9 Configuring Identity Management for Maximum High Availability

This chapter provides high-level instructions for setting up a maximum high availability deployment for Oracle Identity Management. This deployment includes two sites in different geographic locations. This is an active-active deployment where both sites are active at the same time when the deployment is functioning normally. If one site fails, the surviving site continues to function.

Each site includes a two-node Oracle Internet Directory cluster configuration, which provides high availability for Oracle Internet Directory. The Oracle Internet Directory cluster configuration at each site uses an Oracle Real Application Clusters (Oracle RAC) database as the security store, which provides high availability for the database. Chapter 8, "Configuring High Availability for Identity Management Components" provides an introduction to the high availability Oracle Internet Directory cluster configurations.

Multimaster replication is used to replicate data from the master site to the replica site.

This chapter includes the following topics:

  • Section 9.1, "Introduction to the Maximum High Availability Identity Management Deployment"

  • Section 9.2, "Overview of Replication"

  • Section 9.3, "Setting up Multimaster Replication"

9.1 Introduction to the Maximum High Availability Identity Management Deployment

Figure 9-1 shows the maximum high availability deployment for Oracle Identity Management.

Figure 9-1 Maximum High Availability Multimaster Replication Deployment


The master site is located in New York and the replica site is located in Los Angeles.

Each site includes a highly available two-node Oracle Internet Directory cluster configuration that uses an Oracle RAC database as a highly available security store. Each two-node cluster has a load balancer. See Section 8.3.3, "Oracle Internet Directory High Availability Configuration Steps" for information on setting up a two-node Oracle Internet Directory cluster.

The master site in New York consists of:

  • OIDHOST1 and OIDHOST2

    These are the two clustered hosts on which Oracle Internet Directory is installed.

  • RAC_DB1

    This is the Oracle RAC database which serves as the security store for the Oracle Internet Directory instances on OIDHOST1 and OIDHOST2. Multimaster replication is used to replicate data between RAC_DB1 in New York and RAC_DB2 in Los Angeles.

The replica site in Los Angeles consists of:

  • OIDHOST3 and OIDHOST4

    These are the two clustered hosts on which Oracle Internet Directory is installed.

  • RAC_DB2

    This is the Oracle RAC database which serves as the security store for the Oracle Internet Directory instances on OIDHOST3 and OIDHOST4. Multimaster replication is used to replicate data between RAC_DB1 in New York and RAC_DB2 in Los Angeles.

9.2 Overview of Replication

The following types of replication are available for Oracle Internet Directory:

  • LDAP multimaster replication

    Uses the industry-standard Lightweight Directory Access Protocol Version 3 as the replication transport mechanism. This is the recommended protocol to use for replication.

  • Oracle Advanced Database multimaster replication

    Uses the replication feature of Oracle Database. This is also called Advanced Replication.

  • Two-way fan-out replication

    With this replication method, the replicated data is read/write at both the master site and replica site. Fan-out uses LDAP as its transport mechanism.

  • One-way fan-out replication

    With this replication method, the replicated data is read-only at the replica site. Fan-out uses LDAP as its transport mechanism.

For more information about the replication types for Oracle Internet Directory, refer to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

For the maximum availability deployment shown in Figure 9-1, either LDAP or Oracle Advanced Database multimaster replication can be set up.

9.3 Setting up Multimaster Replication

This section describes how to set up LDAP multimaster replication or Oracle Advanced Database multimaster replication for the maximum high availability Oracle Internet Directory deployment shown in Figure 9-1.

Note:

See Section 8.3.3, "Oracle Internet Directory High Availability Configuration Steps" for information on installing the Oracle Internet Directory two-node clusters for the New York and Los Angeles multimaster topology shown in Figure 9-1.

It is recommended that you use LDAP multimaster replication for the maximum availability Oracle Internet Directory deployment.

