4 Installing and Configuring OID and OVD

This chapter describes how to install and configure Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) in the enterprise deployment.

This chapter includes the following topics:

Section 4.1, "Directory Tier Considerations"

Section 4.2, "Database Prerequisites"

Section 4.3, "Installing and Configuring the Database Repository"

Section 4.4, "Executing the Repository Creation Utility"

Section 4.5, "Installing the Oracle Internet Directory Instances"

Section 4.6, "Installing the Oracle Virtual Directory Instances"

Section 4.7, "Validating the Directory Tier Components"

Section 4.8, "Backing Up the Directory Tier Configuration"

4.1 Directory Tier Considerations

Using these naming conventions will simplify the installation and maintenance of the enterprise deployment:

  • Use the same path for the Oracle home directory. For all the nodes that will be running Oracle Identity Management components, use the same full path for the Oracle home.

  • Table 4-1 shows the names used in database configuration examples in this guide:

    Table 4-1 Values Used for Database Configuration Examples in This Manual

    Parameter        Value
    ---------------  --------------------
    DB_NAME          idmdb
    INSTANCE_NAMES   idmdb1, idmdb2
    SERVICE_NAME     idmedg.mycompany.com


4.1.1 Directory Services-only Topologies

The topology shown in Figure 1-1 and discussed in this document represents a common deployment. However, customers may have different topology requirements. In some cases, only a subset of the components is needed. In other cases, certain components can be replaced by others.

Some customers may be interested in only deploying a directory services topology. See the following sections for more information about an Oracle Virtual Directory-only topology and an Oracle Internet Directory-only topology.

4.1.1.1 Oracle Virtual Directory-only Topology

For an Oracle Virtual Directory-only topology, do not install Oracle Internet Directory in the directory tier. Because Oracle Virtual Directory relies on Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager, the Administration Server for Oracle Enterprise manager and the WebLogic Server Managed Server for Oracle Directory Services Manager are required.

4.1.1.2 Oracle Internet Directory-only Topology

For an Oracle Internet Directory-only deployment, you can choose to deploy Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager by deploying the corresponding Administration Server and WebLogic Server Managed Server, respectively. This will create a WebLogic Server domain as the administrative domain for the Oracle Internet Directory instances.

For Oracle Internet Directory, the installer also offers a no-domain installation, meaning that a WebLogic Server domain will not be created. As a result, a no-domain Oracle Internet Directory installation will result in Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager not being deployed. This type of deployment is for customers who are familiar with managing Oracle Internet Directory through the command line and through LDAP commands. This deployment provides a leaner footprint for those interested in having just an LDAP server without the administration consoles.

For those interested in having Oracle Directory Integration Platform as an LDAP synchronization solution, the administration console should be deployed. The WebLogic Server Managed Server will be used for the Oracle Directory Integration Platform J2EE application as shown in the EDG topology in Figure 1-1.

4.2 Database Prerequisites

Before you begin to install and configure the directory tier components, you must perform these steps:

Database versions supported

  • Oracle Database 10g Release 2 (10.2.0.4 or higher)

  • Oracle Database 11g Release 1 (11.1.0.7 or higher)

To determine the database version, execute this query:

SQL>select version from sys.product_component_version where product like 'Oracle%';

4.3 Installing and Configuring the Database Repository

Oracle Clusterware

  • For 10g Release 2 (10.2), see the Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide.

  • For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.

Automatic Storage Management

  • For 10g Release 2 (10.2), see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide.

  • For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.

  • When you run the installer, select the Configure Automatic Storage Management option in the Select Configuration page to create a separate Automatic Storage Management home.

Oracle Real Application Clusters

4.3.1 Configuring the Database for Oracle Fusion Middleware 11g Metadata

Initialization Parameters

Update the following initialization parameters to the values shown below. These values are checked by the Repository Creation Utility (RCU). If these initialization parameters are not set to the values shown below, RCU will fail:

  • processes: 500

  • open_cursors: 500

  • session_cached_cursors: 100

To check the values, you can use the SHOW PARAMETER command in SQL*Plus:

prompt> sqlplus "sys/password as sysdba"
SQL> SHOW PARAMETER processes

One common method of changing the parameter value is to use a command similar to the following and then stop and restart the database to make the parameter take effect:

prompt> sqlplus "sys/password as sysdba"
SQL> ALTER SYSTEM SET PROCESSES=500 SCOPE=SPFILE;

The method that you use to change a parameter's value depends on whether the parameter is static or dynamic, and on whether your database uses a parameter file or a server parameter file. See the Oracle Database Administrator's Guide for details on parameter files, server parameter files, and how to change parameter values.
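
The following script is an added example, not part of the guide or of any Oracle tool: it reads SQL*Plus SHOW PARAMETER output and reports any of the three parameters that falls short of the value the guide lists, so the check can be run before RCU is started rather than discovered as an RCU failure. The sample output is constructed; the assumption that a value at or above the listed one passes is the example's, not the guide's.

```shell
#!/bin/sh
# Added example (not from the guide): compare SQL*Plus SHOW PARAMETER output
# with the values the guide says RCU checks. Assumption: a value at or above
# the listed one passes, anything below fails.

# Constructed sample of "SHOW PARAMETER" output, as SQL*Plus prints it.
SAMPLE_SHOW_PARAMETER='NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
open_cursors                         integer     300
processes                            integer     500
session_cached_cursors               integer     50'

# Value the guide lists for a parameter; empty for parameters RCU does not check.
required_value() {
  case "$1" in
    processes)              echo 500 ;;
    open_cursors)           echo 500 ;;
    session_cached_cursors) echo 100 ;;
    *)                      echo "" ;;
  esac
}

# check_init_params OUTPUT
# Prints one line per parameter below its required value and returns 1 if
# any was found; returns 0 when all three parameters are acceptable.
check_init_params() {
  status=0
  while read -r name _type value; do
    req=$(required_value "$name")
    [ -n "$req" ] || continue               # header, separator, other params
    case "$value" in
      ''|*[!0-9]*)
        echo "$name: value '$value' is not an integer"
        status=1
        continue ;;
    esac
    if [ "$value" -lt "$req" ]; then
      echo "$name: $value < $req (RCU will fail)"
      status=1
    fi
  done <<EOF
$1
EOF
  return $status
}

# Stand-alone run: report the constructed sample.
check_init_params "$SAMPLE_SHOW_PARAMETER" || echo "raise the parameters above before running RCU"
```

To use it against a real database, capture the output of SHOW PARAMETER for the three parameters into a variable or file and pass it in place of the sample; the function only looks at the first and third whitespace-separated columns, so the exact column widths do not matter.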

Database Services

Oracle recommends using the Oracle Enterprise Manager Cluster Managed Services Page to create database services that client applications will use to connect to the database. For complete instructions on creating database services, see the chapter on Workload Management in the Oracle Real Application Clusters Administration and Deployment Guide.

You can also use SQL*Plus to configure your RAC database to automate failover for Oracle Internet Directory using the following instructions. Note that each of the following commands only has to be run on one node in the cluster:

  1. Use the CREATE_SERVICE subprogram to create the database service, enable high-availability notification, and configure server-side Transparent Application Failover (TAF) settings:

    prompt> sqlplus "sys/password as sysdba"
    
    SQL> EXECUTE DBMS_SERVICE.CREATE_SERVICE
    (SERVICE_NAME => 'idmedg.mycompany.com',
    NETWORK_NAME => 'idmedg.mycompany.com',
    AQ_HA_NOTIFICATIONS => TRUE, 
    FAILOVER_METHOD => DBMS_SERVICE.FAILOVER_METHOD_BASIC, 
    FAILOVER_TYPE => DBMS_SERVICE.FAILOVER_TYPE_SELECT, 
    FAILOVER_RETRIES => 5, FAILOVER_DELAY => 5);
    

    The EXECUTE DBMS_SERVICE command above must be entered on a single line to execute properly.

  2. Add the service to the database and assign it to the instances using srvctl:

    prompt> srvctl add service -d idmdb -s idmedg -r idmdb1,idmdb2
    
  3. Start the service using srvctl:

    prompt> srvctl start service -d idmdb -s  idmedg
    

    Note:

    For more information about the SRVCTL command, see the Oracle Real Application Clusters Administration and Deployment Guide.

If you already have a service created in the database, make sure that it is enabled for high-availability notifications and configured with the proper server-side Transparent Application Failover (TAF) settings. Use the DBMS_SERVICE package to modify the service: set the AQ_HA_NOTIFICATIONS attribute to TRUE so that high-availability notifications are sent through Advanced Queuing (AQ), and configure the server-side TAF settings, as shown below:

prompt> sqlplus "sys/password as sysdba"

SQL> EXECUTE DBMS_SERVICE.MODIFY_SERVICE
(SERVICE_NAME => 'idmedg.mycompany.com',
AQ_HA_NOTIFICATIONS => TRUE,
FAILOVER_METHOD => DBMS_SERVICE.FAILOVER_METHOD_BASIC, 
FAILOVER_TYPE => DBMS_SERVICE.FAILOVER_TYPE_SELECT, 
FAILOVER_RETRIES => 5, FAILOVER_DELAY => 5);

The EXECUTE DBMS_SERVICE command above must be entered on a single line to execute properly.

Note:

For more information about the DBMS_SERVICE package, see the Oracle Database PL/SQL Packages and Types Reference.

Verifying Transparent Application Failover

This section describes how to validate the Transparent Application Failover (TAF) configuration settings made earlier.

After the Oracle Internet Directory process has been started, you can query the FAILOVER_TYPE, FAILOVER_METHOD, and FAILED_OVER columns in the V$SESSION view to obtain information about connected clients and their TAF status.

For example, use the following SQL statement to verify that TAF is correctly configured:

SELECT MACHINE, FAILOVER_TYPE, FAILOVER_METHOD, FAILED_OVER, COUNT(*)
FROM V$SESSION
GROUP BY MACHINE, FAILOVER_TYPE, FAILOVER_METHOD, FAILED_OVER;

The output before failover is similar to this:

MACHINE              FAILOVER_TYPE FAILOVER_M  FAI   COUNT(*)
-------------------- ------------- ---------- ---- ----------
oidhost1             SELECT        BASIC       NO          11
oidhost1             SELECT        BASIC       NO           1

The output after failover is similar to this:

MACHINE              FAILOVER_TYPE FAILOVER_M  FAI   COUNT(*)
-------------------- ------------- ---------- ---- ----------
oidhost2             SELECT        BASIC       NO          11
oidhost2             SELECT        BASIC       NO           1
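
Reading the query output by eye works for a handful of rows; the script below is an added example (not from the guide) that checks it mechanically: every session group should show FAILOVER_TYPE SELECT and FAILOVER_METHOD BASIC, which are the values CREATE_SERVICE or MODIFY_SERVICE set above, and any group that does not is reported. The sample output is constructed and includes one group of sessions that connected without TAF (shown with NONE, the value V$SESSION reports when no failover is configured) and one group that has already failed over; the two-line SQL*Plus header and the column order of the guide's query are assumed.

```shell
#!/bin/sh
# Added example (not from the guide): check the output of the guide's
# V$SESSION query for sessions that are not covered by server-side TAF.
# Assumption: SQL*Plus prints the two header lines shown in the guide and
# the five columns in the query's order.

# Constructed query output: one group of sessions without TAF, and one
# group that has already failed over.
SAMPLE_TAF_OUTPUT='MACHINE              FAILOVER_TYPE FAILOVER_M  FAI   COUNT(*)
-------------------- ------------- ---------- ---- ----------
oidhost1             SELECT        BASIC       NO          11
oidhost1             NONE          NONE        NO           2
oidhost2             SELECT        BASIC       YES          1'

# check_taf_sessions OUTPUT: prints a line per group whose FAILOVER_TYPE is
# not SELECT or whose FAILOVER_METHOD is not BASIC; returns 1 if any exist.
check_taf_sessions() {
  printf '%s\n' "$1" | awk '
    NR <= 2 || NF < 5 { next }            # header, separator, blank lines
    $2 != "SELECT" || $3 != "BASIC" {
      printf "%s: %s sessions without TAF (type=%s method=%s)\n", $1, $5, $2, $3
      bad += $5
    }
    END { exit (bad ? 1 : 0) }'
}

# failed_over_sessions OUTPUT: total sessions whose FAILED_OVER column is YES.
failed_over_sessions() {
  printf '%s\n' "$1" | awk 'NR > 2 && NF >= 5 && $4 == "YES" { n += $5 } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
check_taf_sessions "$SAMPLE_TAF_OUTPUT" || echo "some sessions lack TAF settings"
echo "sessions that have failed over: $(failed_over_sessions "$SAMPLE_TAF_OUTPUT")"
```

A non-zero exit from check_taf_sessions after the service has been modified usually means the client connected before the change took effect and needs to reconnect, or that it is using a connect descriptor that does not name the service.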

4.4 Executing the Repository Creation Utility

The Repository Creation Utility (RCU) ships on its own CD as part of the Oracle Fusion Middleware 11g kit.

You run RCU to create the collection of schemas used by Identity Management and Management Services.

  1. Issue this command:

    prompt> RCU_HOME/bin/rcu &
    
  2. On the Welcome screen, click Next.

  3. On the Create Repository screen, select the Create operation to load component schemas into an existing database. Then click Next.

  4. On the Database Connection Details screen, enter connection information for the existing database as follows:

    Database Type: Oracle Database

    Host Name: Name of the computer on which the database is running. For a RAC Database, specify the VIP name or one node name. Example: INFRADBHOST1-VIP or INFRADBHOST2-VIP

    Port: The port number for the database. Example: 1521

    Service Name: The service name of the database. Example: idmedg.mycompany.com

    Username: SYS

    Password: The SYS user password

    Role: SYSDBA

    Click Next.

  5. On the Select Components screen, create a new prefix and select the components to be associated with this deployment:

    Create a New Prefix: edgidm (Entering a prefix is optional if you select only Identity Management (Oracle Internet Directory - ODS) in the Components field)

    Components: Select Identity Management (Oracle Internet Directory - ODS). De-select all other schemas.

    Click Next.

  6. On the Schema Passwords screen, enter the passwords for the main and additional (auxiliary) schema users and click Next.

  7. On the Map Tablespaces screen, select the tablespaces for the components.

  8. On the Summary screen, click Create.

  9. On the Completion Summary screen, click Close.

4.5 Installing the Oracle Internet Directory Instances

This section describes how to install the Oracle Internet Directory components (OIDHOST1 and OIDHOST2) on the directory tier with the Metadata Repository. The procedures for the installations are very similar, but the selections in the configuration options screen differ.

4.5.1 Synchronizing the Time on Oracle Internet Directory Nodes

Before setting up Oracle Internet Directory in a high availability environment, you must ensure that the time on the individual Oracle Internet Directory nodes is synchronized.

Synchronize the time on all nodes using Greenwich Mean Time so that there is a discrepancy of no more than 250 seconds between them.

If OID Monitor detects a time discrepancy of more than 250 seconds between the two nodes, the OID Monitor on the node that is behind stops all servers on its node. To correct this problem, synchronize the time on the node that is behind in time. The OID Monitor automatically detects the change in the system time and starts the Oracle Internet Directory servers on its node.

4.5.2 Installing the First Oracle Internet Directory

Follow these steps to install the 11.1.1.1.0 Oracle Internet Directory on OIDHOST1:

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management manual in the Oracle Fusion Middleware documentation library for the platform and version you are using.

  2. If you plan on provisioning the Oracle Internet Directory Instance on shared storage, ensure that the appropriate shared storage volumes are mounted on OIDHOST1 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."

  3. Ensure that ports 389 and 636 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "389"
    netstat -an | grep "636"
    

    If the ports are in use (if the command returns output identifying the port), you must free them.

    On UNIX:

    Remove the entries for ports 389 and 636 in the /etc/services file and restart the services, or restart the computer.

  4. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  5. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    # The non-SSL port for Oracle Internet Directory
    Oracle Internet Directory port = 389
    # The SSL port for Oracle Internet Directory
    Oracle Internet Directory (SSL) port = 636
    
  6. Start the Oracle Identity Management 11g Installer as follows:

    On UNIX, issue this command: runInstaller

    The runInstaller file is in the ../install/platform directory where platform is a platform such as Linux or Solaris.

    The Specify Oracle Inventory screen is displayed.

  7. On the Specify Inventory Directory screen, enter values for the Oracle Inventory Directory and the Operating System Group Name. For example:

    • Specify the Inventory Directory: /u01/app/oraInventory

    • Operating System Group Name: oinstall

      A dialog box appears with the following message:

      "Certain actions need to be performed with root privileges before the install can continue. Please execute the script /u01/app/oraInventory/createCentralInventory.sh now from another window and then press "Ok" to continue the install. If you do not have the root privileges and wish to continue the install select the "Continue installation with local inventory" option"

      Log in as root and run the "/u01/app/oraInventory/createCentralInventory.sh"

      This sets the required permissions for the Oracle Inventory Directory and then brings up the Welcome screen.

      Note:

      The Oracle Inventory screen is not shown if an Oracle product was previously installed on the host. If the Oracle Inventory screen is not displayed for this installation, check that:

      1. The /etc/oraInst.loc file exists.

      2. If the file exists, the Inventory directory it lists is valid.

      3. The user performing the installation has write permissions for the Inventory directory.

  8. On the Welcome screen, click Next.

  9. On the Select Installation Type screen, select Install and Configure and then click Next.

  10. On the Prerequisite Checks screen, the installer completes the prerequisite check. If any fail, please fix them and restart your installation.

    Click Next.

  11. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  12. On the Specify Installation Location screen, specify the following values:

    • Oracle Home Location:

      /u01/app/oracle/product/fmw/idm
      
    • Oracle Instance Location:

      /u01/app/oracle/admin/oid_inst1
      
    • Oracle Instance Name: oid_inst1

      Note:

      Ensure that the Oracle Home Location directory path for OIDHOST1 is the same as the Oracle Home Location path for OIDHOST2. For example, if the Oracle Home Location directory path for OIDHOST1 is:

      /u01/app/oracle/product/fmw/idm

      then the Oracle Home Location directory path for OIDHOST2 must be:

      /u01/app/oracle/product/fmw/idm

    Click Next.

  13. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  14. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and then click Next.

  15. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  16. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String:

      infradbhost1-vip.mycompany.com:1521:idmdb1^infradbhost2-vip.mycompany.com:1521:idmdb2@idmedg.mycompany.com
      

      Note:

      The RAC database connect string information needs to be provided in the format host1:port1:instance1^host2:port2:instance2@servicename.

      During this installation, it is not required for all the RAC instances to be up. If one RAC instance is up, the installation can proceed.

      It is required that the information provided above is complete and accurate. Specifically, the correct host, port, and instance name must be provided for each RAC instance, and the service name provided must be configured for all the specified RAC instances.

      Any incorrect information entered in the RAC database connect string has to be corrected manually after the installation.

    • User Name: ODS

    • Password: ******

    Click Next.

  17. On the Configure OID screen, specify the Realm and enter the Administrator (cn=orcladmin) password and click Next.

  18. On the Installation Summary screen, review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

  19. On the Installation Progress screen on UNIX systems, a dialog box appears that prompts you to run the oracleRoot.sh script. Open a window and run the script, following the prompts in the window.

    Click OK.

  20. On the Configuration screen, multiple configuration assistants are launched in succession; this process can be lengthy. Wait for the configuration process to finish.

  21. On the Installation Complete screen, click Finish to confirm your choice to exit.

  22. To validate the installation of the Oracle Internet Directory instance on OIDHOST1, issue these commands:

    ldapbind -h oidhost1.mycompany.com -p 389 -D "cn=orcladmin" -q
    ldapbind -h oidhost1.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
    

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware User Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.
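
The port check in step 3 pipes netstat -an through grep "389", which matches the digits anywhere on the line, so a listener on port 3890 or an established connection to a remote host's port 389 is reported as if the local port were taken. The functions below are an added example, not from the guide, that compare the local address column exactly; they assume the Linux netstat -an layout (local address in the fourth column) and run over a constructed sample that has 389 free, 636 in use, and a 3890 decoy.

```shell
#!/bin/sh
# Added example (not from the guide): decide whether a port is really in
# use from "netstat -an" output. Assumption: Linux netstat layout, with the
# local address in the fourth column of each tcp/udp line.

# Constructed netstat -an sample: 389 is free, 636 is in use, and 3890 is a
# decoy that a plain  grep "389"  would report as port 389.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3890            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:51234          10.0.0.9:1521           ESTABLISHED'

# naive_port_check PORT OUTPUT: the guide's substring match; returns 0 when
# the digits appear anywhere on any line.
naive_port_check() {
  printf '%s\n' "$2" | grep -q "$1"
}

# port_in_use PORT OUTPUT: returns 0 only when some tcp/udp line has the
# exact port as the trailing component of its local address.
port_in_use() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 ~ /^(tcp|udp)/ {
      n = split($4, a, "[.:]")          # "host:port", "host.port" or ":::port"
      if (a[n] == p) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Stand-alone run over the constructed sample.
for port in 389 636; do
  if port_in_use "$port" "$SAMPLE_NETSTAT"; then
    echo "port $port is in use"
  else
    echo "port $port is free"
  fi
done
```

On a real host replace the sample with "$(netstat -an)"; the same functions apply unchanged to the Oracle Virtual Directory ports 6501 and 7501 in Section 4.6.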

4.5.3 Installing an Additional Oracle Internet Directory

The schema database must be running before you perform this task. Follow these steps to install the 11.1.1.1.0 Oracle Internet Directory on OIDHOST2:

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management manual in the Oracle Fusion Middleware documentation library for the platform and version you are using.

  2. If you plan on provisioning the Oracle Internet Directory Instance on shared storage, ensure that the appropriate shared storage volumes are mounted on OIDHOST2 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."

  3. Ensure that ports 389 and 636 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "389"
    netstat -an | grep "636"
    

    If the ports are in use (if the command returns output identifying the port), you must free them.

    On UNIX:

    Remove the entries for ports 389 and 636 in the /etc/services file and restart the services, or restart the computer.

  4. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  5. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    # The non-SSL port for Oracle Internet Directory
    Oracle Internet Directory port = 389
    # The SSL port for Oracle Internet Directory
    Oracle Internet Directory (SSL) port = 636
    
  6. Start the Oracle Identity Management 11g Installer as follows:

    On UNIX, issue this command: runInstaller

    The runInstaller file is in the ../install/platform directory where platform is a platform such as Linux or Solaris.

    The Specify Oracle Inventory screen is displayed.

  7. On the Specify Inventory Directory screen, enter values for the Oracle Inventory Directory and the Operating System Group Name. For example:

    • Specify the Inventory Directory: /u01/app/oraInventory

    • Operating System Group Name: oinstall

      A dialog box appears with the following message:

      "Certain actions need to be performed with root privileges before the install can continue. Please execute the script /u01/app/oraInventory/createCentralInventory.sh now from another window and then press "Ok" to continue the install. If you do not have the root privileges and wish to continue the install select the "Continue installation with local inventory" option"

      Log in as root and run the "/u01/app/oraInventory/createCentralInventory.sh"

      This sets the required permissions for the Oracle Inventory Directory and then brings up the Welcome screen.

      Note:

      The Oracle Inventory screen is not shown if an Oracle product was previously installed on the host. If the Oracle Inventory screen is not displayed for this installation, check that:

      1. The /etc/oraInst.loc file exists.

      2. If the file exists, the Inventory directory it lists is valid.

      3. The user performing the installation has write permissions for the Inventory directory.

  8. On the Welcome screen, click Next.

  9. On the Select Installation Type screen, select Install and Configure and then click Next.

  10. On the Prerequisite Checks screen, the installer completes the prerequisite check. If any fail, please fix them and restart your installation.

    Click Next.

  11. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  12. On the Specify Installation Location screen, specify the following values:

    • Oracle Home Location:

      /u01/app/oracle/product/fmw/idm
      
    • Oracle Instance Location:

      /u01/app/oracle/admin/oid_inst2
      
    • Oracle Instance Name: oid_inst2

      Note:

      Ensure that the Oracle Home Location directory path for OIDHOST1 is the same as the Oracle Home Location path for OIDHOST2. For example, if the Oracle Home Location directory path for OIDHOST1 is:

      /u01/app/oracle/product/fmw/idm

      then the Oracle Home Location directory path for OIDHOST2 must be:

      /u01/app/oracle/product/fmw/idm

    Click Next.

  13. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  14. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and click Next.

  15. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  16. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String:

      infradbhost1-vip.mycompany.com:1521:idmdb1^infradbhost2-vip.mycompany.com:1521:idmdb2@idmedg.mycompany.com
      

      Note:

      The RAC database connect string information needs to be provided in the format host1:port1:instance1^host2:port2:instance2@servicename.

      During this installation, it is not required for all the RAC instances to be up. If one RAC instance is up, the installation can proceed.

      It is required that the information provided above is complete and accurate. Specifically, the correct host, port, and instance name must be provided for each RAC instance, and the service name provided must be configured for all the specified RAC instances.

      Any incorrect information entered in the RAC database connect string has to be corrected manually after the installation.

    • User Name: ODS

    • Password: ******

    Click Next.

  17. The ODS Schema in use message appears. The ODS schema chosen is already being used by the existing Oracle Internet Directory instance, so the new Oracle Internet Directory instance being configured will reuse the same schema.

    Choose Yes to continue.

    A popup window with this message appears:

    "Please ensure that the system time on this Identity Management Node is in sync with the time on other Identity management Nodes that are part of the Oracle Application Server Cluster (Identity Management) configuration. Failure to ensure this may result in unwanted instance failovers, inconsistent operational attributes in directory entries and potential inconsistent behavior of password state policies."

    Ensure that the system time between IDMHOST1 and IDMHOST2 is synchronized.

    Click OK to continue.

  18. On the Specify OID Admin Password screen, specify the OID Admin password and click Next.

  19. On the Installation Summary screen, review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

  20. On the Installation Progress screen on UNIX systems, a dialog box appears that prompts you to run the oracleRoot.sh script. Open a window and run the script, following the prompts in the window.

    Click OK.

  21. On the Configuration screen, multiple configuration assistants are launched in succession; this process can be lengthy. Wait for the configuration process to finish.

  22. On the Installation Complete screen, click Finish to confirm your choice to exit.

  23. To validate the installation of the Oracle Internet Directory instance on OIDHOST2, issue these commands:

    ldapbind -h oidhost2.mycompany.com -p 389 -D "cn=orcladmin" -q
    ldapbind -h oidhost2.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
    

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware User Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.
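
Step 16 of this procedure and of Section 4.5.2 warn that a mistyped RAC connect string can only be corrected manually after the installation. The function below is an added example, not from the guide or the installer, that checks the host1:port1:instance1^host2:port2:instance2@servicename shape before the string is typed in: every node must have exactly three fields, the port must be numeric, and there must be exactly one service name. It cannot verify that the service is configured for every instance; that still has to be checked against the database. The string it runs on is the one from the guide's step.

```shell
#!/bin/sh
# Added example (not from the guide): check a RAC connect string against the
# host1:port1:instance1^host2:port2:instance2@servicename format before
# typing it into the installer, since the guide notes that a wrong string
# can only be corrected manually afterwards.

# The connect string used in the guide's Specify Schema Database step.
SAMPLE_CONNECT_STRING='infradbhost1-vip.mycompany.com:1521:idmdb1^infradbhost2-vip.mycompany.com:1521:idmdb2@idmedg.mycompany.com'

# validate_rac_connect_string STRING
# Prints "host port instance" for each RAC node and returns 0, or prints the
# first problem found for a node and returns 1. The service name itself can
# only be checked against the database, not from the string.
validate_rac_connect_string() {
  cs=$1
  case "$cs" in
    *@*@*) echo "more than one @ in '$cs'"; return 1 ;;
    *@*)   ;;
    *)     echo "missing @servicename in '$cs'"; return 1 ;;
  esac
  service=${cs##*@}
  nodes=${cs%@*}
  [ -n "$service" ] || { echo "empty service name"; return 1; }
  [ -n "$nodes" ]   || { echo "no host:port:instance entries"; return 1; }

  # Split the node list on '^' into the positional parameters.
  old_ifs=$IFS; IFS='^'; set -- $nodes; IFS=$old_ifs
  status=0; i=0
  for node in "$@"; do
    i=$((i + 1))
    host=${node%%:*}; rest=${node#*:}
    port=${rest%%:*}; inst=${rest#*:}
    if [ "$rest" = "$node" ] || [ "$inst" = "$rest" ]; then
      echo "node $i: expected host:port:instance, got '$node'"; status=1; continue
    fi
    case "$inst" in *:*) echo "node $i: too many fields in '$node'"; status=1; continue ;; esac
    if [ -z "$host" ] || [ -z "$port" ] || [ -z "$inst" ]; then
      echo "node $i: empty field in '$node'"; status=1; continue
    fi
    case "$port" in *[!0-9]*) echo "node $i: port '$port' is not numeric"; status=1; continue ;; esac
    echo "$host $port $inst"
  done
  return $status
}

# Stand-alone run over the guide's connect string.
validate_rac_connect_string "$SAMPLE_CONNECT_STRING" || echo "fix the connect string before continuing"
```

The printed host/port/instance triples are the values to compare against the SERVICE_NAME and INSTANCE_NAMES in Table 4-1 and against the srvctl add service command from Section 4.3.1.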

4.5.4 Registering Oracle Internet Directory with the WebLogic Server Domain

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed using the Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Internet Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously unregistered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.

To register the Oracle Internet Directory instances installed on OIDHOST1 and OIDHOST2, follow these steps:

  1. Set the ORACLE_HOME variable. For example, on OIDHOST1 and OIDHOST2, issue this command:

    export ORACLE_HOME=/u01/app/oracle/product/fmw/idm
    
  2. Set the ORACLE_INSTANCE variable. For example:

    On OIDHOST1, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst1
    

    On OIDHOST2, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst2
    
  3. Execute the opmnctl registerinstance command on both OIDHOST1 and OIDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName-VIP \
      -adminPort WLSPort -adminUsername adminUserName
    

    For example, on OIDHOST1 and OIDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance \
      -adminHost idmhost-vip.mycompany.com \
      -adminPort 7001 -adminUsername weblogic
    
    Command requires login to weblogic admin server (idmhost1.mycompany.com)
     Username: weblogic
     Password: *******
    

    Note:

    For additional details on registering Oracle Internet Directory components with a WebLogic Server domain, see the "Registering an Oracle Fusion Middleware Instance or Component with the WebLogic Server" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

4.6 Installing the Oracle Virtual Directory Instances

Follow these steps to install the Oracle Virtual Directory components (OVDHOST1 and OVDHOST2) on the directory tier with Oracle Internet Directory. The procedures for the installations are very similar, but the selections in the configuration options screen differ.

4.6.1 Installing the First Oracle Virtual Directory

Follow these steps to install the Release 11g Oracle Virtual Directory on OVDHOST1.

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management manual in the Oracle Fusion Middleware documentation library for the platform and version you are using.

  2. If you plan on provisioning the Oracle Virtual Directory Instance on shared storage, ensure that the appropriate shared storage volumes are mounted on OVDHOST1 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."

  3. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    
  4. If the ports are in use (if the command returns output identifying the port), you must free them.

    On UNIX:

    Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, or restart the computer.

  5. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  6. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    # The non-SSL port for Oracle Virtual Directory
    Oracle Virtual Directory port = 6501
    # The SSL port for Oracle Virtual Directory
    Oracle Virtual Directory (SSL) port = 7501
    
  7. Start the Oracle Identity Management 11g Installer as follows:

    On UNIX, issue this command: runInstaller

    The runInstaller file is in the ../install/platform directory where platform is a platform such as Linux or Solaris.

    The Specify Oracle Inventory screen is displayed.

  8. On the Specify Inventory Directory screen, enter values for the Oracle Inventory Directory and the Operating System Group Name. For example:

    • Specify the Inventory Directory: /u01/app/oraInventory

    • Operating System Group Name: oinstall

      A dialog box appears with the following message:

      "Certain actions need to be performed with root privileges before the install can continue. Please execute the script /u01/app/oraInventory/createCentralInventory.sh now from another window and then press "Ok" to continue the install. If you do not have the root privileges and wish to continue the install select the "Continue installation with local inventory" option"

      Log in as root and run the "/u01/app/oraInventory/createCentralInventory.sh"

      This sets the required permissions for the Oracle Inventory Directory and then brings up the Welcome screen.

      Note:

      The Oracle Inventory screen is not shown if an Oracle product was previously installed on the host. If the Oracle Inventory screen is not displayed for this installation, check the following:
      1. If the /etc/oraInst.loc file exists

      2. If the file exists, the Inventory directory listed is valid

      3. The user performing the installation has write permissions for the Inventory directory

  9. On the Welcome screen, click Next.

  10. On the Select Installation Type screen, select Install and Configure and then click Next.

  11. On the Prerequisite Checks screen, the installer completes the prerequisites check. If any fail, please fix them and restart your installation.

    Click Next.

  12. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  13. On the Specify Installation Location screen, specify the following values:

    • Oracle Home Location:

      /u01/app/oracle/product/fmw/idm
      
    • Oracle Instance Location:

      /u01/app/oracle/admin/ovd_inst1
      
    • Oracle Instance Name:

      ovd_inst1
      

      Note:

      Ensure that the Oracle Home Location directory path for OVDHOST1 is the same as the Oracle Home Location directory path for OVDHOST2. For example, if the Oracle Home Location directory path for OVDHOST1 is:

      /u01/app/oracle/product/fmw/idm

      then the Oracle Home Location directory path for OVDHOST2 must be:

      /u01/app/oracle/product/fmw/idm

    Click Next.

  14. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  15. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and click Next.

  16. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  17. On the Specify Virtual Directory screen:

    In the Client Listeners section, enter:

    • LDAP v3 Name Space:

      dc=us,dc=mycompany,dc=com
      

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: *******

    • Confirm Password: *******

    Select Configure the Administrative Server in secure mode.

    Click Next.

  18. On the Installation Summary screen, review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

  19. On the Installation Progress screen on UNIX systems, a dialog box appears that prompts you to run the oracleRoot.sh script. Open a window and run the script, following the prompts in the window.

    Click Next.

  20. On the Configuration screen, multiple configuration assistants are launched in succession; this process can be lengthy. Wait for the configuration process to finish.

  21. On the Installation Complete screen, click Finish to confirm your choice to exit.

  22. To validate the installation of the Oracle Virtual Directory instance on OVDHOST1, issue this command:

    ldapbind -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q
    

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware User Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.

    To perform an SSL validation of the Oracle Virtual Directory instance on OVDHOST1, see the instructions in Section 4.6.1.1, "SSL Validation for Oracle Virtual Directory."
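The free-port check from steps 3 and 4 above (the same steps recur in Section 4.6.2) as a small script; this is an added example, not part of the Oracle guide. It looks only at the local-address column of netstat -an, so an established connection to a remote 6501 or a listener on 16501 is not reported as a conflict the way grep "6501" would report it; it assumes Linux-style netstat output, and NETSTAT_OUTPUT is an assumed variable that substitutes captured output for an offline check.

```shell
# Added example (not from the Oracle guide): check that the OVD ports are free
# by inspecting only the local-address column of `netstat -an`.
# Assumes Linux netstat columns: proto recv-q send-q local foreign state.

# socket_table prints the socket list; NETSTAT_OUTPUT (assumed name) lets a
# caller supply captured output instead of running netstat.
socket_table() {
    if [ -n "${NETSTAT_OUTPUT:-}" ]; then
        printf '%s\n' "$NETSTAT_OUTPUT"
    else
        netstat -an
    fi
}

# port_in_use PORT: succeeds when some tcp/udp socket's local address ends in
# ":PORT" (matches IPv4 a.b.c.d:PORT and IPv6 :::PORT, but not ...:1PORT and
# not a remote peer that happens to use PORT).
port_in_use() {
    socket_table | awk -v p="$1" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" p "$") { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_ports PORT...: report each port; return 1 if any of them is taken.
check_ports() {
    status=0
    for port in "$@"; do
        if port_in_use "$port"; then
            echo "port $port is in use: free it before starting the installer"
            status=1
        else
            echo "port $port is free"
        fi
    done
    return $status
}

# Usage: sh check_ovd_ports.sh --check   (runs against the live socket table)
if [ "${1:-}" = "--check" ]; then
    check_ports 6501 7501
fi
```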

4.6.1.1 SSL Validation for Oracle Virtual Directory

Oracle Virtual Directory is configured to use SSL Server Authentication Only mode by default. When using command-line tools such as ldapbind to validate a connection secured by SSL Server Authentication mode, the server certificate must be stored in an Oracle Wallet. Follow the steps below to perform this task:

  1. Create an Oracle Wallet by executing the following command:

    ORACLE_COMMON_HOME/bin/orapki wallet create -wallet DIRECTORY_FOR_SSL_WALLET -pwd WALLET_PASSWORD
    
  2. Export the Oracle Virtual Directory server certificate by executing the following command:

    ORACLE_HOME/jdk/jre/bin/keytool -exportcert -keystore OVD_KEYSTORE_FILE
    -storepass PASSWORD -alias OVD_SERVER_CERT_ALIAS -rfc -file OVD_SERVER_CERT_FILE
    
  3. Add the Oracle Virtual Directory server certificate to the Oracle Wallet by executing the following command:

    ORACLE_COMMON_HOME/bin/orapki wallet add -wallet DIRECTORY_FOR_SSL_WALLET
    -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
    
  4. Run the command below to verify that the Oracle Virtual Directory instance is listening on the SSL LDAP port. Use the wallet from Step 3:

    ORACLE_HOME/bin/ldapbind -D "cn=orcladmin" -q -U 2 -h HOST -p SSL_PORT -W
    "file://DIRECTORY_FOR_SSL_WALLET" -Q
    

    Note:

    If you are using default settings after installing 11g Release 1 (11.1.1), you can use the following values for the variables described in this section:
    • For OVD_KEYSTORE_FILE, use:

      ORACLE_INSTANCE/config/OVD/ovd1/keystores/keys.jks
      
    • For OVD_SERVER_CERT_ALIAS, use serverselfsigned

    • For PASSWORD used for the -storepass option, use the orcladmin account password.

    • OVD_SERVER_CERT_FILE refers to the file where the certificate is saved. The keytool utility creates this file under the location and filename specified by the OVD_SERVER_CERT_FILE parameter.
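Steps 1 to 3 above scripted so that a single wallet ends up trusting the server certificates of both OVDHOST1 and OVDHOST2, which Section 4.6.2 requires before binding through the load balancer's SSL port; this is an added example, not part of the Oracle guide. It assumes ORACLE_COMMON_HOME, ORACLE_HOME and WALLET_PASSWORD are set as in the steps above, and DRY_RUN is an assumed variable that prints each command instead of running it.

```shell
# Added example (not from the Oracle guide): build one Oracle Wallet that trusts
# the exported server certificate of every OVD node.
# Assumes ORACLE_COMMON_HOME, ORACLE_HOME and WALLET_PASSWORD are set.

# run CMD...: execute, or just print the command when DRY_RUN (assumed) is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the wallet.
create_wallet() {   # create_wallet WALLET_DIR
    run "$ORACLE_COMMON_HOME/bin/orapki" wallet create -wallet "$1" -pwd "$WALLET_PASSWORD"
}

# Step 2: export a node's server certificate as PEM. Run this on the node that
# owns the keystore (default alias serverselfsigned, from the note above), then
# copy the resulting file to the node where the wallet is built.
export_server_cert() {   # export_server_cert KEYSTORE STOREPASS OUTFILE [ALIAS]
    run "$ORACLE_HOME/jdk/jre/bin/keytool" -exportcert -keystore "$1" -storepass "$2" \
        -alias "${4:-serverselfsigned}" -rfc -file "$3"
}

# A certificate copied between nodes is about to become a trust anchor for the
# wallet: print it so its fingerprint can be compared with `keytool -list -v`
# on the node it came from before it is added.
print_cert() {   # print_cert CERTFILE
    run "$ORACLE_HOME/jdk/jre/bin/keytool" -printcert -file "$1"
}

# Step 3: add one PEM file to the wallet as a trusted certificate.
add_trusted_cert() {   # add_trusted_cert WALLET_DIR CERTFILE
    run "$ORACLE_COMMON_HOME/bin/orapki" wallet add -wallet "$1" -trusted_cert \
        -cert "$2" -pwd "$WALLET_PASSWORD"
}

# build_ovd_wallet WALLET_DIR CERTFILE...: step 1 once, then step 3 for every
# exported certificate, e.g.
#   build_ovd_wallet /u01/app/oracle/admin/ovd_wallet ovdhost1.pem ovdhost2.pem
build_ovd_wallet() {
    wallet=$1
    shift
    create_wallet "$wallet"
    for cert in "$@"; do
        if [ -z "${DRY_RUN:-}" ] && [ ! -r "$cert" ]; then
            echo "missing certificate file: $cert" >&2
            return 1
        fi
        print_cert "$cert"
        add_trusted_cert "$wallet" "$cert"
    done
}
```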

4.6.2 Installing an Additional Oracle Virtual Directory

Follow these steps to install the Release 11g Oracle Virtual Directory on OVDHOST2.

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management manual in the Oracle Fusion Middleware documentation library for the platform and version you are using.

  2. If you plan on provisioning the Oracle Virtual Directory Instance on shared storage, ensure that the appropriate shared storage volumes are mounted on OVDHOST2 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."

  3. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    
  4. If the ports are in use (if the command returns output identifying the port), you must free them.

    On UNIX:

    Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, or restart the computer.

  5. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  6. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    # The non-SSL port for Oracle Virtual Directory
    Oracle Virtual Directory port = 6501
    # The SSL port for Oracle Virtual Directory
    Oracle Virtual Directory (SSL) port = 7501
    
  7. Start the Oracle Identity Management 11g Installer as follows:

    On UNIX, issue this command: runInstaller

    The runInstaller file is in the ../install/platform directory where platform is a platform such as Linux or Solaris.

    The Specify Oracle Inventory screen is displayed.

  8. On the Specify Inventory Directory screen, enter values for the Oracle Inventory Directory and the Operating System Group Name. For example:

    • Specify the Inventory Directory: /u01/app/oraInventory

    • Operating System Group Name: oinstall

      A dialog box appears with the following message:

      "Certain actions need to be performed with root privileges before the install can continue. Please execute the script /u01/app/oraInventory/createCentralInventory.sh now from another window and then press "Ok" to continue the install. If you do not have the root privileges and wish to continue the install select the "Continue installation with local inventory" option"

      Log in as root and run the "/u01/app/oraInventory/createCentralInventory.sh"

      This sets the required permissions for the Oracle Inventory Directory and then brings up the Welcome screen.

      Note:

      The Oracle Inventory screen is not shown if an Oracle product was previously installed on the host. If the Oracle Inventory screen is not displayed for this installation, check the following:
      1. If the /etc/oraInst.loc file exists

      2. If the file exists, the Inventory directory listed is valid

      3. The user performing the installation has write permissions for the Inventory directory

  9. On the Welcome screen, click Next.

  10. On the Select Installation Type screen, select Install and Configure and then click Next.

  11. On the Prerequisite Checks screen, click Next.

  12. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  13. On the Specify Installation Location screen, specify the following values:

    • Oracle Home Location:

      /u01/app/oracle/product/fmw/idm
      
    • Oracle Instance Location:

      /u01/app/oracle/admin/ovd_inst2
      
    • Oracle Instance Name:

      ovd_inst2
      

      Note:

      Ensure that the Oracle Home Location directory path for OVDHOST1 is the same as the Oracle Home Location directory path for OVDHOST2. For example, if the Oracle Home Location directory path for OVDHOST1 is:

      /u01/app/oracle/product/fmw/idm

      then the Oracle Home Location directory path for OVDHOST2 must be:

      /u01/app/oracle/product/fmw/idm

    Click Next.

  14. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and click Next.

  15. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  16. On the Specify Virtual Directory screen:

    In the Client Listeners section, enter:

    • LDAP v3 Name Space:

      dc=us,dc=mycompany,dc=com
      

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: *******

    • Confirm Password: *******

    Select Configure the Administrative Server in secure mode.

    Click Next.

  17. On the Installation Summary screen, review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.

  18. On the Installation Progress screen on UNIX systems, a dialog box appears that prompts you to run the oracleRoot.sh script. Open a window and run the script, following the prompts in the window.

    Click Next.

  19. On the Configuration screen, multiple configuration assistants are launched in succession; this process can be lengthy. Wait for the configuration process to finish.

  20. On the Installation Complete screen, click Finish to confirm your choice to exit.

  21. To validate the installation of the Oracle Virtual Directory instance on OVDHOST2, issue this command:

    ldapbind -h ovdhost2.mycompany.com -p 6501 -D "cn=orcladmin" -q
    

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware User Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.

    To perform an SSL validation of the Oracle Virtual Directory instance on OVDHOST2, see the instructions in Section 4.6.1.1, "SSL Validation for Oracle Virtual Directory." Also, the wallet on each node should contain certificates from both OVDHOST1 and OVDHOST2. Step 3 in Section 4.6.1.1, "SSL Validation for Oracle Virtual Directory" describes how to add a certificate to a wallet.

4.6.3 Registering Oracle Virtual Directory with the Oracle WebLogic Server Domain

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed using the Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Virtual Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously un-registered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.

To register the Oracle Virtual Directory instances installed on OVDHOST1 and OVDHOST2, follow these steps:

  1. Set the ORACLE_HOME variable. For example, on OVDHOST1 and OVDHOST2, issue this command:

    export ORACLE_HOME=/u01/app/oracle/product/fmw/idm
    
  2. Set the ORACLE_INSTANCE variable. For example:

    On OVDHOST1, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst1
    

    On OVDHOST2, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst2
    
  3. Execute the opmnctl registerinstance command on both OVDHOST1 and OVDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName-VIP
    -adminPort WLSPort -adminUsername adminUserName
    

    For example, on OVDHOST1 and OVDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance \
       -adminHost idmhost-vip.mycompany.com \
       -adminPort 7001 -adminUsername weblogic
    
    Command requires login to weblogic admin server (idmhost1.mycompany.com)
     Username: weblogic
     Password: *******
    

    Note:

    For additional details on registering Oracle Virtual Directory components with a WebLogic Server domain, see the "Registering a System Component Domain Using OPMNCTL" section in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

4.6.4 Configuring Oracle Virtual Directory Communication with LDAP

Oracle Virtual Directory uses adapters to connect to its underlying data repositories so it can virtualize data and route data to and from the repositories. Oracle Virtual Directory uses an LDAP Adapter to connect to an underlying LDAP repository.

Note:

Do not configure Oracle Virtual Directory communication with LDAP until after Oracle Directory Services Manager is installed in Section 5.1, "Extending the Oracle WebLogic Domain with DIP and ODSM."

The LDAP Adapter enables Oracle Virtual Directory to present data as a subtree of the virtual directory by providing real-time directory structure and schema translations. One LDAP Adapter is required for each distinct LDAP source you want to connect to. For example, if you have two LDAP repositories that are replicas of each other, you would deploy one LDAP Adapter and configure it to list the hostnames and ports of the replicas.

Note:

If you plan on using an LDAP repository other than Oracle Internet Directory in your environment, you are required to configure an LDAP Adapter to connect to that repository. For more information on creating and configuring an LDAP Adapter, refer to the "Creating and Configuring Oracle Virtual Directory Adapters" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

4.7 Validating the Directory Tier Components

To validate the directory tier components, ensure that you can connect to each Oracle Internet Directory instance and the load balancing router using these commands:

Note:

See the "Configuring Your Environment" section of Oracle Fusion Middleware User Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.

ldapbind -h oidhost1.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost1.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

ldapbind -h oidhost2.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost2.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

ldapbind -h oid.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oid.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

Note:

The -q option above prompts the user for a password. LDAP tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1. Use this feature whenever possible.

Follow the steps in Section 4.6.1.1, "SSL Validation for Oracle Virtual Directory" before running the ldapbind command with the SSL port. Test each Oracle Virtual Directory instance and the load balancing router using these commands:

ldapbind -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h ovdhost1.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 2 -W
"file://DIRECTORY_FOR_SSL_WALLET" -Q

ldapbind -h ovdhost2.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h ovdhost2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 2 -W
"file://DIRECTORY_FOR_SSL_WALLET" -Q

ldapbind -h ovd.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h ovd.mycompany.com -p 636 -D "cn=orcladmin" -q -U 2 -W
"file://DIRECTORY_FOR_SSL_WALLET" -Q

Note:

The wallets on OVDHOST1 and OVDHOST2 must contain the client certificates from both OVDHOST1 and OVDHOST2, when connecting to the Oracle Virtual Directory instances using the load balancing router host and SSL port.
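The ldapbind checks listed in this section, run in one pass with a per-endpoint OK/FAIL summary; this is an added example, not part of the Oracle guide. It assumes ldapbind is on the PATH with the environment from "Configuring Your Environment" set, and WALLET_DIR is an assumed variable holding the wallet directory built in Section 4.6.1.1.

```shell
# Added example (not from the Oracle guide): bind to every directory-tier
# listener with the flags the guide uses for that listener type.
# Each bind prompts for the orcladmin password (-q): -w is disabled once
# LDAP_PASSWORD_PROMPTONLY is set, as the note above recommends.
export LDAP_PASSWORD_PROMPTONLY=TRUE

# host:port:kind (constructed from the commands in this section), where kind is
#   plain   non-SSL bind
#   oidssl  Oracle Internet Directory SSL listener (-U 1, no wallet needed)
#   ovdssl  Oracle Virtual Directory SSL listener (-U 2 with the trusted-cert wallet)
DIRECTORY_ENDPOINTS="
oidhost1.mycompany.com:389:plain   oidhost1.mycompany.com:636:oidssl
oidhost2.mycompany.com:389:plain   oidhost2.mycompany.com:636:oidssl
oid.mycompany.com:389:plain        oid.mycompany.com:636:oidssl
ovdhost1.mycompany.com:6501:plain  ovdhost1.mycompany.com:7501:ovdssl
ovdhost2.mycompany.com:6501:plain  ovdhost2.mycompany.com:7501:ovdssl
ovd.mycompany.com:389:plain        ovd.mycompany.com:636:ovdssl
"

# bind_check HOST PORT KIND: one ldapbind with the flags for that kind.
bind_check() {
    case $3 in
        plain)  ldapbind -h "$1" -p "$2" -D "cn=orcladmin" -q ;;
        oidssl) ldapbind -h "$1" -p "$2" -D "cn=orcladmin" -q -U 1 ;;
        ovdssl) ldapbind -h "$1" -p "$2" -D "cn=orcladmin" -q -U 2 \
                    -W "file://$WALLET_DIR" -Q ;;
        *)      echo "bind_check: unknown listener kind '$3'" >&2; return 2 ;;
    esac
}

# validate_directory_tier: bind to every endpoint, print OK/FAIL for each, and
# return the number of failed binds (0 means the whole tier validated).
validate_directory_tier() {
    failed=0
    for endpoint in $DIRECTORY_ENDPOINTS; do
        host=${endpoint%%:*}
        rest=${endpoint#*:}
        port=${rest%%:*}
        kind=${rest#*:}
        if bind_check "$host" "$port" "$kind"; then
            echo "OK    $host:$port ($kind)"
        else
            echo "FAIL  $host:$port ($kind)"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage: WALLET_DIR=/path/to/wallet sh validate_dirtier.sh --validate
if [ "${1:-}" = "--validate" ]; then
    validate_directory_tier
fi
```

A non-zero return after the load balancer endpoints alone fail usually points at the wallet lacking one node's certificate, which the note above describes.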

The directory tier configuration is now as shown in Figure 4-1.

Figure 4-1 Directory Tier Configuration


4.8 Backing Up the Directory Tier Configuration

Oracle recommends creating a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup of the installation after verifying that the install so far is successful. This is a quick backup for the express purpose of immediate restore in case of problems in later steps. The backup destination is the local disk. This backup can be discarded once the enterprise deployment setup is complete. After the enterprise deployment setup is complete, the regular deployment-specific Backup and Recovery process can be initiated. More details are described in the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to the Oracle Database Backup and Recovery User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the directory tier:

    1. Shut down the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl stopall
      
    2. Create a backup of the Middleware Home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME
      
    3. Create a backup of the Instance Home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE
      
    4. Start up the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl startall
      
  2. Perform a full database backup (either a hot or cold backup). Oracle recommends that you use Oracle Recovery Manager. An operating system tool such as tar can be used for cold backups.

  3. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory:

    IDMHOST1> tar cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver
    

    Note:

    Create backups on all machines in the directory tier by following the steps shown above.

For more information about backing up the directory tier configuration, see Section 9.4, "Performing Backups and Recoveries."