This chapter describes how to configure the Identity Management database repositories. The database can exist either on a separate grid infrastructure or on an Exadata server.
This chapter contains the following topics:
Section 6.1, "Overview of Preparing the Databases for an Identity Management Enterprise Deployment"
Section 6.2, "Verifying the Database Requirements for an Enterprise Deployment"
Section 6.3, "Installing the Database for an Enterprise Deployment"
Section 6.5, "Loading the Identity Management Schemas in the Oracle RAC Database by Using RCU"
The Identity Management components in the enterprise deployment use database repositories. This chapter describes how to perform the following steps:
Verify the database requirements as described in Section 6.2, "Verifying the Database Requirements for an Enterprise Deployment."
Install and configure the Oracle database repositories. See the installation guides listed in the "Related Documents" section of the Preface and Section 6.3, "Installing the Database for an Enterprise Deployment."
Create database services, as described in Section 6.4, "Creating Database Services."
Create the required Oracle schemas in the database using the Repository Creation Utility (RCU). See Section 6.5, "Loading the Identity Management Schemas in the Oracle RAC Database by Using RCU."
Before loading the metadata repository into your databases, check that they meet the requirements described in these subsections:
For Oracle Identity Management, a number of separate databases are recommended. Table 6-1 provides a summary of these databases. Which database or databases you use depends on the topology that you are implementing.
The Oracle Metadata Services (MDS) Repository is a particular type of repository that contains metadata for some Oracle Fusion Middleware components. It can also include custom Java EE applications developed by your organization.
Table 6-1 Mapping between Databases and Schemas
Database Names | Database Hosts | Service Names | Schemas in Database |
---|---|---|---|
IDMDB | IDMDBHOST1, IDMDBHOST2 | | OAM, IAU, OIM, ORASDPM, MDS, SOA_INFRA |
| | | OPSS, MDS |
The following sections apply to all the databases listed in Table 6-1.
The database used to store the metadata repository should be highly available in its own right. For maximum availability, Oracle recommends the use of an Oracle Real Application Clusters (RAC) database.
Ideally, the database should use Oracle Automatic Storage Management (ASM) for the storage of data; however, this is not necessary.
If using ASM, then ASM should be installed into its own Oracle home and have two disk groups:
One for the Database Files
One for the Flash Recovery Area
If you are using Oracle ASM, best practice is to also use Oracle Managed Files.
To check if your database is certified or to see all certified databases, refer to the "Certified Databases" section in the Certification Document:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
To determine the version of your installed Oracle Database, execute the following query at the SQL prompt:
select version from sys.product_component_version where product like 'Oracle%';
Patches are required for some versions of Oracle Database.
Table 6-2 lists patches required for Oracle Identity Manager configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7) database.
Table 6-2 Required Patches for Oracle Database 11g (11.1.0.7)
Platform | Patch Number and Description on My Oracle Support |
---|---|
Linux | 7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G |
| 7000281: DIFFERENCE IN FORALL STATEMENT BEHAVIOR IN 11G |
| 8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION |
| 8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314 |
If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 10259620. This is a prerequisite for installing the Oracle Identity Manager schemas.
Table 6-3 lists the patches required for Oracle Identity Manager configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.
Table 6-3 Required Patches for Oracle Database 11g (11.2.0.2.0)
Platform | Patch Number and Description on My Oracle Support |
---|---|
Linux x86 (32-bit), Linux x86 (64-bit) | RDBMS Interim Patch#10259620. |
If this patch is not applied, problems might occur in user and role search and manager lookup. In addition, searches might return empty results.
Note:
Apply this patch in ONLINE mode. Refer to the readme.txt file bundled with the patch for the steps to be followed.
In some environments, the RDBMS Interim Patch has been unable to resolve the issue, but the published workaround works. Refer to the metalink note "Wrong Results on 11.2.0.2 with Function-Based Index and OR Expansion due to fix for Bug:8352378 [Metalink Note ID 1264550.1]" for the workaround. Follow that note to set the parameters, with the one exception that they must be altered at the database instance level by using ALTER SYSTEM SET <param>=<value> scope=<memory> or <both>.
The databases must have the following minimum initialization parameters defined:
Table 6-4 Minimum Initialization Parameters for Oracle RAC Databases
Parameter | Value |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Footnote 1 OAM requires a minimum of 800 open cursors in the database. When OIM and OAM are available, the number of open cursors should be 1500.
Note:
For guidelines on setting up optimum parameters for the Database, see Oracle Fusion Middleware Performance and Tuning Guide.
Install and configure the database repository as follows.
For 10g Release 2 (10.2), see the Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for your platform, listed in.
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.
For 10g Release 2 (10.2), see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for your platform, listed in "Related Documents".
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.
When you run the installer, select the Configure Automatic Storage Management option in the Select Configuration screen to create a separate Automatic Storage Management home.
Oracle Real Application Clusters
For 10g Release 2 (10.2), see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for your platform, listed in "Related Documents".
For 11g Release 1 (11.1), see Oracle Real Application Clusters Installation Guide.
Oracle Real Application Clusters Database
Create a Real Application Clusters database with the following characteristics:
Database must be in archive log mode to facilitate backup and recovery.
Optionally, enable the Flashback database.
Create UNDO tablespace of sufficient size to handle any rollback requirements during the Oracle Identity Manager reconciliation process.
Database is created with the AL32UTF8 character set.
Note:
Be sure to verify that you have obtained all required patches. For more information, see Section 2.5.3, "Applying Patches and Workarounds."
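The following added example (not part of the original guide and not Oracle-supplied) checks a database against the characteristics listed above and the open cursor minimums in Footnote 1 of Table 6-4. It assumes the script runs as the Oracle software owner so that OS authentication works; the function names and the `--live` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle-supplied): check a database against this chapter.
# Assumption: run as the Oracle software owner so OS authentication works and
# no SYS password appears on the command line or in shell history.

# Emit name=value lines from the data dictionary (needs a live database).
query_db() {
  sqlplus -s "/ as sysdba" <<'EOF'
set heading off feedback off pagesize 0
select 'log_mode=' || log_mode from v$database;
select 'flashback_on=' || flashback_on from v$database;
select 'charset=' || value from nls_database_parameters
  where parameter = 'NLS_CHARACTERSET';
select 'open_cursors=' || value from v$parameter where name = 'open_cursors';
EOF
}

# Read name=value lines on stdin. $1 is the open_cursors minimum:
# 800 for OAM alone, 1500 when OIM and OAM share the database.
# Prints one FAIL line per unmet requirement; non-zero status on any failure.
check_db_requirements() {
  awk -F= -v min="$1" '
    NF >= 2 { sub(/[ \t\r]+$/, "", $2); v[$1] = $2 }
    END {
      if (v["log_mode"] != "ARCHIVELOG") { print "FAIL log_mode=" v["log_mode"]; bad = 1 }
      if (v["charset"] != "AL32UTF8") { print "FAIL charset=" v["charset"]; bad = 1 }
      if (v["open_cursors"] + 0 < min + 0) {
        print "FAIL open_cursors=" v["open_cursors"] " (need " min ")"; bad = 1
      }
      if (v["flashback_on"] != "YES") { print "INFO flashback_on=" v["flashback_on"] " (optional)" }
      exit bad + 0
    }'
}

# Live use (hypothetical file name): sh check_db.sh --live 1500
if [ "${1:-}" = "--live" ]; then
  query_db | check_db_requirements "${2:-800}"
fi
```

Flashback is reported as INFO rather than FAIL because the chapter lists it as optional.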
This section describes how to configure the database for Oracle Fusion Middleware 11g metadata. It contains the following topics:
Section 6.4.1, "Creating Database Services for 10.x and 11.1.x Databases"
Section 6.4.2, "Creating Database Services for 11.2.x Databases"
For complete instructions on creating database services, see the chapter on Workload Management in the Oracle Database Oracle Clusterware and Oracle Real Application Clusters Administration and Deployment Guide. Oracle recommends that a specific database service be used for a product suite, even when product suites share the same database. It is also recommended that the database service used is different than the default database service.
Use the CREATE_SERVICE subprogram to create the database services for the components in your topology. The services to be created are listed in Table 6-1, "Mapping between Databases and Schemas".
Log on to SQL*Plus as the sysdba user by typing:
sqlplus "sys/password as sysdba"
Then run the following command to create a service called oamedg.mycompany.com for Access Manager:
EXECUTE DBMS_SERVICE.CREATE_SERVICE (SERVICE_NAME => 'oamedg.mycompany.com', NETWORK_NAME => 'oamedg.mycompany.com');
Add the service to the database and assign it to the instances using srvctl:
srvctl add service -d idmdb -s oamedg.mycompany.com -r idmdb1,idmdb2
Start the service using srvctl:
srvctl start service -d idmdb -s oamedg.mycompany.com
Use srvctl to create the database services for the components in your topology. The services to be created are listed in Table 6-1, "Mapping between Databases and Schemas".
Create the service using the command srvctl add service, as follows:
srvctl add service -d idmdb -s oamedg.mycompany.com -r idmdb1,idmdb2 -q FALSE -m NONE -e NONE -w 5 -z 5
The meanings of the command-line arguments are as follows:
Option | Argument |
---|---|
-d | Unique name for the database |
-s | Service name |
-r | Comma separated list of preferred instances |
-q | AQ HA notifications (TRUE or FALSE) |
-e | Failover type (NONE, SESSION, or SELECT) |
-m | Failover method (NONE or BASIC) |
-w | Failover delay (integer) |
-z | Failover retries (integer) |
Start the service using srvctl start service:
srvctl start service -d idmdb -s oamedg.mycompany.com
Validate that the service started by using srvctl status service, as follows:
srvctl status service -d idmdb -s oamedg.mycompany.com
Service oamedg.mycompany.com is running on instance(s) idmdb1,idmdb2
Validate that the service was created correctly by using srvctl config service:
srvctl config service -d idmdb -s oamedg.mycompany.com
Service name: oamedg.mycompany.com
Service is enabled
Server pool: idmdb_oamedg.mycompany.com
Cardinality: 2
Disconnect: false
Service role: PRIMARY
Management policy: AUTOMATIC
DTP transaction: false
AQ HA notifications: false
Failover type: NONE
Failover method: NONE
TAF failover retries: 5
TAF failover delay: 5
Connection Load Balancing Goal: LONG
Runtime Load Balancing Goal: NONE
TAF policy specification: NONE
Edition:
Preferred instances: idmdb1,idmdb2
Available instances:
Note:
For more information about the SRVCTL command, see the Oracle Real Application Clusters Administration and Deployment Guide.
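The validation step above can be automated so that a mistyped srvctl add service flag or later configuration drift is caught by a script instead of by eye. This added example (not part of the original guide and not Oracle-supplied) compares srvctl config service output with the values intended by the add command; the function names are hypothetical and the sample text is abridged from the output shown in this section.

```shell
#!/bin/sh
# Added example (not Oracle-supplied): compare "srvctl config service" output
# with the settings intended by the "srvctl add service" command.

# Print the value of one "Field: value" line from config text on stdin.
cfg_field() {
  awk -v f="$1" 'index($0, f ":") == 1 {
    v = substr($0, length(f) + 2)
    sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
    print v; exit
  }'
}

# $1 = config text, remaining args = "Field=expected" pairs.
# Prints each mismatch; returns 0 only when the service is enabled
# and every listed field matches.
verify_service() {
  cfg=$1; shift; rc=0
  printf '%s\n' "$cfg" | grep -q '^Service is enabled' ||
    { echo "MISMATCH service not enabled"; rc=1; }
  for pair in "$@"; do
    field=${pair%%=*}; want=${pair#*=}
    got=$(printf '%s\n' "$cfg" | cfg_field "$field")
    [ "$got" = "$want" ] ||
      { echo "MISMATCH $field: got '$got', want '$want'"; rc=1; }
  done
  return $rc
}

# Sample abridged from the srvctl config service output in this section.
SAMPLE_CFG='Service name: oamedg.mycompany.com
Service is enabled
Cardinality: 2
AQ HA notifications: false
Failover type: NONE
Failover method: NONE
TAF failover retries: 5
TAF failover delay: 5
Preferred instances: idmdb1,idmdb2'

# Expected values follow from: -r idmdb1,idmdb2 -q FALSE -m NONE -e NONE -w 5 -z 5
check_sample() {
  verify_service "$SAMPLE_CFG" "Service name=oamedg.mycompany.com" \
    "AQ HA notifications=false" "Failover type=NONE" "Failover method=NONE" \
    "TAF failover retries=5" "TAF failover delay=5" \
    "Preferred instances=idmdb1,idmdb2"
}
check_sample && echo "service configuration matches"
```

Against a live cluster, pass the output of srvctl config service -d idmdb -s oamedg.mycompany.com as the first argument to verify_service instead of the embedded sample.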
The database parameters defined in Section 6.3, "Installing the Database for an Enterprise Deployment" are only a guide. You might need to perform additional tuning after the system is in use. For more information, see Database Performance Tuning Guide.
Run the Repository Creation Utility to create the collection of schemas used by Identity Management and Management Services.
In the Database Connection Details screen, provide the information required to connect to an existing database.
On the Select Components screen, provide the following values:
Create a New Prefix: Enter a prefix to be added to the database schemas. Note that all schemas are required to have a prefix. For example, enter EDG. This allows you to identify the schemas easily when you later configure and extend the Enterprise Deployment domain. In addition, make a note of the password you used for the schemas. You will need this later when you run the Configuration Wizard.
Components: Select the appropriate components from the following table for the topology you are using.
Product | RCU Option | Comments |
---|---|---|
Oracle Platform Security Services | AS Common Schemas–Oracle Platform Security Service | Required to hold policy store information. Mandatory for all topologies. |
Oracle Access Management Access Manager | Identity Management–Access Manager | Audit Services will also be selected. |
Oracle Identity Manager | Identity Management–Oracle Identity Manager | Metadata Services, SOA infrastructure, and User Messaging will also be selected. |
For more information about the Repository Creation Utility, see Oracle Fusion Middleware Repository Creation Utility User's Guide.
For more information about the schemas required for an Identity and Access Management installation, see "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
After you have prepared your database, back it up. You can back up your database using the appropriate RMAN commands for your environment. See Oracle Database Backup and Recovery User's Guide.