Note:

New Oracle Fusion Middleware 11g customers who want to install and configure 10.1.4.3 or later Oracle Single Sign-On and Oracle Delegated Administration Services against 11g Oracle Internet Directory and to set up multimaster replication should refer to these steps:

  1. To configure 10.1.4.3 Oracle Single Sign-On and Oracle Delegated Administration Services to run against 11g Oracle Internet Directory, follow the steps in the "Installing Oracle Single Sign-On and Oracle Delegated Administration Services against Oracle Internet Directory" section of Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  2. Perform the steps in the following sections of the "Deploying Identity Management with Multimaster Replication" chapter in the Oracle Fusion Middleware High Availability Guide for release 10.1.4.0.1 (part number B28186-01) to install and configure 10.1.4.3 Oracle Single Sign-On and Oracle Delegated Administration Services for multimaster replication:

    • Section 10.1.4 "Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Master Node"

    • Section 10.1.5 "Synchronizing the OracleAS Single Sign-On Schema Password"

    • Section 10.1.6 "Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Replica Node"

    • Section 10.1.7 "If You Are Running in SSL Mode"

9.3.1 Setting Up LDAP Multimaster Replication

Follow these steps in the Oracle Enterprise Manager Fusion Middleware Control to set up LDAP multimaster replication:

  1. From the Oracle Internet Directory menu on the Oracle Internet Directory instance home page, choose Administration, and then Replication Management.

  2. You are prompted to log into the replication DN account. Provide the host, port of one of the Oracle Internet Directory servers at the master site (the New York cluster in Figure 9-1), replication DN, and replication DN password. If anonymous binds are enabled on this Oracle Internet Directory component, the replication DN field will fill in automatically when you enter the host and port.

  3. Click the Create icon.

  4. On the Type screen, select the replication type: Multimaster Replication.

  5. Click Next. The Replicas screen displays the replication type you selected.

  6. Provide an agreement name. The agreement name must be unique across all the nodes.

  7. For multimaster replication, enter the host, port, user name (replication DN), and replication password for the primary node and all the secondary nodes.

    Note:

    Enter the host/port of any of the Oracle Internet Directory instances in the cluster.

  8. Click Next to go to the Settings page.

  9. In the LDAP Connection field, select Keep Alive if you want the replication server to use the same connection for performing multiple LDAP operations. Select Always Use New Connection if you want the server to open a new connection for each LDAP operation.

  10. Enter the Replication Frequency.

  11. Enter the Human Intervention Queue Schedule. This is the interval, in minutes, at which the directory replication server repeats the change application process.

  12. The Replication Server Start Details section has options to start the replication server and enable bootstrap. Choose Start Server to start the appropriate server instance. You can also enable bootstrap by choosing Enable Bootstrap. You must select the Instance Name and Component Name from the dropdown lists to start the server.

  13. Click Next to go to the Scope page. The default primary naming context will be filled in. Keep the default settings.

  14. Click Next. The Summary page displays a summary of the replication agreement you are about to create. To make any changes to information on the Summary page, click Back.

  15. Click Finish to create the replication agreement.

For detailed instructions on setting up LDAP multimaster replication, read the Oracle Enterprise Manager tool tips or refer to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

9.3.1.1 Adding a Node in LDAP Multimaster Replication

Follow these steps in the Oracle Enterprise Manager Fusion Middleware Control to add a node in an LDAP multimaster replication deployment:

  1. From the Oracle Internet Directory menu on the Oracle Internet Directory instance home page, select Administration, and then Replication Management.

  2. You will be prompted to log into the replication DN account. Provide the host, port and replication DN password of any of the replicas in the multimaster replication deployment.

  3. In the upper half of the screen, click on the appropriate multimaster replication agreement row to enable editing.

  4. Click Edit on the Replication Agreements page.

  5. In the lower half of the screen, click the Replicas tab.

  6. To add a new replica to the multimaster replication deployment, click the Create icon.

  7. In the popup window, provide the host, port and replication DN password details for the new node. Click Add.

  8. Click Apply. The replica will be added to the existing multimaster directory replication group (DRG).

For more detailed information on adding a node in an LDAP multimaster replication deployment, see Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

9.3.1.2 Deleting a Node in LDAP Multimaster Replication

Follow these steps in the Oracle Enterprise Manager Fusion Middleware Control to delete a node in an LDAP multimaster replication deployment:

  1. From the Oracle Internet Directory menu on the Oracle Internet Directory instance home page, select Administration, and then Replication Management.

