8 Installing and Configuring Oracle Unified Directory

This chapter describes how to install and configure Oracle Unified Directory (OUD) in the enterprise deployment.

This chapter includes the following topics:

8.1 Overview of Installing and Configuring Oracle Unified Directory

Oracle Unified Directory is a required component in the Identity Management enterprise topologies. You use it as the Identity Store, that is, for storing information about users and groups.

In this chapter, you configure two instances of Oracle Unified Directory by using Oracle Unified Directory configuration assistant.

8.2 Prerequisites for Configuring Oracle Unified Directory Instances

Before configuring the Oracle Unified Directory instances on IDMHOST1 and IDMHOST2, ensure that the following tasks have been performed:

  • Synchronize the time on the individual IDMHOST nodes so that there is a discrepancy of no more than 250 seconds between them.

  • Ensure that the load balancer is configured.

Note:

Be sure to verify that you have obtained all required patches. For more information, see Section 2.5.3, "Applying Patches and Workarounds."

8.3 Installing Oracle Unified Directory

Perform these steps to install Oracle Unified Directory on IDMHOST1 and IDMHOST2.

Ensure that the system, patch, kernel and other requirements are met. These are listed in Oracle Fusion Middleware Installation Guide for Oracle Identity Management in the Oracle Fusion Middleware documentation library for the platform and version you are using.

Install the JDK as described in Section 9.2.1.1, "Installing JRockit." To start the Oracle Fusion Middleware 11g Oracle Identity Management Installer, change directory to Disk 1 of the installation media and enter the command:

./runInstaller

Then proceed as follows:

On the Specify Inventory Directory screen, do the following:

  • Enter HOME/oraInventory (/u02/private/oracle/oraInventory), where HOME is the home directory of the user performing the installation (this is the recommended location).

  • Enter the OS group for the user performing the installation.

  • Click Next.

Follow the instructions on screen to execute createCentralInventory.sh as root.

  1. On the Welcome screen, click Next.

  2. On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates, or search for updates locally.

    Click Next.

  3. On the Prerequisite Checks screen, verify that the checks complete successfully, then click Next.

  4. On the Specify Installation screen, enter:

    • OUD Base Location Home: IAM_MW_HOME

    • Oracle Home Directory: oud

    Click Next.

  5. On the Installation Summary screen, click Install.

  6. On the Installation Progress screen, click Next.

  7. On the Installation Complete screen, click Finish.

8.4 Configuring the Oracle Unified Directory Instances

Follow these steps to configure Oracle Unified Directory components in the application tier on IDMHOST1 and IDMHOST2. During the configuration you will also configure Oracle Unified Directory replication servers.

This section contains the following topics:

8.4.1 Configuring Oracle Unified Directory on IDMHOST1

Use the Oracle Unified Directory Configuration Assistant to configure Oracle Unified Directory.

Ensure that ports 1389 (LDAP_DIR_PORT), 1636 (LDAP_DIR_SSL_PORT), 4444 (LDAP_DIR_ADMIN_PORT), and 8989 (LDAP_DIR_REPL_PORT) are not in use by any service on the computer by issuing the following command on both IDMHOST1 and IDMHOST2. If a port is not in use, no output is returned for it.

To ensure that the ports are free, run the following command:

netstat -an | grep -E "1389|1636|4444|8989"

If any of the ports is in use (that is, if the command returns output identifying that port), free the port.

  1. Set the environment variable JAVA_HOME.

  2. Set the environment variable INSTANCE_NAME to:

    OUD_ORACLE_INSTANCE
    

    For example:

    ../../../../u02/private/oracle/config/instances/oud2
    

    Note:

    The tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include previous directories to get the instance created in OUD_ORACLE_INSTANCE.

  3. Change directory to OUD_ORACLE_HOME.

  4. Start the Oracle Unified Directory configuration assistant by executing the command:

    ./oud-setup
    
  5. On the Welcome screen, click Next.

  6. On the Server Settings screen, enter:

    • Host Name: The name of the host where Oracle Unified Directory is running, for example: IDMHOST1.mycompany.com

    • LDAP Listener Port: 1389 (LDAP_DIR_PORT)

    • Administration Connector Port: 4444 (LDAP_DIR_ADMIN_PORT)

    • LDAP Secure Access: Click Configure

    • In the Security Options page, enter:

      • SSL Access: Selected.

      • Enable SSL on Port: 1636 (LDAP_DIR_SSL_PORT)

      • Certificate: Generate Self Signed Certificate OR provide details of your own certificate.

      • Click OK

    • Root User DN: Enter an administrative user, for example: cn=oudadmin

    • Password: Enter the password you wish to assign to the oudadmin user.

    • Password (Confirm): Repeat the password.

    • Click Next.

  7. On the Topology Options screen:

    • Select: This server will be part of a replication topology

    • Enter: Replication Port: 8989

    • Select Configure As Secure if you wish replication traffic to be encrypted.

    • There is already a server in the topology: Leave deselected.

    Click Next.

  8. On the Directory Data screen, enter:

    • Directory Base DN: dc=mycompany,dc=com

    • Directory Data: Only create base entry

    Click Next.

  9. On the Oracle Components Integration screen, click Next.

  10. On the Runtime Options screen, click Next.

  11. On the Review screen, verify that the information displayed is correct and click Finish.

  12. On the Finished screen, click Close.

8.4.2 Validating Oracle Unified Directory on IDMHOST1

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this issue the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h IDMHOST1.mycompany.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you will see a list of supportedControl entries returned.

8.4.3 Configuring an Additional Oracle Unified Directory Instance on IDMHOST2

Use the Oracle Unified Directory Configuration Assistant to configure Oracle Unified Directory.

Ensure that ports 1389 (LDAP_DIR_PORT), 1636 (LDAP_DIR_SSL_PORT), 4444 (LDAP_DIR_ADMIN_PORT), and 8989 (LDAP_DIR_REPL_PORT) are not in use by any service on the computer by issuing the following command on both IDMHOST1 and IDMHOST2. If a port is not in use, no output is returned for it.

To ensure that the ports are free, run the following command:

netstat -an | grep -E "1389|1636|4444|8989"

If any of the ports is in use (that is, if the command returns output identifying that port), free the port.
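The port check above (here and in Section 8.4.1) greps the whole netstat output, so a remote peer's port or a longer port number such as 13890 can produce a false hit. The following script is an added example and is not part of the Oracle guide: it restricts the match to the local-address column of `netstat -an` and checks all four OUD ports in one pass. It assumes the Linux/Solaris `netstat -an` column layout (local address in column 4); the `SAMPLE_NETSTAT` text is constructed so the parser can be exercised offline.

```shell
# Added example, not from the Oracle guide: check all four OUD ports on the
# current host in one pass, restricted to the local-address column of
# "netstat -an" so that a remote peer's port (or a longer port such as 13890)
# does not produce a false positive.
OUD_PORTS="1389 1636 4444 8989"   # LDAP_DIR_PORT LDAP_DIR_SSL_PORT LDAP_DIR_ADMIN_PORT LDAP_DIR_REPL_PORT

# Given the text of "netstat -an" output ($1), print the OUD ports that appear
# as local ports, separated by spaces (empty if all four are free).
ports_in_use() {
  netstat_out=$1
  found=""
  for p in $OUD_PORTS; do
    # column 4 is the local address; match ":<port>" (Linux) or ".<port>" (Solaris) at its end
    if printf '%s\n' "$netstat_out" | awk '{ print $4 }' | grep -Eq "[.:]${p}\$"; then
      found="$found $p"
    fi
  done
  printf '%s\n' "${found# }"
}

# Run the check against the live host; non-zero exit if any OUD port is taken.
check_oud_ports() {
  in_use=$(ports_in_use "$(netstat -an 2>/dev/null)")
  if [ -n "$in_use" ]; then
    echo "OUD ports already in use on $(hostname): $in_use" >&2
    return 1
  fi
  echo "All OUD ports (1389, 1636, 4444, 8989) are free on $(hostname)"
}

# Constructed sample of "netstat -an" output for exercising the parser offline:
# 1389 and 8989 are listening locally; 4444 appears only as a remote port and
# 13890 must not be mistaken for 1389.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1389            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:13890          10.0.0.9:4444           ESTABLISHED
tcp        0      0 127.0.0.1:8989          0.0.0.0:*               LISTEN'

# Usage: sh check_oud_ports.sh --run   (run on IDMHOST1 and on IDMHOST2)
if [ "$1" = "--run" ]; then
  check_oud_ports
fi
```

Run it with `--run` on each host before starting oud-setup; a non-zero exit lists the OUD ports that are still bound.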

  1. Set the environment variable JAVA_HOME.

  2. Set the environment variable INSTANCE_NAME to:

    OUD_ORACLE_INSTANCE
    

    For example:

    ../../../../u02/private/oracle/config/instances/oud2
    

    Note:

    The tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include previous directories to get the instance created in OUD_ORACLE_INSTANCE.

  3. Change directory to OUD_ORACLE_HOME.

  4. Start the Oracle Unified Directory configuration assistant by executing the command:

    ./oud-setup
    
  5. On the Welcome screen, click Next.

  6. On the Server Settings screen, enter:

    • Host Name: The name of the host where Oracle Unified Directory is running, for example: IDMHOST2

    • LDAP Listener Port: 1389 (LDAP_DIR_PORT)

    • Administration Connector Port: 4444 (LDAP_DIR_ADMIN_PORT)

    • LDAP Secure Access

      • Click Configure

      • Select SSL Access

      • Enable SSL on Port: 1636 (LDAP_DIR_SSL_PORT)

      • Certificate: Generate Self Signed Certificate OR provide details of your own certificate.

      • Click OK

    • Root User DN: Enter an administrative user, for example: cn=oudadmin

    • Password: Enter the password you wish to assign to the oudadmin user.

    • Password (Confirm): Repeat the password.

    • Click Next.

  7. On the Topology Options screen, enter:

    • This server will be part of a replication topology

    • Replication Port: 8989 (LDAP_DIR_REPL_PORT)

    • Select Configure As Secure, if you wish replication traffic to be encrypted.

    • There is already a server in the topology: Selected.

      Enter the following:

      • Host Name: The name of an existing Oracle Unified Directory server host, for example: IDMHOST1.mycompany.com

      • Administration Connector Port: 4444 (LDAP_DIR_ADMIN_PORT)

      • Admin User: Name of the Oracle Unified Directory admin user on IDMHOST1, for example: cn=oudadmin

      • Admin Password: Administrator password.

      Click Next.

      If you see a Certificate Not Trusted dialog, it is because you are using self-signed certificates. Click Accept Permanently.

    Click Next.

  8. On the Create Global Administrator screen, enter:

    • Global Administrator ID: The name of an account you want to use for managing Oracle Unified Directory replication, for example: oudmanager

    • Global Administrator Password / Confirmation: Enter a password for this account.

    Click Next.

  9. On the Data Replication screen, select dc=mycompany,dc=com and click Next.

  10. On the Oracle Components Integration screen, click Next.

  11. On the Runtime Options screen, click Next.

  12. On the Review screen, check that the information displayed is correct and click Finish.

  13. On the Finished screen, click Close.

8.4.4 Enabling Oracle Unified Directory Assured Replication

Ensure that data read from every Oracle Unified Directory instance is current. You do this by enabling Oracle Unified Directory Assured Replication in Safe Read Mode, as follows:

  1. On IDMHOST1, issue the following command:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h IDMHOST1 -p 4444 -D "cn=oudadmin" -j ./password_file -n \
    set-replication-domain-prop \
    --provider-name "Multimaster Synchronization" \
    --domain-name "dc=mycompany,dc=com" \
    --advanced \
    --set assured-type:safe-read \
    --trustAll
    
  2. Confirm that the operation has been successful by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h IDMHOST1 -p 4444 -D "cn=oudadmin" -j ./password_file -n \
    get-replication-domain-prop \
    --provider-name "Multimaster Synchronization" \
    --domain-name "dc=mycompany,dc=com" \
    --advanced \
    --property assured-type --property assured-timeout --property group-id \
    --trustAll
    

    Note:

    password_file is a file that contains the OUD administrator password.

    If safe-read mode is enabled, the output looks similar to this:

    Property        : Value(s)
    ----------------:----------
    assured-timeout : 2 s
    assured-type    : safe-read
    group-id        : 1
    
  3. Repeat steps 1-2 for each Oracle Unified Directory instance, for example: IDMHOST2.

8.4.5 Relaxing Oracle Unified Directory Object Creation Restrictions

Oracle Identity Management requires that a number of object classes be created in Oracle Unified Directory. You must perform the following step so that Oracle Unified Directory allows creation of the needed object classes.

Execute the following command on each Oracle Unified Directory instance:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h IDMHOST1 -p 4444 -D "cn=oudadmin" -j ./password_file -n \
         set-global-configuration-prop \
         --set single-structural-objectclass-behavior:warn \
         --trustAll

Repeat the command for each Oracle Unified Directory instance, for example: IDMHOST2.
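Sections 8.4.4 and 8.4.5 each apply one dsconfig setting per instance and, for assured replication, verify it by reading a "Property : Value(s)" table back. The script below is an added example, not part of the Oracle guide: it applies both settings to every instance in one loop and parses the get-replication-domain-prop output to confirm that assured-type is safe-read rather than leaving the reader to eyeball the table. It assumes OUD_ORACLE_INSTANCE is set, that ./password_file holds the cn=oudadmin password as in Section 8.4.4, and that the host list matches your deployment; the `SAMPLE_DSCONFIG` text is a constructed copy of the table shown in Section 8.4.4 so the parser can be checked offline.

```shell
# Added example, not from the Oracle guide: apply the per-instance dsconfig
# settings from Sections 8.4.4 and 8.4.5 to every OUD instance and verify the
# assured-type value from the get-replication-domain-prop table output.
# Assumptions: OUD_ORACLE_INSTANCE is set, ./password_file holds the
# cn=oudadmin password, and OUD_HOSTS lists the administration hosts.
OUD_HOSTS="IDMHOST1 IDMHOST2"
BASE_DN="dc=mycompany,dc=com"

# Extract the value of property $2 from dsconfig's "Property : Value(s)" table ($1).
# Prints nothing if the property is not present.
dsconfig_prop() {
  printf '%s\n' "$1" | awk -F':' -v want="$2" '
    { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
    $1 == want { print $2; exit }'
}

# Run dsconfig against one host with the connection options used throughout this chapter.
oud_dsconfig() {
  host=$1; shift
  "$OUD_ORACLE_INSTANCE/OUD/bin/dsconfig" -h "$host" -p 4444 -D "cn=oudadmin" \
      -j ./password_file -n --trustAll "$@"
}

# Apply both settings to one instance, then confirm safe-read is in effect.
configure_instance() {
  host=$1
  oud_dsconfig "$host" set-replication-domain-prop \
      --provider-name "Multimaster Synchronization" --domain-name "$BASE_DN" \
      --advanced --set assured-type:safe-read
  oud_dsconfig "$host" set-global-configuration-prop \
      --set single-structural-objectclass-behavior:warn
  out=$(oud_dsconfig "$host" get-replication-domain-prop \
      --provider-name "Multimaster Synchronization" --domain-name "$BASE_DN" \
      --advanced --property assured-type --property assured-timeout --property group-id)
  if [ "$(dsconfig_prop "$out" assured-type)" = "safe-read" ]; then
    echo "$host: assured replication in safe-read mode (timeout $(dsconfig_prop "$out" assured-timeout))"
  else
    echo "$host: assured-type is NOT safe-read" >&2
    return 1
  fi
}

# Constructed copy of the table shown in Section 8.4.4, for offline parser checks.
SAMPLE_DSCONFIG='Property        : Value(s)
----------------:----------
assured-timeout : 2 s
assured-type    : safe-read
group-id        : 1'

# Usage: sh configure_oud_instances.sh --run
if [ "$1" = "--run" ]; then
  rc=0
  for h in $OUD_HOSTS; do
    configure_instance "$h" || rc=1
  done
  exit $rc
fi
```

The connection options are kept in one helper so that the host, port and password file are changed in a single place; the script exits non-zero if any instance does not report safe-read after the change.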

8.4.6 Validating Oracle Unified Directory on IDMHOST2

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this, issue the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h IDMHOST2.mycompany.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you see a list of supportedControl entries returned.

8.4.7 Validating the Oracle Unified Directory Virtual IP Address

To validate the Oracle Unified Directory virtual IP address:

  1. On IDMHOST1, run the following query:

    OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h oudinternal.mycompany.com -p 1489 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
    
  2. Stop the OUD Instance on IDMHOST1.

  3. Run the same query:

    OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h oudinternal.mycompany.com -p 1489 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl
    

    The query output shows that the OUD instance on IDMHOST2 is serving the request.

  4. Stop the OUD instance on IDMHOST2 and start the instance on IDMHOST1.

  5. Run the query again to show that OUD is configured correctly on both IDMHOST1 and IDMHOST2.

  6. Make sure OUD is started on IDMHOST1 and IDMHOST2.
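Sections 8.4.2, 8.4.6 and 8.4.7 all run the same rootDSE search and ask you to look for supportedControl lines in the output. The script below is an added example, not part of the Oracle guide: it runs that search against both instances and the virtual IP address and counts the supportedControl values so the result can be checked in a loop or from cron rather than by reading the output. It assumes OUD_ORACLE_INSTANCE is set and that ./password_file holds the cn=oudadmin password (the page's ldapsearch lines bind as cn=oudadmin without a password option; -j is used here as in Section 8.4.4); the host and port values are those given in this chapter, and `SAMPLE_ROOTDSE` is a constructed reply using standard LDAP control OIDs so the counter can be checked offline.

```shell
# Added example, not from the Oracle guide: validate each OUD instance and the
# virtual IP with the rootDSE search from Sections 8.4.2, 8.4.6 and 8.4.7.
# Assumptions: OUD_ORACLE_INSTANCE is set and ./password_file holds the
# cn=oudadmin password (as in Section 8.4.4).

# Count supportedControl values in the text of an ldapsearch result ($1).
# Always prints a number (0 when none), even under "set -e".
count_supported_controls() {
  printf '%s\n' "$1" | grep -c '^supportedControl:' || true
}

# Run the rootDSE search against one host:port and report whether it answered.
# Prints "OK host:port (N supportedControl values)" or "FAIL host:port";
# returns 1 on failure so a caller can act on it.
validate_oud() {
  host=$1; port=$2
  out=$("$OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch" -h "$host" -p "$port" \
        -D cn=oudadmin -j ./password_file \
        -b "" -s base "(objectclass=*)" supportedControl 2>&1) || out=""
  n=$(count_supported_controls "$out")
  if [ "$n" -gt 0 ]; then
    echo "OK   $host:$port ($n supportedControl values)"
  else
    echo "FAIL $host:$port"
    return 1
  fi
}

# Constructed sample of a healthy reply (standard LDAP control OIDs) for an
# offline check of the counter.
SAMPLE_ROOTDSE='dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.1.13.1
supportedControl: 2.16.840.1.113730.3.4.18'

# Usage: sh validate_oud.sh --run
# For the failover test in Section 8.4.7, run it before and after stopping each
# instance: the virtual IP line must stay OK while one instance is down.
if [ "$1" = "--run" ]; then
  rc=0
  validate_oud IDMHOST1.mycompany.com 1389 || rc=1
  validate_oud IDMHOST2.mycompany.com 1389 || rc=1
  validate_oud oudinternal.mycompany.com 1489 || rc=1
  exit $rc
fi
```

Because the search targets the root DSE with an empty base, a successful reply proves only that the listener answers and the bind succeeds; the replication checks in Section 8.4.4 remain the test that the data served is current.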

8.5 Backing Up the Oracle Unified Directory Installation

Perform a backup of the Middleware home and of Oracle Unified Directory, as described in Section 16.6, "Backing Up the Oracle IDM Enterprise Deployment."