port: 90
Enable SSL: Checked
HTTP Load Balancer: Port: 443
Enable SSL: Checked

Resulting Values in Configuration Files:

In httpd.conf:

Port <default port number assigned by installer>
Listen <default port number assigned by installer>

In ssl.conf:

Port 443
Listen 90

Note that in this case you will have to perform an additional post-configuration step. See Section 9.7.3, "Update targets.xml (Case 2 only)".

9.4.3 Case 3: Client ---[HTTPS]---> Load Balancer ---[HTTP]---> Oracle HTTP Server

HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. This will be the value of the Listen directive in the httpd.conf file. Enable SSL: Do not select this option.

HTTP Load Balancer: Hostname: Enter the name of the virtual server on the load balancer configured to handle HTTPS requests.

HTTP Load Balancer: Port: Enter the port number that the HTTP virtual server listens on. This will be the value of the Port directive in the httpd.conf file. Enable SSL: Select this option.

Note that in this configuration, the load balancer must have SSL acceleration capabilities, or you must add a separate SSL Accelerator. The conversion from HTTPS to HTTP happens before Oracle HTTP Server receives the request. The SSL accelerator must be properly configured prior to installation. The installer does not check for this.

The installer will change the following lines:

  • In opmn.xml, the installer sets the ssl-enabled line in the Oracle HTTP Server section to true.

  • In httpd.conf, the installer adds the following lines:

    LoadModule certheaders_module libexec/mod_certheaders.so
    SimulateHttps on

Example

Table 9-3 Example for Case 3

Values in Screen:

HTTP Listener: Port: 9000
Enable SSL: Unchecked
HTTP Load Balancer: Port: 443
Enable SSL: Checked

Resulting Values in Configuration Files:

In httpd.conf:

Port 443
Listen 9000

In ssl.conf:

Port <default port number assigned by installer>
Listen <default port number assigned by installer>
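The three cases in Section 9.4 follow one rule set: the Listen and Port directives go into httpd.conf when the listener is non-SSL and into ssl.conf when it is SSL, the other file gets installer-assigned defaults, and cases 2 and 3 also set ssl-enabled in opmn.xml (case 3 adds the mod_certheaders lines). The following is an added example that encodes those rules so you can predict the resulting files from the screen values before running the installer; it is not the installer's code. The `ScreenValues` and `ResultingConfig` structures are assumptions, and `DEFAULT_PORT` is only the placeholder text from the tables, since the real default is chosen by the installer.

```python
"""Predict Oracle HTTP Server port directives from the
"Specify HTTP Load Balancer Host and Listen Ports" screen values.

Added example, not Oracle installer code. Reproduces the rules of Section
9.4 for all three cases and rejects the combination the screen does not
allow (listener SSL selected, load balancer SSL not selected).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Placeholder copied from the guide's tables; the installer picks the real value.
DEFAULT_PORT = "<default port number assigned by installer>"


@dataclass
class ScreenValues:
    listener_port: int   # HTTP Listener: Port
    listener_ssl: bool   # HTTP Listener: Enable SSL
    lb_host: str         # HTTP Load Balancer: Hostname (virtual server name)
    lb_port: int         # HTTP Load Balancer: Port
    lb_ssl: bool         # HTTP Load Balancer: Enable SSL


@dataclass
class ResultingConfig:
    case: int
    httpd_conf: Dict[str, object]
    ssl_conf: Dict[str, object]
    opmn_ssl_enabled: Optional[bool]          # None: the guide states no value
    httpd_conf_extra: List[str] = field(default_factory=list)


def screen_allows(listener_ssl: bool, lb_ssl: bool) -> bool:
    """The screen auto-selects Enable SSL for the load balancer once the
    listener is SSL, so 'listener SSL, load balancer non-SSL' cannot be entered."""
    return not (listener_ssl and not lb_ssl)


def derive_config(v: ScreenValues) -> ResultingConfig:
    if not screen_allows(v.listener_ssl, v.lb_ssl):
        raise ValueError("load balancer port must be SSL when the listener port is SSL")
    if not v.listener_ssl and not v.lb_ssl:
        # Case 1: HTTP from client to load balancer and from load balancer to OHS.
        return ResultingConfig(1,
            httpd_conf={"Port": v.lb_port, "Listen": v.listener_port},
            ssl_conf={"Port": DEFAULT_PORT, "Listen": DEFAULT_PORT},
            opmn_ssl_enabled=None)
    if v.listener_ssl and v.lb_ssl:
        # Case 2: HTTPS end to end; the directives land in ssl.conf.
        return ResultingConfig(2,
            httpd_conf={"Port": DEFAULT_PORT, "Listen": DEFAULT_PORT},
            ssl_conf={"Port": v.lb_port, "Listen": v.listener_port},
            opmn_ssl_enabled=True)
    # Case 3: HTTPS terminated at the load balancer (SSL accelerator), HTTP to OHS.
    return ResultingConfig(3,
        httpd_conf={"Port": v.lb_port, "Listen": v.listener_port},
        ssl_conf={"Port": DEFAULT_PORT, "Listen": DEFAULT_PORT},
        opmn_ssl_enabled=True,
        httpd_conf_extra=["LoadModule certheaders_module libexec/mod_certheaders.so",
                          "SimulateHttps on"])


def render_files(cfg: ResultingConfig) -> Dict[str, List[str]]:
    """Directive lines as they would appear in each file."""
    return {
        "httpd.conf": [f"{k} {val}" for k, val in cfg.httpd_conf.items()]
                      + cfg.httpd_conf_extra,
        "ssl.conf": [f"{k} {val}" for k, val in cfg.ssl_conf.items()],
    }


if __name__ == "__main__":
    # The three examples from Tables 9-1, 9-2 and 9-3 (constructed hostname).
    for v in (ScreenValues(8000, False, "sso.example.com", 80, False),
              ScreenValues(90, True, "sso.example.com", 443, True),
              ScreenValues(9000, False, "sso.example.com", 443, True)):
        cfg = derive_config(v)
        print(f"Case {cfg.case}: opmn ssl-enabled={cfg.opmn_ssl_enabled}")
        for fname, lines in render_files(cfg).items():
            print(f"  {fname}: " + "; ".join(lines))
```

Running the script prints exactly the directive values shown in Tables 9-1 to 9-3. The opmn.xml value for case 1 is reported as None because the guide only describes that setting for cases 2 and 3.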

9.5 Installing an OracleAS Cluster (Identity Management) Configuration

In this configuration, you need an existing database that is already running in a configuration supported by the OracleAS RepCA. Oracle recommends running the database in a high availability environment, such as a Real Application Clusters database. You also need additional nodes (at least two nodes) to run Oracle Identity Management components. In this configuration, Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services run on each node. If you want to distribute these components, see Section 9.6, "Installing a Distributed OracleAS Cluster (Identity Management) Configuration".

These nodes are accessed through a load balancer. See Figure 9-1.

You install the OracleAS Metadata Repository in your existing database, then install Oracle Identity Management components against this database.

Oracle Directory Integration Platform Is Started on the First Node Only

The installer starts Oracle Directory Integration Platform only on the first node, even though you selected it on subsequent nodes as well. On subsequent nodes, the installer configures Oracle Directory Integration Platform, but does not start it.

If You Want Oracle Internet Directory to Listen on SSL Ports Only

If you want Oracle Internet Directory to listen on SSL ports only, perform this configuration after you have installed Oracle Identity Management. You need Oracle Internet Directory to be listening on both SSL and non-SSL ports when you install OracleAS Single Sign-On and Oracle Delegated Administration Services.

Figure 9-1 OracleAS Cluster (Identity Management) Configuration



9.5.1 Installation Order

To create an OracleAS Cluster (Identity Management) configuration:

  1. Install the OracleAS Metadata Repository in your existing database.

  2. Install the Oracle Identity Management on each node. You run the installer on each node separately.


    Note:

    If you want to configure Oracle Internet Directory to listen on SSL ports only, perform this configuration after you have installed Oracle Identity Management. Oracle Internet Directory needs to be listening on both SSL and non-SSL ports when you install OracleAS Single Sign-On and Oracle Delegated Administration Services.

  3. Install middle tiers.

9.5.2 Installing OracleAS Metadata Repository

To install the OracleAS Metadata Repository in your existing database, you use the OracleAS RepCA. See the Oracle Application Server Metadata Repository Creation Assistant User's Guide for details.

9.5.3 Installing OracleAS Cluster (Identity Management) on the First Node

Run the installer on each node where you want to install Oracle Identity Management components.

Note that the procedure for installing Oracle Identity Management components on the first node is different from installing the components on subsequent nodes. To install the components on subsequent nodes, see Section 9.5.4, "Installing OracleAS Cluster (Identity Management) on Subsequent Nodes".


9.5.3.1 Create staticports.ini File

If you want to use custom ports for components other than Oracle HTTP Server or Oracle Internet Directory, you need to create a staticports.ini file for this installation.

If you want custom ports for Oracle HTTP Server or Oracle Internet Directory, you specify them in the "Specify HTTP Load Balancer Host and Listen Ports" and the "Specify Host and Port for LDAP" screens.

If you specify custom ports for Oracle HTTP Server and Oracle Internet Directory also in the staticports.ini file, and you also specify ports in the screens mentioned above, the ports specified in the screens take precedence.

To avoid specifying Oracle HTTP Server and Oracle Internet Directory ports in the staticports.ini file, the staticports.ini file must not contain these lines:

Oracle HTTP Server port = port_num
Oracle HTTP Server Listen port = port_num
Oracle HTTP Server SSL port = port_num
Oracle HTTP Server Listen (SSL) port = port_num
Oracle Internet Directory port = port_num
Oracle Internet Directory (SSL) port = port_num

If you have a staticports.ini file, you should also use the same file for installations on subsequent nodes.
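Because the six Oracle HTTP Server and Oracle Internet Directory port lines listed above are overridden by the installer screens, it is easy to check the staticports.ini file for them before reusing it on every node. The following is an added example, not Oracle's tooling: it parses the `component = port` lines, reports any of the six keys, and writes a copy with those lines removed. The sample file contents are constructed, and "Some Other Component port" is a placeholder for whichever other component ports you do set in the file.

```python
"""Check a staticports.ini for the Oracle HTTP Server and Oracle Internet
Directory port lines that Section 9.5.3.1 says must not be present.

Added example (not Oracle's code). Keys are matched case-insensitively with
whitespace normalised; everything else in the file is left untouched.
"""

# The six lines quoted in Section 9.5.3.1 that the installer screens override.
FORBIDDEN_KEYS = (
    "Oracle HTTP Server port",
    "Oracle HTTP Server Listen port",
    "Oracle HTTP Server SSL port",
    "Oracle HTTP Server Listen (SSL) port",
    "Oracle Internet Directory port",
    "Oracle Internet Directory (SSL) port",
)


def _normalize(key):
    """Collapse whitespace and lower-case a key for comparison."""
    return " ".join(key.split()).lower()


_FORBIDDEN = {_normalize(k) for k in FORBIDDEN_KEYS}


def parse_staticports(text):
    """Return (key, value) pairs in file order; blank and '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed staticports.ini line: {raw!r}")
        entries.append((" ".join(key.split()), value.strip()))
    return entries


def find_overridden_ports(text):
    """Keys present in the file that the installer screens would override."""
    return [key for key, _ in parse_staticports(text) if _normalize(key) in _FORBIDDEN]


def strip_overridden_ports(text):
    """Return the file contents with the offending lines removed."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            if _normalize(line.partition("=")[0]) in _FORBIDDEN:
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample file; the last key is a placeholder component name.
SAMPLE_INI = """\
# constructed sample staticports.ini (not from the guide)
Oracle HTTP Server port = 7777
Oracle HTTP Server Listen port = 7778
Oracle Internet Directory (SSL) port=636
Some Other Component port = 1810
"""


if __name__ == "__main__":
    for key in find_overridden_ports(SAMPLE_INI):
        print("remove from staticports.ini (set in installer screen instead):", key)
    print("--- cleaned file ---")
    print(strip_overridden_ports(SAMPLE_INI), end="")
```

Run the check against the same file on every node, since Section 9.5.4 says subsequent nodes must reuse the first node's staticports.ini.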

9.5.3.2 Disable TCP Monitoring on Load Balancer for First Node

Before installing on the first node, you must make sure that TCP monitoring is not enabled for the Virtual IP on the first node.

9.5.3.3 Configure the Load Balancer to Return Immediately to the Calling Client

It is highly recommended that you configure the load balancer virtual server to return immediately to the calling client when the backend services to which it forwards traffic are unavailable. This is preferred over the client disconnecting on its own after a timeout based on the TCP/IP settings on the client machine.

If your load balancer is not configured this way, the Java Security Configuration Assistant may report the following:

WARNING: DCM service may not be available at this time to synchronize $ORACLE_HOME/j2ee/home/config/jazn-data.xml file.

Refer to Section F.3.17, "WARNING: DCM service may not be available at this time" for information on how to correct this problem after the installation is finished.


See Also:

The Oracle Application Server High Availability Guide for more information on load balancer requirements.

9.5.3.4 Ensure that the OracleAS Metadata Repository Is Not Registered with any Oracle Internet Directory

When you perform the installation on the first node, you need to specify an OracleAS Metadata Repository that is not registered with any Oracle Internet Directory. The installer checks for this. If the installer finds that the OracleAS Metadata Repository is already registered with an Oracle Internet Directory, then it assumes that you are installing on subsequent nodes, and that you want to join the cluster that was created when you installed on the first node. It prompts you for the existing cluster name, and the connect information for the Oracle Internet Directory.

9.5.3.5 Select the Same Components for Each Node

You must select the same components in the Select Configuration Options screen when installing on each node. For example, if you select Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services on the first node, you must select the same set of components on subsequent nodes.

9.5.3.6 Run the Installer

Follow the steps in Table 9-4.

Key Points for Installing on the First Node

  • In the Select Configuration Options screen, select High Availability and Replication, in addition to selecting the components.

  • In the Select High Availability or Replication Option screen, select OracleAS Cluster (Identity Management).

Table 9-4 Steps for Installing OracleAS Cluster (Identity Management) on the First Node

Step 1. Screen: --

Action: Start up the installer and complete the first few screens. See Section 4.27, "Install Fragment: The First Few Screens of the Installation" for details.

Notes:

In the Select Installation Type screen, select Identity Management.

Step 2. Screen: Select Configuration Options

Action:

Select Oracle Internet Directory.

Select Oracle Application Server Single Sign-On.

Select OracleAS Delegated Administration Services.

Select Oracle Directory Integration Platform.

Do not select Oracle Application Server Certificate Authority (OCA).

Select High Availability and Replication.

Click Next.

Step 3. Screen: Specify Port Configuration Options

Action: Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 9.5.3.1, "Create staticports.ini File".

Click Next.

Step 4. Screen: Specify Repository

Action: When you install on the first node, you need to specify an OracleAS Metadata Repository that is not registered with an Oracle Internet Directory. When you install on subsequent nodes, then the OracleAS Metadata Repository is registered with the Oracle Internet Directory on the first node.

Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges.

Password: Enter the user's password.

Hostname and Port: Enter the names of all the nodes where the Real Application Clusters database is running, and the port numbers. Use the format:

host1.domain.com:port1, host2.domain.com:port2, ...

Service Name: Enter the service name of the database. Note that the service name must include the database domain name.

Example: orcl.mydomain.com

Click Next.

Step 5. Screen: Select High Availability or Replication Option

Action: Select OracleAS Cluster (Identity Management), and click Next.

Step 6. Screen: Specify New Oracle Application Server Clusters Name

Action: Enter a name for the new OracleAS Cluster (Identity Management). Note that the cluster name is case-sensitive. Oracle recommends that you record the cluster name for use during installations on subsequent nodes.

Example: cluster1

Click Next.

Step 7. Screen: Specify Namespace in Internet Directory

Action: Select the suggested namespace, or enter a custom namespace for the location of the default Oracle Identity Management realm.

Ensure the value shown in Suggested Namespace meets your deployment needs. If not, enter the desired value in Custom Namespace. See Section 4.16, "What Do I Enter in the "Specify Namespace in Internet Directory" Screen?".

Click Next.

Step 8. Screen: Specify Host and Port for LDAP

Action: The values you enter in this screen depend on your scenario. There are two possible scenarios:

Scenario 1: You have configured a virtual server on your load balancer to handle LDAP traffic from Oracle Delegated Administration Services and OracleAS Single Sign-On to Oracle Internet Directory.

Scenario 2: You do not have a load balancer.

Hostname: In scenario 1, enter the name of the virtual server in this field. Enter the same virtual server name that you configured on the load balancer. In scenario 2, if the Oracle Internet Directory is highly available, enter the virtual hostname of the computer running Oracle Internet Directory. For Oracle Internet Directory deployments that are not highly available, enter the physical hostname of the computer running Oracle Internet Directory.

Notes on the port values for scenario 2 (see Section 9.2.3, "Configure Virtual Server Names and Ports for the Load Balancer" for details):

  • The same port numbers will be used for the Oracle Internet Directory on subsequent nodes.

SSL Port: In scenario 1, enter the port configured on the virtual server to handle SSL LDAP connections. In scenario 2, enter the port that you want Oracle Internet Directory to use for SSL connections. The standard port number for SSL LDAP connections is 636, but you can use any port that you want.

Click Next.

Step 9. Screen: Specify HTTP Listen Port, Load Balancer Host and Port

Action: See Section 9.4, "About Configuring SSL and Non-SSL Ports for Oracle HTTP Server" for details.

HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. Enable SSL: Select this option if you want to configure Oracle HTTP Server for SSL on this port.

HTTP Load Balancer: Hostname: Enter the name of the HTTP virtual server configured on your load balancer. Enter the same virtual server name that you configured on the load balancer.

HTTP Load Balancer: Port: Enter the port for the HTTP virtual server. Enable SSL: Select this option if this port is for SSL communications only.

Click Next.

Step 10. Screen: Specify Instance Name and ias_admin Password

Action: Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 3.4, "Oracle Application Server Instances and Instance Names" for instance name details.

Example: id_mgmt

ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 3.5, "The ias_admin User and Restrictions on its Password" for restrictions on the password.

Example: welcome99

Click Next.

Step 11. Screen: --

Action: Finish the installation. See Section 4.28, "Install Fragment: The Last Few Screens of the Installation" for details.


9.5.4 Installing OracleAS Cluster (Identity Management) on Subsequent Nodes

You run the installer on each node where you want to install Oracle Identity Management components. Use this procedure to install Oracle Identity Management components on nodes other than the first. For the first node, see Section 9.5.3, "Installing OracleAS Cluster (Identity Management) on the First Node".

Key Points for Installing on Subsequent Nodes

  • Use the same staticports.ini file that you used for installing on the first node to ensure that the same component on all nodes uses the same port number.

    Note that the Oracle Internet Directory ports specified in staticports.ini will not be used by the installer. The installer queries the first Oracle Identity Management installation for the Oracle Internet Directory ports.

  • In the Specify HTTP Load Balancer Host and Ports screen, enter the name of the HTTP virtual server of the load balancer, and the associated port. You also enter the port number for Oracle HTTP Server on this screen.

Follow the steps in Table 9-5.

Table 9-5 Steps for Installing OracleAS Cluster (Identity Management) on Subsequent Nodes

Step 1. Screen: --

Action: Start up the installer and complete the first few screens. See Section 4.27, "Install Fragment: The First Few Screens of the Installation" for details.

Notes:

In the Select Installation Type screen, select Oracle Identity Management.

Step 2. Screen: Select Configuration Options

Action:

Select Oracle Internet Directory.

Select Oracle Application Server Single Sign-On.

Select OracleAS Delegated Administration Services.

Select Oracle Directory Integration Platform.

Do not select Oracle Application Server Certificate Authority (OCA).

Select High Availability and Replication.

Click Next.

Step 3. Screen: Specify Port Configuration Options

Action: Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 9.5.3.1, "Create staticports.ini File".

Click Next.

Step 4. Screen: Specify Repository

Action: Specify the OracleAS Metadata Repository that is registered with the Oracle Internet Directory on the first node.

Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges.

Password: Enter the user's password.

Hostname and Port: Enter the names of all the nodes where the Real Application Clusters database is running, and the port numbers. Use the format:

host1.domain.com:port1, host2.domain.com:port2, ...

Service Name: Enter the service name of the database. Note that the service name must include the database domain name.

Example: orcl.mydomain.com

Click Next.

Step 5. Screen: Warning

Action: This warning reminds you that you are installing this instance as part of an OracleAS Cluster (Identity Management), and that you need to synchronize the clocks on the nodes in the cluster. See Section 9.2.2, "Synchronize Clocks on All Nodes". Click OK.

Step 6. Screen: Specify Existing Oracle Application Server Clusters Name

Action: Specify an existing OracleAS Cluster (Identity Management) for the current instance to join. The cluster was created during a previous identical installation. Note that the cluster name is case-sensitive.

Example: cluster1

Click Next.

Step 7. Screen: Specify ODS Password

Action: Enter the password for the ODS schema in the OracleAS Metadata Repository. The ODS schema is the main schema used by Oracle Internet Directory.

By default, the ODS password is the same as the ias_admin password (the password that you entered in the Specify Instance Name and ias_admin Password screen).

Click Next.

Step 8. Screen: Specify Host and Port for LDAP

Action: The values you enter on this screen are the same as the values you entered when you did the installation on the first node. The installer uses these values to connect to the Oracle Internet Directory on the first node.

Hostname: Enter the LDAP virtual server name of the load balancer. Enter the same virtual server name that you configured on the load balancer.

SSL Port: Enter the port configured on this load balancer to handle LDAP SSL connections.

Click Next.

Step 9. Screen: Warning

Action: This warning reminds you to set up the LDAP virtual server to direct requests to existing OracleAS Cluster (Identity Management) nodes, and then add this node to the LDAP virtual server after installation. See Section 9.2.4, "Configure Your LDAP Virtual Server". Click OK.

Step 10. Screen: Specify Oracle Internet Directory Login

Action: Username: Enter the username to log in to Oracle Internet Directory. You need to log in as the Oracle Internet Directory superuser (cn=orcladmin).

Password: Enter the password for the username.

Realm: Enter the realm against which to validate the username. This field appears only if your Oracle Internet Directory has multiple realms.

Click Next.

Step 11. Screen: Specify HTTP Load Balancer Host and Ports

Action: See Section 9.4, "About Configuring SSL and Non-SSL Ports for Oracle HTTP Server" for details.

The values you enter on this screen are the same as the values you entered when you did the installation on the first node.

HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. Enable SSL: Select this option if you want to configure Oracle HTTP Server for SSL on this port.

HTTP Load Balancer: Hostname: Enter the name of the HTTP virtual server configured on your load balancer. Enter the same virtual server name that you configured on the load balancer.

HTTP Load Balancer: Port: Enter the port for the HTTP virtual server. Enable SSL: Select this option if this port is for SSL communications only.

Click Next.

Step 12. Screen: Specify Instance Name and ias_admin Password

Action: Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 3.4, "Oracle Application Server Instances and Instance Names" for instance name details.

Example: id_mgmt

ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 3.5, "The ias_admin User and Restrictions on its Password" for restrictions on the password.

Example: welcome99

Click Next.

Step 13. Screen: --

Action: Finish the installation. See Section 4.28, "Install Fragment: The Last Few Screens of the Installation" for details.


9.6 Installing a Distributed OracleAS Cluster (Identity Management) Configuration

In this configuration, you need an existing database that is already running in a configuration that is supported by OracleAS RepCA. Oracle recommends running the database in a high availability environment, such as a Real Application Clusters database. This database will contain the OracleAS Metadata Repository.

You also need two nodes to run OracleAS Single Sign-On and Oracle Delegated Administration Services components, and two additional nodes to run Oracle Internet Directory. These nodes are accessed through load balancers. See Figure 9-2.

Oracle Directory Integration Platform Is Started on the First Node Only

The installer starts Oracle Directory Integration Platform only on the first node, even though you selected it on subsequent nodes as well. On subsequent nodes, the installer configures Oracle Directory Integration Platform, but does not start it.

If You Want Oracle Internet Directory to Listen on SSL Ports Only

If you want Oracle Internet Directory to listen on SSL ports only, perform this configuration after you have installed OracleAS Single Sign-On and Oracle Delegated Administration Services. You need Oracle Internet Directory to be listening on both SSL and non-SSL ports when you install OracleAS Single Sign-On and Oracle Delegated Administration Services.

Figure 9-2 Distributed OracleAS Cluster (Identity Management) Configuration



9.6.1 Installation Order

To create a distributed OracleAS Cluster (Identity Management) configuration:

  1. Install OracleAS Metadata Repository in your existing database.

  2. Install Oracle Internet Directory on each node. You run the installer on each node separately.


    Note:

    If you want to configure Oracle Internet Directory to listen on SSL ports only, perform this configuration after you have installed OracleAS Single Sign-On and Oracle Delegated Administration Services. Oracle Internet Directory needs to be listening on both SSL and non-SSL ports when you install OracleAS Single Sign-On and Oracle Delegated Administration Services.

  3. Install OracleAS Single Sign-On and Oracle Delegated Administration Services on each node. You run the installer on each node separately.

  4. Install middle tiers.

9.6.2 Installing OracleAS Metadata Repository

To install the OracleAS Metadata Repository in your existing database, you use the OracleAS RepCA. See the Oracle Application Server Metadata Repository Creation Assistant User's Guide for details.

9.6.3 Installing Oracle Internet Directory on the First Node

You run the installer on each node separately to install the Oracle Identity Management components.

9.6.3.1 Set up staticports.ini File

When installing Oracle Internet Directory on the first node, you do not need a load balancer. You can set up and configure the load balancer later. However, it is recommended that the port numbers used by Oracle Internet Directory and by the load balancer are the same.

To do this, create a staticports.ini file to specify port numbers that you want Oracle Internet Directory to use. Your load balancer will use the same port numbers for LDAP communications. The staticports.ini file should contain these lines:

Oracle Internet Directory port = port_num
Oracle Internet Directory (SSL) port = port_num

9.6.3.2 Select the Same Components for Each Installation

If you are setting up the second node as a failover to the first node, then you must select the same set of components in the Select Configuration Options screen for each installation. For example, if you select Oracle Internet Directory and Oracle Directory Integration Platform on the first node, you need to select them when installing on subsequent nodes.

9.6.3.3 Start the Installer

To install Oracle Internet Directory on the first node, follow the steps in Table 9-6.

To install Oracle Internet Directory on subsequent nodes, see Section 9.6.4, "Installing Oracle Internet Directory on Subsequent Nodes".

Key Points

  • You must select the same components in the Select Configuration Options screen on all nodes. For example, if you select both Oracle Internet Directory and Oracle Directory Integration Platform on the first node, you must select them on subsequent nodes in this tier.

Table 9-6 Steps for Installing Oracle Internet Directory in a Distributed OracleAS Cluster (Identity Management) on the First Node


Screen Action

1.

--

Start up the installer and complete the first few screens. See Section 4.27, "Install Fragment: The First Few Screens of the Installation" for details.

Notes:

In the Select Installation Type screen, select Oracle Identity Management.

2.

Select Configuration Options

Select Oracle Internet Directory.

Do not select Oracle Application Server Single Sign-On.

Do not select OracleAS Delegated Administration Services.

Select Oracle Directory Integration Platform if you need this component.

Do not select Oracle Application Server Certificate Authority (OCA).

Select High Availability and Replication.

Click Next.

3.

Specify Port Configuration Options

Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 9.6.3.1, "Set up staticports.ini File".

Click Next.

4.

Specify Repository

When you install on the first node, you need to specify an OracleAS Metadata Repository that is not already registered with an Oracle Internet Directory. When you install on subsequent nodes, the OracleAS Metadata Repository is already registered with the Oracle Internet Directory on the first node.

Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges.

Password: Enter the user's password.

Hostname and Port: Enter the name of the computer where the database is running, and the port number at which it is listening. Use the format: host:port.

Service Name: Enter the service name of the database. Note that the service name must include the database domain name.

Example: orcl.mydomain.com

Click Next.

5.

Select High Availability or Replication Option

Select OracleAS Cluster (Identity Management), and click Next.

6.

Specify Namespace in Internet Directory

Select the suggested namespace, or enter a custom namespace for the location of the default Oracle Identity Management realm.

Ensure the value shown in Suggested Namespace meets your deployment needs. If not, enter the desired value in Custom Namespace. See Section 4.16, "What Do I Enter in the "Specify Namespace in Internet Directory" Screen?".

Click Next.

7.

Specify Instance Name and ias_admin Password

Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 3.4, "Oracle Application Server Instances and Instance Names" for instance name details.

Example: oid_das

ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 3.5, "The ias_admin User and Restrictions on its Password" for restrictions on the password.

Example: welcome99

Click Next.

8.

--

Finish the installation. See Section 4.28, "Install Fragment: The Last Few Screens of the Installation" for details.


9.6.4 Installing Oracle Internet Directory on Subsequent Nodes

Before performing the steps in this section, you must have installed Oracle Internet Directory on the first node as described in Section 9.6.3, "Installing Oracle Internet Directory on the First Node".

9.6.4.1 Staticports.ini File Not Needed

You do not need a staticports.ini file for this installation because the installer will configure this Oracle Internet Directory to use the same ports as the Oracle Internet Directory on the first node.

The Oracle Internet Directory on the first node must be up and running.

9.6.4.2 Select the Same Components for Each Installation

If you are setting up the second node as a failover to the first node, then you must select the same set of components in the Select Configuration Options screen for each installation. For example, if you select OracleAS Single Sign-On and Oracle Delegated Administration Services on the first node, you need to select them when installing on subsequent nodes.

9.6.4.3 Start the Installer

To install Oracle Internet Directory on subsequent nodes, follow these steps:

Table 9-7 Steps for Installing Oracle Internet Directory in a Distributed OracleAS Cluster (Identity Management) on Subsequent Nodes


Screen Action

1.

--

Start up the installer and complete the first few screens. See Section 4.27, "Install Fragment: The First Few Screens of the Installation" for details.

Notes:

In the Select Installation Type screen, select Oracle Identity Management.

2.

Select Configuration Options

Select Oracle Internet Directory.

Do not select Oracle Application Server Single Sign-On.

Do not select OracleAS Delegated Administration Services.

Select Oracle Directory Integration Platform if you need this component.

Do not select Oracle Application Server Certificate Authority (OCA).

Select High Availability and Replication.

Click Next.

3.

Specify Port Configuration Options

Select Automatic. The installer configures Oracle Internet Directory to use the same ports as the Oracle Internet Directory on the first node.

Click Next.

4.

Specify Repository

Enter the same connect information that you entered for the first Oracle Internet Directory.

Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges.

Password: Enter the user's password.

Hostname and Port: Enter the name of the computer where the database is running, and the port number at which it is listening. Use the format: host:port.

Service Name: Enter the service name of the database. Note that the service name must include the database domain name.

Example: orcl.mydomain.com

Click Next.

5.

Warning

This warning reminds you that you are installing this instance as part of an OracleAS Cluster (Identity Management), and that you need to synchronize the clocks on the nodes in the cluster. See Section 9.2.2, "Synchronize Clocks on All Nodes". Click OK.

6.

Specify ODS Password

Enter the password for the ODS schema in the OracleAS Metadata Repository. The ODS schema is the main schema used by Oracle Internet Directory.

By default, the ODS password is the same as the ias_admin password (the password that you entered in the Specify Instance Name and ias_admin Password screen).

Click Next.

7.

Specify Oracle Internet Directory Login

Username: Enter the username to log in to the first Oracle Internet Directory. You must log in as the Oracle Internet Directory superuser (cn=orcladmin).

Password: Enter the password for the username.

Realm: Enter the realm against which to validate the username. This field appears only if your Oracle Internet Directory has multiple realms.

Click Next.

8.

Specify Instance Name and ias_admin Password

Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 3.4, "Oracle Application Server Instances and Instance Names" for instance name details.

Example: oid_das

ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 3.5, "The ias_admin User and Restrictions on its Password" for restrictions on the password.

Example: welcome99

Click Next.


9.6.5 Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on Each Node

You run the installer on each node separately to install these Oracle Identity Management components.

9.6.5.1 Set up staticports.ini File

If you want to use custom ports for components other than Oracle HTTP Server, you need to create a staticports.ini file for this installation.

If you want custom ports for Oracle HTTP Server, you specify them in the "Specify HTTP Load Balancer Host and Listen Ports" screen.

If you specify Oracle HTTP Server ports both in the staticports.ini file and in the screen mentioned above, the ports specified in the screen take precedence.

To avoid specifying Oracle HTTP Server ports in the staticports.ini file, make sure the file does not contain these lines:

Oracle HTTP Server port = port_num
Oracle HTTP Server Listen port = port_num
Oracle HTTP Server SSL port = port_num
Oracle HTTP Server Listen (SSL) port = port_num

If you have a staticports.ini file, you should also use the same file for installations on subsequent nodes.

9.6.5.2 Start the Installer

Key Points

  • In the Specify OracleAS Cluster screen, for the first node, select Create a New Cluster. For the second node, select Join an Existing Cluster to join the cluster that you created when installing on the first node.

  • In the Specify HTTP Load Balancer Host and Ports screen, enter the name of the HTTP virtual server of the load balancer, and the associated port. You also enter the port number for Oracle HTTP Server on this screen.

  • Also in the Specify HTTP Load Balancer Host and Ports screen, you need to specify the same HTTP virtual server name and port number for all nodes. However, you can specify different port numbers for Oracle HTTP Server on each node, as long as your load balancer is configured to communicate with the specified port on that node.

Table 9-8 Steps for Installing Oracle Delegated Administration Services and OracleAS Single Sign-On in a Distributed OracleAS Cluster (Identity Management) Configuration


Screen Action

1.

--

Start up the installer and complete the first few screens. See Section 4.27, "Install Fragment: The First Few Screens of the Installation" for details.

Notes:

In the Select Installation Type screen, select Oracle Identity Management.

2.

Select Configuration Options

Do not select Oracle Internet Directory.

Select Oracle Application Server Single Sign-On.

Select OracleAS Delegated Administration Services.

Select Oracle Directory Integration Platform if you need this component.

Do not select Oracle Application Server Certificate Authority (OCA).

Select High Availability and Replication.

Click Next.

3.

Specify Port Configuration Options

Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 9.6.5.1, "Set up staticports.ini File".

Click Next.

4.

Select High Availability Option

Select OracleAS Cluster (Identity Management), and click Next.

5.

Create or Join an OracleAS Cluster (Identity Management)

For the first node, select Create a New OracleAS Cluster.

For subsequent nodes, select Join an Existing Cluster.

Click Next.

6.

Specify New OracleAS Cluster Name

- or -

Specify Existing OracleAS Cluster Name

For the first node, enter a name for a new OracleAS Cluster (Identity Management).

Example: cluster1

For subsequent nodes, enter the name of the existing OracleAS Cluster (Identity Management). Note: Be very sure that the cluster name you enter is correct. The installer does not perform any checks on this name. If the name is incorrect, the installation will fail.

Click Next.

7.

Specify Host and Port for LDAP

The installer will use the values on this screen to connect to Oracle Internet Directory.

Hostname: Enter the LDAP virtual server name of the load balancer. Enter the same virtual server name that you configured on the load balancer.

SSL Port: Enter the port configured on this load balancer to handle LDAP SSL connections.

Click Next.

8.

Specify Oracle Internet Directory Login

Username: Enter the username to log in to Oracle Internet Directory, accessed through the load balancer host and port specified in the previous screen.

Log in as the Oracle Internet Directory superuser (cn=orcladmin), or as a user who belongs to the necessary groups in Oracle Internet Directory. Which groups are necessary depends on which components you are installing. See Section 5.3, "Groups Required to Configure or Deinstall Components" for details.

Password: Enter the password for the username.

Realm: Enter the realm against which to validate the username. This field appears only if your Oracle Internet Directory has multiple realms.

Click Next.

9.

Specify HTTP Load Balancer Host and Ports

See Section 9.4, "About Configuring SSL and Non-SSL Ports for Oracle HTTP Server" for details.

The values entered on this screen should be the same for every node.

HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. Enable SSL: Select this option if you want to configure Oracle HTTP Server for SSL on this port.

HTTP Load Balancer: Hostname: Enter the name of the HTTP virtual server configured on your load balancer. Enter the same virtual server name that you configured on the load balancer.

HTTP Load Balancer: Port: Enter the port for the HTTP virtual server. Enable SSL: Select this option if this port is for SSL communications only.

Click Next.

10.

Specify Instance Name and ias_admin Password

Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 3.4, "Oracle Application Server Instances and Instance Names" for instance name details.

Example: das_sso

ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 3.5, "The ias_admin User and Restrictions on its Password" for restrictions on the password.

Example: welcome99

Click Next.

11.

--

Finish the installation. See Section 4.28, "Install Fragment: The Last Few Screens of the Installation" for details.


9.7 Post-Installation Steps

After installing Oracle Identity Management components on all nodes, reconfigure your load balancer to direct requests to all nodes. Before you started the installation, you had configured the load balancer to direct requests to node 1 only. See Section 9.2.4, "Configure Your LDAP Virtual Server".

This section contains the following post-installation steps:

9.7.1 Cluster the OC4J_Security Instance for State Replication (First Oracle Delegated Administration Services node only)

To ensure that Oracle Application Server maintains the state of stateful Web applications across a DCM-Managed OracleAS Cluster, you need to configure state replication for the Web applications. Configure state replication only on the first node where Oracle Delegated Administration Services is installed.

To configure state replication for the OC4J_Security instance, do the following:

  1. Using the Application Server Control Console, navigate to the Application Server Home page for the instance that contains Oracle Delegated Administration Services.

  2. Select the OC4J_SECURITY link on the Application Server Home page.

  3. Select the Administration link on the OC4J Home Page.

  4. Select the Replication Properties link in the Instance Properties area.

  5. Scroll down to the Web Applications section. Figure 9-3 shows this section.

    Figure 9-3 Web State Replication Configuration


  6. Select the Replicate session state checkbox.

    Optionally, you can provide the multicast host IP address and port number. If you do not provide the host and port for the multicast address, it defaults to host IP address 230.230.0.1 and port number 9127. The host IP address must be between 224.0.0.2 and 239.255.255.255. Do not use the same multicast address for both HTTP and EJB multicast addresses.


    Note:

    When choosing a multicast address, ensure that the address does not collide with the addresses listed in:

    http://www.iana.org/assignments/multicast-addresses

    Also, if the low-order 23 bits of an address match those of an address in the local network control block, 224.0.0.0 – 224.0.0.255, a collision may occur. To avoid this problem, choose an address whose lower 23 bits do not match those of any address in this range.
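The following Python function is an added example (not part of this guide) that applies the two checks from the note above to a candidate multicast host and port before you enter them in the Replication Properties page: the allowed address range, and the low-order 23-bit collision with the 224.0.0.0/24 control block. It does not consult the IANA registry linked above; all sample addresses below are constructed.

```python
import ipaddress

# Address range the text allows for the multicast host.
MULTICAST_LOW = ipaddress.IPv4Address("224.0.0.2")
MULTICAST_HIGH = ipaddress.IPv4Address("239.255.255.255")
# Default used when no host and port are supplied (from the text).
DEFAULT_HTTP_MULTICAST = ("230.230.0.1", 9127)

# Only the low-order 23 bits of an IPv4 multicast address survive the mapping
# to an Ethernet multicast MAC, so two addresses that agree in those bits share
# one MAC. The local network control block 224.0.0.0-224.0.0.255 occupies the
# low-23-bit values 0..255; any other address with those low bits collides.
LOW23_MASK = 0x7FFFFF
CONTROL_BLOCK_MAX_LOW23 = 0xFF


def low23_collides_with_control_block(addr: ipaddress.IPv4Address) -> bool:
    """True if addr shares its low-order 23 bits with a 224.0.0.x address."""
    return (int(addr) & LOW23_MASK) <= CONTROL_BLOCK_MAX_LOW23


def check_multicast_address(host: str, port: int, ejb_address=None) -> list:
    """Return a list of problems with (host, port); empty means acceptable.

    ejb_address is the (host, port) already used for EJB replication, if any,
    so that the same multicast address is not reused for HTTP replication.
    """
    problems = []
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return ["not a valid IPv4 address"]
    if not MULTICAST_LOW <= addr <= MULTICAST_HIGH:
        problems.append("outside 224.0.0.2-239.255.255.255")
    if low23_collides_with_control_block(addr):
        problems.append("low 23 bits collide with 224.0.0.0/24 (shared MAC)")
    if not 1 <= port <= 65535:
        problems.append("port out of range")
    if ejb_address is not None and (host, port) == tuple(ejb_address):
        problems.append("same multicast address as EJB replication")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the guide's default, a subtle collider, and a
    # control-block address that fails both checks.
    for cand in [DEFAULT_HTTP_MULTICAST, ("239.128.0.10", 9127), ("224.0.0.1", 9127)]:
        print(cand, check_multicast_address(*cand) or "ok")
```

Note that 239.128.0.10 looks harmless but has the same low 23 bits as 224.0.0.10, so it maps to the same Ethernet MAC as a control-block address.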


9.7.2 Changing the Ports for Oracle Internet Directory

Although it is recommended that the ports for the LDAP virtual server and the Oracle Internet Directory are the same, it is possible for the ports to be different.

See the section "Changing Oracle Internet Directory Ports" in the Oracle Application Server Administrator's Guide for details on changing the Oracle Internet Directory ports.

9.7.3 Update targets.xml (Case 2 only)

The following configuration steps are needed only in the installation scenario described in Section 9.4.2, "Case 2: Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server".

In this case the oracle_sso_server entry in the targets.xml file, on each physical host of the cluster, must be reconfigured to monitor the local SSL port.


Note:

Keep in mind that the hostname should remain the same. Please do not change the hostname.


Perform the following steps to update targets.xml on each node of the cluster:

  1. Back up the targets.xml file:

    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.BACKUP

  2. Open the file and find the oracle_sso_server target type. Within this target entry, locate and edit the following two attributes:

    • HTTPPort - the server SSL port number

    • HTTPProtocol - the server protocol, which in this case is HTTPS

      For example, you could update the two attributes this way:

      <Property NAME="HTTPPort" VALUE="4443"/>
      <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
      
      
  3. Save and close the file.

  4. Reload the OracleAS console:

    ORACLE_HOME/bin/emctl reload
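The script below is an added example (not Oracle's own tooling) that performs steps 1 to 3 above: it backs up targets.xml, changes only the HTTPPort and HTTPProtocol properties of the oracle_sso_server target, and leaves every other target and property, including the hostname, untouched. The sample targets.xml content and the HostName property name in it are constructed placeholders; only HTTPPort and HTTPProtocol are taken from the text. Running emctl reload afterwards (step 4) is still a manual step.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; a real ORACLE_HOME/sysman/emd/targets.xml contains more
# targets and properties. "HostName" is a placeholder property name.
SAMPLE_TARGETS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Targets>
  <Target TYPE="oracle_sso_server" NAME="idm1_sso">
    <Property NAME="HostName" VALUE="idm1.example.com"/>
    <Property NAME="HTTPPort" VALUE="7777"/>
    <Property NAME="HTTPProtocol" VALUE="HTTP"/>
  </Target>
  <Target TYPE="oracle_apache" NAME="HTTP_Server">
    <Property NAME="HTTPPort" VALUE="7777"/>
  </Target>
</Targets>
"""


def load_sample() -> ET.ElementTree:
    return ET.ElementTree(ET.fromstring(SAMPLE_TARGETS_XML))


def target_properties(tree: ET.ElementTree, target_type: str) -> dict:
    """Return {NAME: VALUE} for the first target of the given TYPE."""
    for target in tree.getroot().iter("Target"):
        if target.get("TYPE") == target_type:
            return {p.get("NAME"): p.get("VALUE") for p in target.findall("Property")}
    return {}


def update_sso_target(tree: ET.ElementTree, ssl_port: int) -> int:
    """Point every oracle_sso_server target at the local SSL port over HTTPS.

    Only HTTPPort and HTTPProtocol are touched; the hostname stays as is.
    Returns the number of targets updated.
    """
    updated = 0
    for target in tree.getroot().iter("Target"):
        if target.get("TYPE") != "oracle_sso_server":
            continue  # e.g. oracle_apache keeps its own port
        props = {p.get("NAME"): p for p in target.findall("Property")}
        for name, value in (("HTTPPort", str(ssl_port)), ("HTTPProtocol", "HTTPS")):
            if name in props:
                props[name].set("VALUE", value)
            else:
                ET.SubElement(target, "Property", NAME=name, VALUE=value)
        updated += 1
    return updated


def update_targets_file(path: str, ssl_port: int) -> int:
    """Back up path to path.BACKUP (step 1), then rewrite it (steps 2 and 3)."""
    shutil.copy2(path, path + ".BACKUP")
    tree = ET.parse(path)
    updated = update_sso_target(tree, ssl_port)
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return updated


def demo_on_temp_copy(ssl_port: int = 4443) -> tuple:
    """Run the file-based update on a temp copy of the sample; returns
    (targets_updated, backup_exists, new_sso_port, unchanged_apache_port)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "targets.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_TARGETS_XML)
        n = update_targets_file(path, ssl_port)
        tree = ET.parse(path)
        return (n, os.path.exists(path + ".BACKUP"),
                target_properties(tree, "oracle_sso_server")["HTTPPort"],
                target_properties(tree, "oracle_apache")["HTTPPort"])
```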

9.8 Installing Middle Tiers Against OracleAS Cluster (Identity Management) Configurations

Pre-Installation

Before starting the middle-tier installation, configure the LDAP load balancer that you are using for Oracle Internet Directory so that it points to only one Oracle Internet Directory node.

Installation

When installing middle tiers against OracleAS Cluster (Identity Management) configurations, follow the steps for middle tier installation described in Oracle Application Server Installation Guide for the middle tier release you are using.

When the installer prompts for the Oracle Internet Directory host and port, enter the LDAP virtual host name configured on the load balancer and the associated port.

Post-Installation

After installing the middle tiers, you can reconfigure the LDAP load balancer to point to all the Oracle Internet Directory nodes.