  2. You will be prompted to log into the replication DN account. Provide the host, port and replication DN password of any of the replicas in the multimaster replication deployment.

  3. In the upper half of the screen, click on the appropriate multimaster replication agreement row to enable editing.

  4. Click Edit on the Replication Agreement screen.

  5. In the lower half of the screen, click the Replicas tab.

  6. Click the replica you want to delete from the multimaster replication deployment. The Delete icon becomes enabled.

  7. Click the Delete icon.

  8. Click the Apply button to remove the replica from the LDAP multimaster directory replication group (DRG).

For more detailed information on deleting a node in an LDAP multimaster replication deployment, see Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

9.3.2 Setting Up Oracle Advanced Database Multimaster Replication

The detailed steps for setting up Oracle Advanced Database multimaster replication are available in the "Installing and Setting Up an Oracle Database Advanced Replication-Based Multimaster Replication Group" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Table 9-1 shows the subsections of the "Installing and Setting Up an Oracle Database Advanced Replication-Based Multimaster Replication Group" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also describes the instructions to perform in each subsection to set up Oracle Advanced Database multimaster replication for the maximum high availability Oracle Internet Directory deployment shown in Figure 9-1.

Table 9-1 Steps for Setting Up Oracle Database Advanced Multimaster Replication

Each entry below names a subsection of the guide, followed by the instructions for that subsection in this deployment.

  • Task 1: Install Oracle Internet Directory on the Master Definition Site (MDS)

    This task should already have been performed based on the Note in Section 9.3, "Setting up Multimaster Replication."

  • Task 2: Install the Oracle Internet Directory on the Remote Master Sites (RMS)

    This task should already have been performed based on the Note in Section 9.3, "Setting up Multimaster Replication."

  • If an Existing Master is Used as a Remote Master Site

    Set up one site as the master definition site (MDS), for example, the New York site. Then set up one Oracle Internet Directory node in the cluster at the master site (for example, OIDHOST1) to be the master host. OIDHOST1 will be the host in the master site cluster where the replication server will be configured and will run. When the setup steps require a reference to a replication server, process, or port for the MDS, specify the correct value for OIDHOST1.

    Set up another site as the remote master site (RMS), for example, the Los Angeles site. Then set up one Oracle Internet Directory node in the cluster at the remote site (for example, OIDHOST3) to be the replica host. The replica host is referred to as the "new node" in the "If an Existing Master is Used as a Remote Master Site" section. OIDHOST3 will be the host in the Los Angeles cluster where the replication server will be configured and will run. When the setup steps require a reference to a replication server, process, or port for the RMS, specify the correct value for OIDHOST3.

  • Task 3: Set Up Advanced Replication for a Directory Replication Group

    Follow the instructions for this task.

  • On All Nodes, Prepare the Oracle Net Services Environment for Replication

    Perform the steps in this subsection in all the database Oracle homes and in all the Oracle Internet Directory Oracle homes in the New York site and the Los Angeles site.

  • From the MDS, Configure Advanced Replication For Directory Replication

    Perform the steps in this subsection in all of the Oracle Internet Directory Oracle homes in New York and Los Angeles, with one exception:

    When you configure Advanced Replication using the Replication Environment Management Tool, execute the command on only the master host at the MDS site (for example, on OIDHOST1 in New York). The replication must be started on only one Oracle Internet Directory host.

  • Task 4 (Optional): Load Data into the Directory

    If you choose to use the bulkload utility, stop all the Oracle Internet Directory instances in all the Oracle Internet Directory homes, and use only one of the Oracle Internet Directory instances to perform the bulkload operation.

  • Task 5: Ensure that Oracle Directory Server Instances are Started on All the Nodes

    Perform this task in all the Oracle Internet Directory Oracle home directories.

  • Task 6: Start the Replication Servers on All Nodes in the DRG

    Start the replication server on only OIDHOST1 in New York and OIDHOST3 in Los Angeles.

9.3.2.1 Adding a Node in Oracle Advanced Database Multimaster Replication

The detailed steps for adding a node in an Oracle Advanced Database multimaster replication deployment are in the "Adding a Node for Oracle Database Advanced Replication-Based Multimaster Replication Group" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Table 9-2 shows the subsections of the "Adding a Node for Oracle Database Advanced Replication-Based Multimaster Replication Group" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also describes the instructions to perform in each subsection to add a node to the maximum high availability Oracle Internet Directory deployment shown in Figure 9-1.

Table 9-2 Steps for Adding a Node in Oracle Advanced Database Replication

Each entry below names a subsection of the guide, followed by the instructions for that subsection in this deployment.

  • Prepare the Oracle Net Services Environment

    Perform the steps in this subsection in all the database Oracle homes and in all the Oracle Internet Directory Oracle homes in the master definition site (New York site) and the remote master definition site (Los Angeles site).

    Also, perform these steps in the database Oracle homes and in all the Oracle Internet Directory Oracle homes for the new cluster that is being added.

  • Task 1: Stop the Directory Replication Server on All Nodes

    Stop the replication server on OIDHOST1 in New York and on OIDHOST3 in Los Angeles.

  • Task 2: Identify a Sponsor Node and Install Oracle Internet Directory on the Remote Site

    OIDHOST1 in the New York cluster will be the sponsor node and the MDS.

  • Task 3: Switch the Sponsor Node to Read-Only Mode

    Perform this task in the Oracle home for Oracle Internet Directory on OIDHOST1 and OIDHOST2.

  • Task 4: Back up the Sponsor Node by Using ldifwrite

    Perform this task in the Oracle home for Oracle Internet Directory on OIDHOST1.

  • Task 5: Perform Advanced Replication Add Node Setup

    Perform this task in the Oracle home for Oracle Internet Directory on OIDHOST1.

  • Task 6: Switch the Sponsor Node to Updatable Mode

    Perform this task in the Oracle home for Oracle Internet Directory on OIDHOST1 and OIDHOST2.

  • Task 7: Start the Directory Replication Server on All Nodes Except the New Node

    Perform this task on OIDHOST1 in the New York cluster and on OIDHOST3 in the Los Angeles cluster.

  • Task 8: Load Data into the New Node by Using bulkload

    Perform this task on one of the Oracle Internet Directory Oracle homes in the new cluster that is being added.

    Stop all the Oracle Internet Directory processes on the new node before using bulkload.

  • Task 9: Start the Directory Server on the New Node

    Perform this task on all of the Oracle Internet Directory nodes in the new cluster that is being added.

  • Task 10: Start the Directory Replication Server on the New Node

    Perform this task on one of the Oracle Internet Directory Oracle homes in the new cluster that is being added.

9.3.2.2 Deleting a Node in Oracle Advanced Database Multimaster Replication

The detailed steps for deleting a node in an Oracle Advanced Database multimaster replication deployment are in the "Deleting a Node from a Multimaster Replication Group" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Table 9-3 shows the subsections of the "Deleting a Node from a Multimaster Replication Group" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also describes the instructions to perform in each subsection to delete a node in the maximum high availability Oracle Internet Directory deployment shown in Figure 9-1. In the instructions below, the MDS is assumed to be the New York site.

Table 9-3 Steps for Deleting a Node in Oracle Advanced Database Replication

Each entry below names a subsection of the guide, followed by the instructions for that subsection in this deployment.

  • Task 1: Stop the Directory Replication Server on All Nodes

    Perform this task on each node in the Directory Replication Group (DRG).

  • Task 2: Stop All Oracle Internet Directory Processes in the Node to be Deleted

    Perform this task in the node to be deleted.

  • Task 3: Delete the Node from the Master Definition Site

    Perform this task in the Oracle home for Oracle Internet Directory on OIDHOST1.

  • Task 4: Start the Directory Replication Server on All Nodes

    Perform this task on all the remaining nodes in the DRG.